Ubuntu Server SSH
I have a server with ubuntu. I do work on it over SSH. I had a problem with brute force attempts over port 22. I changed the port and I assumed it fixed the brute force problem. Am I right or are the attempts on another port just not logged anymore in /var/log/auth.log?
To avoid brute-force attacks, here is what I do:
- Change ssh port
- Install denyhosts
- Limit number of connections per second on ssh port
- Use only key-based, no-root ssh; instead use sashroot if needed, or console login
- port knocking to open ssh port in some case
[EDIT]
- Create a canssh group, add the people to whom I want to give ssh access to it, and add "AllowGroups canssh" to sshd_config. Set DENY_THRESHOLD_(IN)VALID*/ROOT in denyhosts to 1, e.g. one wrong ssh as root or as an (in)valid user and your IP is blocked. Add my IPs to hosts.allow, create ~/.ssh/config and define which ssh key to use for which server, and create aliases, say:
- alias ssyc='ssh [email protected] -i yahoo-com.identity.rsa'
[/EDIT]
[EDIT]
- Use logwatch to email you important logs...
[/EDIT]
And as mentioned earlier, in case of bot attacks, they try 22 by default, so I guess you aren't being targeted any more.
Links:
- https://help.ubuntu.com/community/PortKnocking
- https://help.ubuntu.com/community/InstallingSecurityTools
- http://www.ubuntugeek.com/securing-ssh.html
- http://www.google.com.pk/search?hl=en&q=iptables+OR+shorewall+limit+ssh+connections+per+sec
- http://www.linux.com/feature/34958
- http://www.howtoforge.com/ssh_key_based_logins_putty
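As an added illustration of the checklist in the answer above (this is example code, not from the original post or from any of the linked guides), the POSIX shell below audits an sshd_config text for the settings the answer recommends (no root login, key-only, AllowGroups canssh, SSH moved off port 22) and emits the matching per-source connection-rate rules and hosts.allow entry. The two config texts, the group name canssh, port 2222 and the 192.0.2.x/198.51.100.x addresses are constructed sample values; the iptables `recent` match and the sshd directive names are real, the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config text against the
# hardening the answer describes and emit the matching iptables/hosts.allow lines.
# All sample values below are constructed assumptions, not real hosts or keys.

# Constructed sshd_config that follows the answer: non-default port, key-only, no root, AllowGroups.
HARDENED_SSHD_CONFIG='# constructed sample
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowGroups canssh
'

# Constructed stock-looking config for contrast.
WEAK_SSHD_CONFIG='Port 22
PermitRootLogin yes
PasswordAuthentication yes
'

# sshd_setting CONFIG_TEXT DIRECTIVE -> prints the value of the first matching directive.
# sshd keywords are case-insensitive and the first occurrence wins; comment lines are skipped.
sshd_setting() {
  printf '%s\n' "$1" | awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*#/ { next }
    NF >= 2 && tolower($1) == key { print $2; exit }
  '
}

# audit_sshd_config CONFIG_TEXT -> prints one FAIL/WARN line per unmet item, returns 1 if any.
# Baseline: no root login, no passwords, public keys on, access limited to group canssh,
# and SSH moved off port 22 (the item that only hides you from default-port bots).
audit_sshd_config() {
  cfg=$1
  rc=0
  for pair in permitrootlogin=no passwordauthentication=no pubkeyauthentication=yes allowgroups=canssh; do
    key=${pair%%=*}
    want=${pair#*=}
    got=$(sshd_setting "$cfg" "$key")
    if [ "$got" != "$want" ]; then
      echo "FAIL: $key is '${got:-unset}', expected '$want'"
      rc=1
    fi
  done
  if [ "$(sshd_setting "$cfg" port)" = "22" ]; then
    echo "WARN: port 22 is still the default target of scanning bots"
    rc=1
  fi
  return $rc
}

# ssh_ratelimit_rules PORT -> prints iptables rules that allow at most 3 new connections
# per source address per 60 s on PORT (the "limit connections per second" item), via the recent match.
ssh_ratelimit_rules() {
  port=$1
  printf '%s\n' \
    "iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -m recent --set --name SSH" \
    "iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP"
}

# hosts_allow_line IP... -> prints the /etc/hosts.allow entry whitelisting your own addresses for sshd.
hosts_allow_line() {
  printf 'sshd: %s\n' "$*"
}

# Stand-alone run: audit both constructed configs and show the generated lines.
if [ "${1:-}" = "--demo" ]; then
  echo "== hardened =="; audit_sshd_config "$HARDENED_SSHD_CONFIG" && echo OK
  echo "== weak =="; audit_sshd_config "$WEAK_SSHD_CONFIG" || echo "needs work"
  ssh_ratelimit_rules "$(sshd_setting "$HARDENED_SSHD_CONFIG" port)"
  hosts_allow_line 192.0.2.10 198.51.100.7   # constructed TEST-NET addresses
fi
```

Run it as `sh audit.sh --demo`; to check a live host, replace the constructed config text with `$(cat /etc/ssh/sshd_config)`. The audit deliberately treats the port move as a warning, not a pass, since it only removes the default-port bot noise and does not replace key-only, no-root access.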
The attempts are probably just generated by bots trying to get easy access. Unless someone is specifically targeting your system, they won't even look on a different port.
Security by obscurity.