I have noticed in my /var/log/secure somebody doing repeated attempts to log in, and I have left port 22 open. I see many invalid attempts with different usernames and one other like "getaddressinfo BREAKIN ATTEMPT". How do I prevent such attempts?
If you're so concerned about it, simply don't leave port 22 open. Use a different, unused port. And make sure direct root login is off. You can set this in /etc/ssh/sshd_config by changing PermitRootLogin to "no". Lastly, disable password login altogether. Use SSH keys for login which are inherently more secure (and convenient) than any passwords.
How do I do that? Will I be able to connect with SSH from various places? I guess I should have the public key always.
You normally need:
1. a laptop (or desktop)
2. the key pairs installed properly on server + laptop.
If you do NOT have a dedicated server, then you may have to ask your host to disable password login AFTER successfully installing server-key authentication. If you have a dedicated server, then you do that part yourself. If you need several computers to be enabled for server-key login, then you just repeat the procedure to enable server-key authentication for each authorized machine.
Don't use the default port, 22. Instead, use a non-standard port. Make sure that your firewall is not blocking that port before making any change. Vivek
1. Change the default port to something other than 22.
2. Disable direct root login (be sure to create a new user account in the wheel group first).
3. Install APF or CSF firewall.
4. Install Brute Force Detection (BFD). You can download it here: http://www.rfxnetworks.com/downloads/bfd-current.tar.gz
This will help to prevent you from being brute-forced. If you need someone to secure your server, check my signature.
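The sshd_config changes recommended in the replies above (new port, PermitRootLogin no, password login off, keys only) and the key-pair procedure from the earlier reply, as one worked example. This is an added example, not code from any poster or from OpenSSH: the admin user name "admin", port 2222, the sshd_config path and the sample config file are assumptions, and the functions are written so they can be tried on a scratch copy of the file before touching the real one.

```shell
#!/bin/sh
# Added example for the thread above (not the original poster's or any
# project's code): harden sshd_config and move to key-only login.
# Assumptions: the admin user is called "admin", the new port is 2222,
# sshd_config lives at /etc/ssh/sshd_config; change these to fit.

# Set a directive, replacing any existing or commented-out occurrence.
# The new line is written at the TOP of the file: sshd uses the first
# occurrence of a directive, and appending at the end could land inside a
# trailing "Match" block. Occurrences inside Match blocks are removed too.
set_sshd_option() {
    cfg=$1; key=$2; val=$3
    tmp=$(mktemp)
    printf '%s %s\n' "$key" "$val" > "$tmp"
    grep -v -i -E "^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|=)" "$cfg" >> "$tmp" || true
    cat "$tmp" > "$cfg"
    rm -f "$tmp"
}

# Effective value of a directive (first uncommented occurrence, as sshd sees it).
get_sshd_option() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# The settings recommended in the thread, plus a few that close the same door:
# ChallengeResponseAuthentication also carries password prompts via PAM, and
# AllowUsers keeps every other account (backup, www-data, ...) out of sshd.
harden_sshd_config() {
    cfg=$1; port=${2:-22}; user=$3
    set_sshd_option "$cfg" Port "$port"
    set_sshd_option "$cfg" PermitRootLogin no
    set_sshd_option "$cfg" PubkeyAuthentication yes
    set_sshd_option "$cfg" PasswordAuthentication no
    set_sshd_option "$cfg" ChallengeResponseAuthentication no  # KbdInteractiveAuthentication on OpenSSH >= 8.7
    set_sshd_option "$cfg" MaxAuthTries 3
    if [ -n "$user" ]; then
        set_sshd_option "$cfg" AllowUsers "$user"
    fi
}

# Constructed stand-in for a stock sshd_config (not any real server's file),
# so the functions can be tried on a scratch file first.
sample_weak_config() {
    cat > "$1" <<'EOF'
#Port 22
PermitRootLogin yes
PubkeyAuthentication yes
#PasswordAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
Subsystem sftp /usr/libexec/openssh/sftp-server
Match User backup
    PasswordAuthentication yes
EOF
}

# Full procedure (run by hand, in this order; keep a second root session
# open until the new one works):
#
#   laptop$ ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519
#   laptop$ ssh-copy-id -i ~/.ssh/id_ed25519.pub admin@server     # still via password
#   laptop$ ssh admin@server                                       # must work with the key
#
#   server# useradd -m -G wheel admin              # before PermitRootLogin no
#   server# cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
#   server# harden_sshd_config /etc/ssh/sshd_config 2222 admin
#   server# sshd -t && service sshd restart        # -t: syntax check first (systemctl restart sshd on systemd)
#
# Open port 2222 in the firewall before the restart, and test
# "ssh -p 2222 admin@server" from the laptop before closing the old session.
```

The order matters: the public key goes onto the server while password login still works, the key login is verified from a fresh session, and only then is PasswordAuthentication switched off. The `sshd -t` check before the restart is what saves you if a typo makes the config unparseable, because sshd would otherwise refuse to start and your only session is the one you are about to close.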
What you're witnessing is a worm trying to brute force crack passwords to your server. It gets highly irritating having to look at these in the logs when trying to find other information. Your best bet is to do what the other dozen people here (except for 1 or 2) said to do and change the default port on your SSH installation.
Why are you not running a firewall on this server that only allows your IPs to connect? iptables can pretty much do anything under the sun.
If you do choose to put SSH on a non-standard port, make sure you don't use a port that is normally used for something else. The guy who set up the server my site is on chose a port that happens to be normally used for another application, and now we get worms brute-forcing logins for that application. They'll never succeed because they aren't attempting the SSH protocol, but we still get the same annoying log messages.
I've bound my SSH port onto a completely separate IP from my server IP and changed the port to a random number, then added an NS entry. A possible hacker will then have to find the separate IP I'm using, find the port number, then find the NS I'm using, then guess my password, which is 16 characters long and numbers/letters/characters, uppercase and lowercase, plus Chinese characters plus French characters. Then I've installed APF+BFD and a brute force in WHM, so I'm pretty secure, but I think SSH keys are the way forward.
I wrote a short blurb on fail2ban a while back: http://forums.digitalpoint.com/showthread.php?t=512185 Look around for more details on the setup, it's pretty straightforward. It's been working like a champ on my Debian box for months - simply set it and forget it. SSH attackers (along with other common exploit/relay attempts) are dropped via iptables rules on the fly.
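What fail2ban (and BFD, mentioned earlier) actually do to the lines the original poster is seeing, as an added example that is not from the thread or the fail2ban project: count authentication failures per source address over constructed /var/log/secure lines, report the ones over a threshold, and write the fail2ban jail that automates the same decision. The IP addresses (documentation ranges), host names, port 2222 and the jail.local path are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or the fail2ban project): the kind of
# counting fail2ban/BFD do, run over constructed /var/log/secure lines, plus a
# matching fail2ban jail. IPs, host names and the jail path are made up.

# Constructed sample of what the original poster is seeing: one address
# cycling through usernames, plus a legitimate admin login. The addresses are
# documentation ranges, not real hosts.
sample_secure_log() {
    cat > "$1" <<'EOF'
Mar  3 02:11:07 web1 sshd[2201]: Invalid user oracle from 203.0.113.45
Mar  3 02:11:09 web1 sshd[2201]: Failed password for invalid user oracle from 203.0.113.45 port 40122 ssh2
Mar  3 02:11:12 web1 sshd[2204]: Invalid user test from 203.0.113.45
Mar  3 02:11:14 web1 sshd[2204]: Failed password for invalid user test from 203.0.113.45 port 40130 ssh2
Mar  3 02:11:16 web1 sshd[2207]: Failed password for root from 203.0.113.45 port 40141 ssh2
Mar  3 02:11:18 web1 sshd[2210]: reverse mapping checking getaddrinfo for host.example.net [203.0.113.45] failed - POSSIBLE BREAK-IN ATTEMPT!
Mar  3 02:11:20 web1 sshd[2210]: Failed password for root from 203.0.113.45 port 40150 ssh2
Mar  3 02:15:41 web1 sshd[2301]: Failed password for alice from 198.51.100.7 port 51022 ssh2
Mar  3 02:15:49 web1 sshd[2301]: Accepted publickey for alice from 198.51.100.7 port 51022 ssh2
EOF
}

# Print "IP count" for every source with at least $2 failures in log $1.
# "Invalid user" and "Failed password" lines each count as one failure, the
# way fail2ban's sshd filter counts them. The "POSSIBLE BREAK-IN ATTEMPT"
# line is only a reverse-DNS mismatch and is not counted. The source IP is
# the word after the LAST "from", so a username that is itself "from" cannot
# shift the field.
ssh_offenders() {
    awk -v t="${2:-5}" '
        /sshd\[[0-9]+\]: (Failed password for|Invalid user) / {
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip != "") n[ip]++
        }
        END { for (ip in n) if (n[ip] >= t) print ip, n[ip] }
    ' "$1" | sort -k2,2nr
}

# A fail2ban jail that automates the same decision. Paths and the port are
# assumptions; ignoreip must contain the subnet you administer from.
write_fail2ban_jail() {
    cat > "$1" <<'EOF'
# /etc/fail2ban/jail.local (overrides jail.conf; do not edit jail.conf itself)
[DEFAULT]
# your own admin subnet, so the jail can never ban you
ignoreip = 127.0.0.1/8 198.51.100.0/24
# 5 failures within 10 minutes -> banned for 1 hour
findtime = 600
maxretry = 5
bantime  = 3600

[sshd]
enabled = true
# must match the Port in sshd_config
port    = 2222
logpath = /var/log/secure
EOF
}

# Usage:  ssh_offenders /var/log/secure 5
# For a one-off manual ban of an address it reports:
#   iptables -I INPUT -s 203.0.113.45 -j DROP
```

Run against the sample, `ssh_offenders` with threshold 5 reports only `203.0.113.45 6`: two "Invalid user" lines plus four "Failed password" lines, while the admin's single typo from 198.51.100.7 stays under the limit. The `ignoreip` line in the jail is the one people forget; without it a mistyped passphrase from your own laptop bans you for `bantime` seconds.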
Even I was quite surprised to see many SSH connections to my VPS and got scared, lol. Then I googled and found out about private and public keys. I have set them up and disabled password login. As I just use my laptop for logging into SSH, I have no problem as the key is set here. If you are going to log in from different locations, that might be a problem: you need to carry your key with you or else put it up in a secure location on the web.
Do this. Firstly, if you've got something like iptables, fix it up so that only your IP address is allowed to SSH to the box and all other IP addresses are dropped. Secondly, you can also move the SSH server to a different port from 22, but if you fixed your iptables to only allow your own IP address to tunnel in, then nobody else can brute-force your box.
Doesn't matter; you can allow a subnet that I know my IP falls in and block the rest of the internet.
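The iptables setup the last three replies describe (only your own address or subnet may open SSH connections, everyone else is dropped), as an added example that is not from any poster: a dedicated chain for the SSH port, an ACCEPT per allowed subnet, then a throttled LOG and a DROP. Port 2222, the subnets in the usage lines and the save paths are assumptions; `DRY_RUN=1` prints the rules instead of applying them, which is also how you review them before running as root.

```shell
#!/bin/sh
# Added example (not from the thread): iptables rules that let only the admin
# subnet(s) open new SSH connections and drop everyone else, as the posts above
# suggest. Port 2222 and the subnets in the usage lines are assumptions.
# Set DRY_RUN=1 to print the rules instead of applying them.

ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# ssh_firewall_rules PORT NET [NET...]
ssh_firewall_rules() {
    port=$1; shift
    # a dedicated chain keeps the SSH policy easy to read and to flush
    ipt -N SSH_IN 2>/dev/null || true
    ipt -F SSH_IN
    # established sessions (including the one you are typing in) stay up,
    # so only NEW connections are subject to the chain; -C avoids adding the
    # same rule twice when this function is re-run
    ipt -C INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT 2>/dev/null \
        || ipt -I INPUT 1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -C INPUT -p tcp --dport "$port" -m conntrack --ctstate NEW -j SSH_IN 2>/dev/null \
        || ipt -A INPUT -p tcp --dport "$port" -m conntrack --ctstate NEW -j SSH_IN
    for net in "$@"; do
        ipt -A SSH_IN -s "$net" -j ACCEPT
    done
    # everybody else: log a throttled sample so the attempts stay visible
    # without flooding the logs, then drop silently
    ipt -A SSH_IN -m limit --limit 5/min -j LOG --log-prefix "ssh-drop: "
    ipt -A SSH_IN -j DROP
}

# Before applying this from a remote session, start a safety net that undoes
# the chain in five minutes unless you cancel it; a typo in the subnet would
# otherwise lock you out. Kill the job once a fresh login has worked:
#
#   (sleep 300 && iptables -F SSH_IN && iptables -A SSH_IN -j ACCEPT) &
#   ssh_firewall_rules 2222 198.51.100.0/24 203.0.113.8/32
#   # open a NEW ssh session from the laptop to confirm, then:
#   kill %1
#   iptables-save > /etc/sysconfig/iptables   # RHEL/CentOS; Debian: /etc/iptables/rules.v4
#
# "Your IP" in the posts above is rarely one fixed address: allow the whole
# subnet you usually come from, and keep a second path in (console, VPN) for
# the day you are somewhere else.
```

Rule order is the whole point: the ESTABLISHED rule is inserted at position 1 so an existing session is never evaluated against the chain, the ACCEPTs for your subnets come before the DROP, and nothing here touches the INPUT policy or other ports. The safety-net subshell is cheap insurance; the first time the subnet mask is off by one you will be glad it is there.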