Your server is vulnerable to brute force password guessing: solution? - emmett
http://blog.emmettshear.com/post/2007/08/22/Insecure-By-Default

======
nostrademons
I have logwatch send me a daily report of any authentication failures on our
server. The results for today:

    root (61-90-254-50.static.asianet.co.th): 399 Time(s)
    unknown (200.207.3.135): 6 Time(s)
    jonathan (pool-96-233-42-251.bstnma.east.verizon.net): 1 Time(s)
    mysql (200.207.3.135): 1 Time(s)
    root (200.207.3.135): 1 Time(s)
    unknown (61-90-254-50.static.asianet.co.th): 1 Time(s)
    unknown (62.147.231.49): 1 Time(s)

Basically, we have bots attempting to crack us daily. And this is a site
that's done very little publicity and isn't really known at all throughout the
Internet. The crackbots started even before we officially launched.

I'll probably implement the denyhosts tip on our box, along with disabling
root login for SSH. But this should highlight the importance of using
difficult-to-guess non-dictionary passwords. You _will_ be attacked; don't
make it easy for them.
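
The kind of summary logwatch produces above can be built directly from sshd's own log lines. This is an added example, not code from the thread or from logwatch; the log lines are constructed samples in OpenSSH's syslog format, and the source addresses are documentation ranges, not real hosts.

```python
import re
from collections import Counter

# Constructed sample auth.log excerpt (not real data). Mixes failed password
# attempts against real and non-existent accounts with one successful key login.
SAMPLE_AUTH_LOG = """\
Aug 22 03:14:01 web sshd[2211]: Failed password for root from 203.0.113.5 port 51002 ssh2
Aug 22 03:14:03 web sshd[2213]: Failed password for root from 203.0.113.5 port 51004 ssh2
Aug 22 03:14:05 web sshd[2215]: Failed password for invalid user oracle from 203.0.113.5 port 51006 ssh2
Aug 22 03:20:11 web sshd[2301]: Failed password for invalid user mysql from 198.51.100.7 port 40022 ssh2
Aug 22 03:20:14 web sshd[2303]: Failed password for root from 198.51.100.7 port 40024 ssh2
Aug 22 08:02:44 web sshd[2410]: Failed password for jonathan from 192.0.2.9 port 33011 ssh2
Aug 22 08:02:50 web sshd[2412]: Accepted publickey for jonathan from 192.0.2.9 port 33013 ssh2
"""

# "invalid user" marks attempts against accounts that do not exist on the box.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

def count_failures(log_text):
    """Count failed password attempts keyed by (user, source address).
    Non-existent accounts are folded into 'unknown', as logwatch reports them."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # successful logins and unrelated lines are skipped
        user = "unknown" if m.group("invalid") else m.group("user")
        counts[(user, m.group("src"))] += 1
    return counts

def report(counts):
    """Render counts in logwatch's '<user> (<source>): N Time(s)' style, busiest first."""
    ordered = sorted(counts.items(), key=lambda kv: -kv[1])
    return [f"{user} ({src}): {n} Time(s)" for (user, src), n in ordered]

def noisy_sources(counts, threshold=3):
    """Source addresses whose failures across all users reach the threshold;
    these are the candidates a tool like denyhosts would add to its block list."""
    per_src = Counter()
    for (_, src), n in counts.items():
        per_src[src] += n
    return sorted(src for src, n in per_src.items() if n >= threshold)

if __name__ == "__main__":
    c = count_failures(SAMPLE_AUTH_LOG)
    print("\n".join(report(c)))
    print("block candidates:", noisy_sources(c))
```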

------
nickb
I think there is a better way. Disable ftp, telnet etc. Disable everything not
needed (just leave web server, postfix and sshd running) and disable root
account and disable SSH password authentication completely and choose key
authentication instead. You will never have to worry about someone running a
cracker.

------
staunch
Ideally use a VPN connection to get into your internal network and firewall
off all outside access.

Your goal should be to prevent anyone from ever connecting to your sshd
process at all. If they can do that you're in danger. Make it listen on a
different port, so you're not the easiest target and use iptables to block
access to all but your office/home ip range. Various forms of port knocking to
poke a hole in the iptables firewall can be used to allow mobile access, etc.

------
dfranke
A nice variation on this theme is PortSentry, a portscan detector. I have it
configured so that whenever it detects a portscan, it'll blackhole that IP for
a few hours.

------
extantproject
<http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config>

------
palish
Cool. Thank you for this tip. We're about to go live using Debian, so the
extra security can't hurt.

------
portLAN
[ - Redacted - ]

Alas, News.YC doesn't cope with Unicode.

------
epi0Bauqu
pwgen