Crazy Croutons

“Y'all need to get your shit together! You hear me, humans? Your shit is all outta whack! You're all over the place like a bunch of crazy croutons and tomatoes in a crazy salad!” *



Patrick Renner's public bookmarks on weird stories, beautiful products, loud music and stunning images.

Silence on port 22

We have been running some Linux-based root servers for our development infrastructure for quite a while now and have been constantly annoyed by dictionary and brute-force attacks via ssh (up to thousands per day on weekends).

The most important rules for not getting hacked are:

  • Use good passwords, for every user (login “test”, password “test”, you know what I mean…).
  • Don’t allow “technical” users (such as apache, daemon, mail, etc.) to log in with a shell (configured in /etc/passwd).
Then you don’t get hacked by the first few dictionary attacks.

Some passive solutions that might not work for everyone:

  • No ssh login with passwords, only via key authentication (secure, but not practical if you have to log in from lots of (public) machines), and/or
  • don’t allow root to log in directly via ssh (which at least hides the root login from login attacks), and/or
  • change the ssh port from 22 to something weird (which reduces the number of attacks, but counts as security by obscurity).
We finally chose one of the semi-active solutions: these tools analyze the system logs and block traffic from addresses with too many failed login attempts. This stops attackers from trying too often, saves traffic and load, and is much easier to configure than a laborious firewall ruleset.
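As an added example (not from the original post, and not any particular tool's code) of what such a log-analyzing blocker does: it scans the "Failed password" lines sshd writes to the auth log, counts failures per source address inside a sliding time window, and emits a firewall rule for every address over the threshold. The log lines, host name, thresholds and window below are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# sshd failure line as found in a syslog-style auth log (no year in the timestamp).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2"
)

def parse_ts(ts, year=2024):
    # syslog omits the year; assume one so timestamps can be compared
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def addresses_to_block(lines, max_failures=5, window=timedelta(minutes=10)):
    """Source addresses with >= max_failures failed logins inside any
    window-long span. Per-IP deque keeps only failures still inside the window,
    so a slow attacker spreading attempts over hours is not caught unless the
    window is widened (see the second call in the test)."""
    recent = defaultdict(deque)
    blocked = set()
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:                      # successful logins and other noise are ignored
            continue
        ip, t = m.group("ip"), parse_ts(m.group("ts"))
        q = recent[ip]
        q.append(t)
        while q and t - q[0] > window:  # drop failures that have aged out
            q.popleft()
        if len(q) >= max_failures:
            blocked.add(ip)
    return blocked

def block_rules(ips, port=22):
    """iptables rules the blocker would apply for the offenders (returned, not run)."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP" for ip in sorted(ips)]

# Constructed sample: one fast dictionary run, one user mistyping twice, one key login.
SAMPLE_LOG = """\
Nov 12 10:15:01 devbox sshd[2001]: Failed password for invalid user test from 203.0.113.5 port 40122 ssh2
Nov 12 10:15:03 devbox sshd[2001]: Failed password for invalid user admin from 203.0.113.5 port 40123 ssh2
Nov 12 10:15:04 devbox sshd[2003]: Failed password for root from 203.0.113.5 port 40124 ssh2
Nov 12 10:15:06 devbox sshd[2004]: Failed password for root from 203.0.113.5 port 40125 ssh2
Nov 12 10:15:09 devbox sshd[2005]: Failed password for invalid user oracle from 203.0.113.5 port 40126 ssh2
Nov 12 10:16:00 devbox sshd[2010]: Failed password for patrick from 198.51.100.7 port 51000 ssh2
Nov 12 10:40:00 devbox sshd[2011]: Failed password for patrick from 198.51.100.7 port 51001 ssh2
Nov 12 10:40:05 devbox sshd[2012]: Accepted publickey for patrick from 198.51.100.7 port 51002 ssh2
""".splitlines()

if __name__ == "__main__":
    for rule in block_rules(addresses_to_block(SAMPLE_LOG)):
        print(rule)
```

The window and threshold are the knobs that decide between catching slow attackers and locking out a colleague who fat-fingered a password twice.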