SSH Root Access Attempts
Posted by Christian Little, 02-11-2011, 10:19 PM |
We're starting to see a number of SSH root access attempts on one of our servers, example:
When you get something like this popup, do you just let the firewall block them? Or do you take it a step further and contact the ISP that the request originated from usually?
We're trying to figure out our policy on these probing attempts since they are increasing in frequency and would like opinions from the rest of you.
|
Posted by jackpx, 02-11-2011, 10:25 PM |
Change for the ssh, install CSX
|
Posted by Squidix - SamBarrow, 02-11-2011, 10:42 PM |
I got at least 20 of these today, and that's only on the servers which have notifications going straight to my email.
Just let the firewall do its job.
|
Posted by FLDataTeK, 02-11-2011, 11:33 PM |
If you are running SSH on port 22 then yes, you will get those a lot. I would suggest moving SSH to a random port number; then you will not see them as much.
Other than that, let the FW do the job.
|
Posted by greatseeder, 02-11-2011, 11:41 PM |
Changing the default port which you seem to have done in combination with a good firewall is all you need. Further security steps would be to disable the Root SSH login, which prevents them from brute forcing it if they find out which port you are using.
|
Posted by Christian Little, 02-11-2011, 11:48 PM |
I'll look into CSX, is it reliable enough?
Changing the port number won't fix it, look at the port numbers they are probing in the example above (i.e. 60313, 35531, etc.). Each attempt is on a completely random port #.
As for disabling SSH to prevent a brute force method like greatseeder suggests, I think our firewall can handle that. It's currently set to block an IP once 5 failed login attempts occur, a brute force attack would use several million attempts so I think we're secure there.
|
Posted by foobic, 02-12-2011, 12:16 AM |
I think you'll find it will. Those are the IPs / ports they're probing from, they're still connecting to your server on 22.
|
Posted by bsdvps, 02-12-2011, 01:26 AM |
I've had brute force attempts on 2222/tcp before.
|
Posted by Christian Little, 02-12-2011, 01:42 AM |
Ahhh...my bad lol. OK, I've changed the SSH port and blocked 22, let's see how that plays out.
Thanks
|
Posted by StealthyHosting, 02-12-2011, 01:42 AM |
If you spent time reporting every brute force attempt to every ISP you would spend days... Change the SSH port and let the firewall do its job.
|
Posted by LVPSHosting, 02-12-2011, 02:39 AM |
Block all IP addresses except your ISP provider in the firewall for the SSH port.
|
Posted by ZenMonk, 02-12-2011, 03:15 AM |
Yes, as mentioned by lvpshost, drop all traffic to your SSH port by default in iptables and allow the IPs from which you or your staff connect. If you are on DHCP, make sure to allow the range of IPs in the firewall.
|
Posted by Christian Little, 02-12-2011, 12:24 PM |
I like that idea, I'll give it a shot if changing the port # doesn't stop the intrusion attempts.
|
Posted by Squidix - SamBarrow, 02-12-2011, 12:36 PM |
I don't bother changing the port. Security by obscurity isn't real security, it just makes it more of a pain for me to use since I always forget which port I used. We have root login disabled and very secure passwords on all servers.
By the way, CXS is a whole different tool, used for identifying suspicious files on your server, it won't help with this at all. I would recommend using it though.
|
Posted by srider, 02-12-2011, 12:43 PM |
I use CSF firewall and on servers that my clients do not access I have it set to ban an IP after two failed login attempts. For servers that my clients do use I allow 3 failed attempts but I also add their primary IP, if they have one that is static, to the csf.ignore file so they are never banned.
I have the unusual situation of being personally acquainted with almost all of my clients so I'm able to trust them more than one might trust a stranger.
|
Posted by iTom, 02-12-2011, 01:04 PM |
Move the SSH port if it's still on 22, and let the firewall do its job.
Also disable root logins.
|
Posted by Hostify Networks, 02-12-2011, 07:07 PM |
You can disable those emails in the configuration. If you don't, expect your inbox to fill up with them. As long as you have a strong password consisting of upper and lowercase letters, numbers, and symbols, you should be fine.
|
Posted by jankocharlie, 02-12-2011, 10:24 PM |
Christian Little:
Do you have a dedicated IP to connect to your server? If yes then you can block access to server (SSH) from all others.
just add the following in the /etc/hosts.deny file
SSHD: ALL EXCEPT "YOURIP"
|
Posted by mugo, 02-13-2011, 03:33 AM |
Something simple you can add, Denyhost or Fail2Ban that blocks IPs once so many attempts are made.
Using key-based and non-password auth is an even better method.
Want to get really edgy? Portknocking. Put a combo-lock on that sucker.
|
Posted by netmar, 02-13-2011, 02:19 PM |
Someone already mentioned csf, which is a good tool for blocking all sorts of flood attacks, so I'll just add fail2ban as a lighter alternative.
You should be able to get it from repo if you're using Ubuntu/Debian or CentOS/RHEL (at least in RPMforge). It's fairly small and straightforward, and easier to setup than csf.
|
Posted by EMBRobert, 02-13-2011, 02:28 PM |
Change port, use keys, use csf and tcp wrappers.
|
Posted by Website themes, 02-13-2011, 04:14 PM |
What about from a performance point of view? Do you really have CPU cycles to waste on bots that keep probing port 22?
To the OP, in addition to moving from port 22 you really should turn off password based authentication and switch to public key crypto.
|
Posted by jon-f, 02-13-2011, 04:45 PM |
Well you definitely need some sort of script like CSF or apf/bfd. Csf being the better of the two. No matter what though as long as your ssh is on standard port you will get brute force attempts, mainly from other compromised servers scanning ranges for port 22 being open then attempting to brute force login.
With CSF it will ban after so many attempts, I think 5 or 10 by default, but you will still get them until you change the ssh port. Some people recommend using some high range port like 65530 or something. I recommend using something between 1 and 1024 that only root can open. That will stop automated attempts, but if you are under a targeted hack it is still easy to find your ssh with a port scan, so changing it is mainly a way to prevent automated attacks.
|
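The "ban after N failed attempts" rule that several replies describe (the OP's firewall at 5, srider's CSF at 2 or 3 with a csf.ignore allow list, jon-f's CSF default), as an added example that is not part of the thread and not CSF or fail2ban code. It keys on the source IP rather than the client port, which is the confusion foobic cleared up: the client port changes on every connection. The log lines are constructed samples.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (not from the thread): one noisy source,
# one quieter source, and a trusted admin who mistypes a password once.
SAMPLE_AUTH_LOG = """\
Feb 11 22:10:01 web1 sshd[2101]: Failed password for root from 198.51.100.7 port 60313 ssh2
Feb 11 22:10:03 web1 sshd[2103]: Failed password for root from 198.51.100.7 port 35531 ssh2
Feb 11 22:10:05 web1 sshd[2105]: Failed password for invalid user admin from 198.51.100.7 port 41020 ssh2
Feb 11 22:10:07 web1 sshd[2107]: Failed password for root from 198.51.100.7 port 41022 ssh2
Feb 11 22:10:09 web1 sshd[2109]: Failed password for root from 198.51.100.7 port 41025 ssh2
Feb 11 22:11:00 web1 sshd[2120]: Failed password for root from 203.0.113.9 port 50001 ssh2
Feb 11 22:11:02 web1 sshd[2122]: Failed password for root from 203.0.113.9 port 50002 ssh2
Feb 11 22:12:30 web1 sshd[2130]: Failed password for deploy from 192.0.2.10 port 52210 ssh2
Feb 11 22:12:35 web1 sshd[2131]: Accepted publickey for deploy from 192.0.2.10 port 52211 ssh2
"""

# Matches only failed password logins; "invalid user" lines are included.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port (?P<port>\d+)"
)


def count_failures(log_text):
    """Return {source_ip: number_of_failed_password_attempts}.

    The client port is deliberately ignored: it is random per connection,
    so counting per (ip, port) would never reach any threshold.
    """
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return dict(counts)


def ips_to_ban(log_text, threshold=5, ignore=()):
    """Source IPs at or above the failure threshold, minus a csf.ignore-style
    allow list of addresses that must never be banned (e.g. a static staff IP)."""
    ignored = set(ignore)
    return sorted(
        ip for ip, n in count_failures(log_text).items()
        if n >= threshold and ip not in ignored
    )
```

With the sample log, a threshold of 5 bans only 198.51.100.7; a threshold of 2 would also catch 203.0.113.9 unless it were on the ignore list.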
Posted by Squidix - SamBarrow, 02-13-2011, 07:46 PM |
With a server running hundreds of php/mysql sites, I'd say those SSH attempts use about .001% of our cpus. My time and trouble to remember ssh ports as well as hand them out to all my employees is worth more than that.
|
Posted by WW_P, 02-14-2011, 12:11 AM |
I still run 22 or 2222 or 22222 on all servers, but disable password auth and only use keyfile auth - fixes most of the issues.
|
Posted by DewlanceHosting, 02-14-2011, 12:55 AM |
Change your ssh port to another port (don't use 22 or 2222).
You can change your port to 43, etc., and disable password authorization. For SSH access use ssh key authorization.
If you're using CSF then don't forget to add your new port in CSF and remove port 22 from CSF (just replace your port 22 with the new port in the CSF config).
|
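The sshd_config changes recommended across the thread (move off port 22, PermitRootLogin no, PasswordAuthentication no, key-based auth), as an added audit example that is not part of the thread and is not OpenSSH code. It assumes the parsing rules sshd actually uses: keywords are case-insensitive, the first occurrence of a keyword wins, and anything after the first Match line is conditional rather than global. Both config texts are constructed samples.

```python
# Constructed sample sshd_config files (not from the thread).
WEAK_CONFIG = """\
# typical out-of-the-box settings
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_CONFIG = """\
Port 2222
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
AllowUsers deploy admin
Match User deploy
    PasswordAuthentication yes   # conditional: must not override the global "no"
"""


def parse_sshd_config(text):
    """Return {keyword_lowercase: value} for the global section only.

    Mirrors sshd: comments and blank lines are skipped, the first occurrence
    of a keyword wins, and parsing stops at the first Match block.
    Assumes whitespace-separated "Keyword value" lines (the common form).
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text):
    """List the weak settings the thread recommends fixing; [] means clean."""
    s = parse_sshd_config(text)
    findings = []
    if s.get("port", "22") == "22":          # sshd defaults to 22 when unset
        findings.append("Port 22: default port, expect automated probes")
    root = s.get("permitrootlogin", "not set")
    if root not in ("no", "without-password", "prohibit-password"):
        findings.append(f"PermitRootLogin {root}: root password login allowed")
    if s.get("passwordauthentication", "yes") == "yes":  # default is yes
        findings.append("PasswordAuthentication yes: brute force possible, use keys")
    if s.get("pubkeyauthentication", "yes") == "no":
        findings.append("PubkeyAuthentication no: key-based login disabled")
    return findings
```

Run it against both samples: the weak file yields three findings, the hardened one none, and the per-user Match override is correctly not counted as a global setting.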