Getting quite a lot of failed SSH login entries

Posted by eccenpix, 12-23-2011, 08:29 PM
I was checking the firewall log for my server and found that there are at least 2 IPs getting blocked daily for failing SSH login. About half of them are from China and the rest from other countries in Europe, Asia, etc. Is it normal to see this many login attempts? What would be the best way to secure SSH from unauthorized IPs? I am new to server configuration and still learning (I am running CentOS 5.x with WHM/cPanel).

Posted by kazila, 12-23-2011, 11:00 PM
By default the SSH port is set to 22, and by changing it you can cut down on unauthorized SSH login attempts significantly. Here's how to do it: Log into SSH and edit the sshd_config file, which is located in the /etc/ssh directory. Scroll down until you see the following line: Delete the # symbol and change the 22 to a different port to your liking; it can be any number. It should look like this: Save the file (CTRL-X), Y, and then enter. Finally, you just need to restart SSH. That's it! Next time you SSH into your server, be sure to utilize the new port. Good luck!

Posted by bear, 12-23-2011, 11:29 PM
Make sure you can log in before closing the original shell window! This won't stop the attempts, it will make it harder to guess the right port before the firewall notices and bans. 2 per day is pretty small. Quite a lot more than that try on mine each day.

Posted by fshagan, 12-24-2011, 12:04 AM
I would also recommend installing a software firewall like CSF (from http://configserver.com ... it is free). CSF will provide a "security audit" and give you a few more pointers. As bear said, make sure you can log in with another SSH session before closing your original window. Also, if you do have a firewall in place, be sure to add the new SSH port to the allowed ports.

Posted by hoststopuk, 12-24-2011, 12:12 AM
If you are using any firewall, see to it that the new port is opened. If you have a static IP address, you can restrict SSH access to specific IPs using TCP Wrappers.

Posted by hwsgeek, 12-24-2011, 12:28 AM
If you see a lot of failed login attempts, your best course of action would be to secure your ssh service. Make sure you change ssh port, install lfd or bfd, install csf/apf.

Posted by bear, 12-24-2011, 12:29 AM
He is/was.

Posted by Server Management, 12-24-2011, 12:45 AM
OP, have you secured SSH correctly?

Posted by fshagan, 12-24-2011, 12:29 PM
You mean to tell me that his statement "I was checking firewall log for my server ..." should have led me to believe he already had a firewall? (Can't believe I missed that!) I did lock myself out of a VPS using CSF after changing the SSH port. I made a typo on the "TCP IN" and "TCP OUT" ports listing, and closed my initial SSH session and tried to log back in. It wasn't a disaster because of the WHM interface to CSF.

Posted by ishan, 12-24-2011, 01:27 PM
In addition to the above, you could set up an admin/wheel user and disable root login to SSH. After changing SSH port and disabling root login, I am not seeing any failed login attempts in our firewall logs.

Posted by SafeSrv, 12-24-2011, 04:13 PM
Disable pass auth and use keys - change ssh port - vpn the new port.

Posted by fshagan, 12-24-2011, 08:45 PM
That's primarily from changing the port. Otherwise, you would still be getting the people trying to log into port 22 with "admin" and "webmaster". Before I changed SSH to another port I was getting over a dozen blocked intrusion attempts on my little VPS. The Internet is a scary place.
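
The sshd_config changes suggested in this thread (non-default port, no direct root login, keys instead of passwords) can be checked before restarting SSH. The following is an added example, not code posted by anyone in the thread; the sample configs, port 2222 and the assumed defaults for older OpenSSH releases are constructed for illustration.

```python
import re

# Assumed defaults (older OpenSSH) for a keyword that is absent or commented out.
DEFAULTS = {"permitrootlogin": "yes", "passwordauthentication": "yes"}

def effective_settings(config_text):
    """Global settings sshd would use: first value wins, except Port, which accumulates."""
    ports, first = [], {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # "#Port 22" is only a comment, so the default still applies
        m = re.match(r"(\w+)(?:\s*=\s*|\s+)(.+)$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().strip('"')
        if key == "match":
            break  # conditional Match blocks are not evaluated in this check
        if key == "port":
            ports.append(value)  # every Port line adds a listening port
        else:
            first.setdefault(key, value.lower())  # later duplicates are ignored
    settings = {k: first.get(k, d) for k, d in DEFAULTS.items()}
    settings["port"] = ports or ["22"]
    return settings

def audit(config_text):
    """Return a list of findings; an empty list means all three checks pass."""
    s = effective_settings(config_text)
    findings = []
    if "22" in s["port"]:
        findings.append("sshd still listens on port 22")
    if s["permitrootlogin"] == "yes":
        findings.append("direct root login is allowed")
    if s["passwordauthentication"] != "no":
        findings.append("password authentication is allowed")
    return findings

# Constructed samples: a stock-style file and a hardened one.
BEFORE = "#Port 22\n#PermitRootLogin yes\nPasswordAuthentication yes\n"
AFTER = "Port 2222\nPermitRootLogin no\nPasswordAuthentication no\n"

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(text) or "ok")
```

Run it against a copy of /etc/ssh/sshd_config while the original shell session is still open, and confirm the firewall allows the new port before logging out.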


