
Question

Our system used to get bombarded by bots trying to log in to the SSH server on the standard port. After switching to another port number the failed login attempts basically stopped completely. Recently, in the past week, there have been a few unknown IP addresses attempting to log in (on average about 60 attempts a day) that appear to be on a few different networks coming from the same ISP in China.

I have no security experience, other than basic setup of clients and changing passwords etc.

We are using logwatch to gather some information on the login attempts. What is the key information I will need about the attempts to analyze the situation and take action?

What are basic steps to make sure we have not already been breached?

What other actions should I take?

Explanation / Answer

Another suggestion, that is actually better than fail2ban, is to firewall off ALL IPs EXCEPT for a few permitted ones.

Thus let's say you have an SSH server at home that you access from your vacation home (3G mobile broadband) and your work.

Your work probably has a static IP. It is simple to tell the firewall to allow through packets from this IP.

3G mobile broadband changes with each connection, but you can easily look in WHOIS for the ISP's assigned range. For example: "123.123.0.0 to 123.123.255.255". Then you tell your firewall to let through 123.123.0.0/16 to port 22 on your server.

Even in this case you have allowed every customer on that 3G mobile operator to authenticate against your SSH server, but STILL it's a HUGE security improvement, since instead of allowing the whole world to authenticate against your SSH server, you have limited this to only customers having a specific ISP account in one country.

Country locks are also a very good idea if you have multiple users on your SSH server but you know that all users are in a specific country. For example, if you sold webhosting to them using a payment method that can only be used by citizens of a specific country, then it's safer to simply lock out all countries except for the countries you accept customers from.

Another step you can take is to limit the rate of logins using iptables, such as this:

iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m limit --limit 3/minute --limit-burst 3 -j ACCEPT

iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT

Using the two firewall rules above limits login attempts to 3 per minute. Modify accordingly to your needs.
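The two ideas in this answer, an allowlist of source networks and a rate limit on new connections, combined into one reviewable rule set. This is an added example, not code from the original answer; the port and the networks are constructed sample values, and note that -m limit counts all sources together, so the accepted rate is shared between your permitted networks, and that the trailing DROP is needed whenever the INPUT chain's default policy is ACCEPT, otherwise over-limit packets fall through and are still accepted.

```shell
#!/bin/sh
# Added example: generate iptables rules that allow SSH only from a few
# source networks, rate-limit new connections, and explicitly drop the rest.
# Rules are printed rather than applied, so they can be reviewed first
# (pipe the output to `sh` as root to apply them on a live system).

gen_ssh_rules() {
    port="$1"      # SSH port, standard or otherwise
    allowed="$2"   # space-separated CIDRs permitted to reach the port
    echo "iptables -N SSH_IN 2>/dev/null || iptables -F SSH_IN"
    # Packets belonging to an already accepted session pass straight through.
    echo "iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Every new connection to the port is judged in the SSH_IN chain.
    echo "iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j SSH_IN"
    for net in $allowed; do
        # Permitted networks are still rate-limited: 3 new connections per
        # minute in total (-m limit is global, not per source address).
        echo "iptables -A SSH_IN -s $net -m limit --limit 3/minute --limit-burst 3 -j ACCEPT"
    done
    # Wrong network, or over the limit: log (itself rate-limited) and drop.
    echo "iptables -A SSH_IN -m limit --limit 5/minute -j LOG --log-prefix 'SSH_DROP: '"
    echo "iptables -A SSH_IN -j DROP"
}

# Number of ACCEPT rules in the generated set: one for established traffic
# plus one per permitted network. Useful as a sanity check before applying.
count_accepts() {
    gen_ssh_rules "$1" "$2" | grep -c -- '-j ACCEPT'
}

# Usage: ./ssh_rules.sh --print 2222 "203.0.113.0/24 198.51.100.7"
if [ "${1:-}" = "--print" ]; then
    gen_ssh_rules "${2:-22}" "${3:-203.0.113.0/24}"
fi
```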
