Wow. It took a whole day for the world to find me after I opened port 22. I always assumed VPS providers were *huge* targets for the botnet crowd, so I'm not surprised.

What does surprise me is the sheer stupidity of the probes. 349 attempts in 15 minutes from one box at Datotel, all trying to ssh root on high ports. Ha! (Yes, I shared this with the @abuse contact for Datotel.) At least the probes routed through Taiwan and the PRC tried common-user-name attacks and gave up after a dozen failures.

I'd forgotten how amusing syslog could be.

Just in case you don't know of it, fail2ban is great.

Switching the port in sshd_config to some random large number works miracles too. But yeah, fail2ban or denyhosts do their work nicely.
I'm actually considering setting up a second sshd on 22, configured to refuse and log every connection. Some providers actually react to abuse@ emails, after all...

It's fun to tail those sometimes, because you see things like:


So that single administrator with 'harrypotter' on his box had better watch out.

_________________
Disclaimer: I am no longer employed by Linode; opinions are my own alone.

Voldemort, is that you?

_________________
/ Peter

So "Alohomora" didn't work eh?

Unless you have a real need for keyboard-interactive authentication, it's far better to go key-only. Good luck brute-forcing an RSA key!

On the other hand, that doesn't really help stop the logs from getting spammed with failed login attempts, so either fail2ban or a firewall rate-limiting rule for new SSH connections is still a good idea.

_________________
Bus error (passengers dumped)

Most bots are smart enough to look at the authentication methods and ignore the host if it doesn't offer keyboard-interactive. Why? Because they aren't getting in, so why waste the time?

That said, the single best thing you can do is simply change the port (and add two lines to ~/.ssh/config to make it transparent).

Can you tell me which lines you're talking about?

Ah, I see what you're saying, it's so you don't have to type the -p 8947, part.

Thanks.

If you need to get out of a corporate firewall, use port 443 if it is available on your Linode. Several people at my office do this, works great.

I still see see a very few scans daily on 443, but mostly for the same users every time - root, admin and cisco.

James

DenyHosts is also good, and you can get a munin graph to see how many haxxors tried and failed.

Even if you can't use SSH over 443, you can almost definitely tunnel SSH traffic via your proxy on port 443.

If you want to also run an HTTPS server, look into sslh [http://www.rutschle.net/tech/sslh.shtml]

Very interesting -- thanks for the tip.

_________________
/ Peter