Linux, Unix, and *nix like Operating Systems Forum

    
How many attempts to log into your web server daily?
BradleyT




msg:3800861
 2:51 pm on Dec 5, 2008 (gmt 0)

LogWatch reports an average of about 10,000 attempts to log into sshd per day.

Is this high or low? I've moved ssh onto a port > 10000 but this number hasn't gone down any since the move. I guess [or hope] that LogWatch is reporting attempts on invalid ports.

Is there anything else I can do? SSH only allows log in from 2 users (not root) and both have strong passwords.

 

mcavic




msg:3801453
 5:57 am on Dec 6, 2008 (gmt 0)

I'd suspect that sshd is still listening on the default port as well as the custom one. 10,000 attempts on a custom port seems quite unusual. Also, LogWatch shouldn't report attempts on invalid ports, unless it's reading an iptables log (and by default, there isn't an iptables log).

BradleyT




msg:3802636
 4:33 pm on Dec 8, 2008 (gmt 0)

You might be right about it still listening on the default port.

I use Webmin and there are 2 sections for ports. The first section is "Listen on Address" and as a second part of that "Listen on port" where default was radio box selected. Right below that was a single entry called "Listen on Port" where I had changed the port.

I just changed the first section to use the new port and will see if that decreases the number of attempts today.

Thanks for the suggestion.

vincevincevince




msg:3806835
 4:47 pm on Dec 13, 2008 (gmt 0)

10k attempts is nothing unusual. If I feel like it, I will report the most persistent offenders.
whois the.ip.add.ress
Abuse email details for their ISP are usually listed.

Nutter




msg:3815379
 4:22 am on Dec 29, 2008 (gmt 0)

That's about what I was getting before switching ports. Now when I get a notice about an invalid login it's usually me mistyping my password.

jeffatrackaid




msg:3826556
 11:22 pm on Jan 14, 2009 (gmt 0)

If you can limit access via iptables, then you can block all of this. Most versions of SSH use tcp wrappers so you can use /etc/hosts.allow and /etc/hosts.deny if you are not comfortable using iptables.

Also there are some options within SSH itself that can help.

MaxAuthTries #

This limits the number of password attempts per connection. For a brute-force attack a low number means the attacker has to initiate another connection to the server. This slows down the attack.

You could switch to key only authentication and disable passwords completely.

Lastly, there are tools such as DenyHosts:
[denyhosts.sourceforge.net...]
Which can auto-block offending IP addresses.

I recently saw a PAM module that did the same thing. I need to dig up the link. I like the PAM module as it is relatively transparent to most applications and protects SSH as well as other systems that use PAM authentication.
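
Added example, not part of any poster's message: a small auditor for sshd_config text that checks the points raised in this thread (sshd still bound to port 22 alongside a custom port, MaxAuthTries, and password authentication). The sample config is constructed, the threshold of 3 for MaxAuthTries is an assumption, and the Port/ListenAddress handling follows the rules described in sshd_config(5).

```python
# Added example: audit sshd_config text for the settings raised in this thread.
# SAMPLE_CONFIG is constructed; the MaxAuthTries threshold of 3 is an assumption.
SAMPLE_CONFIG = """\
# constructed: custom port added, default port never removed
Port 22
Port 12022
ListenAddress 0.0.0.0
#PasswordAuthentication no
"""
# OpenSSH defaults that apply when a keyword is absent from the file
DEFAULTS = {"maxauthtries": "6", "passwordauthentication": "yes"}


def audit_sshd_config(text):
    """Return (sorted listening ports, list of findings)."""
    ports, explicit, first = [], [], {}
    bare_listen = listen_seen = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split()
        if len(parts) < 2:
            continue
        key, value = parts[0].lower(), parts[1]
        if key == "port":
            ports.append(int(value))  # Port may be given several times
        elif key == "listenaddress":
            listen_seen = True
            if (value.startswith("[") and "]:" in value) or value.count(":") == 1:
                explicit.append(int(value.rsplit(":", 1)[1]))  # host:port form
            else:
                bare_listen = True  # no port given: uses every Port value
        else:
            first.setdefault(key, value.lower())  # first value wins
    effective = set(explicit)
    if bare_listen or not listen_seen:
        effective.update(ports or [22])  # Port defaults to 22
    settings = {**DEFAULTS, **first}
    findings = []
    if 22 in effective:
        findings.append("still listening on default port 22")
    if int(settings["maxauthtries"]) > 3:
        findings.append("MaxAuthTries is " + settings["maxauthtries"])
    if settings["passwordauthentication"] == "yes":
        findings.append("password authentication enabled")
    return sorted(effective), findings


if __name__ == "__main__":
    print(audit_sshd_config(SAMPLE_CONFIG))
```

Feed it the contents of the server's own sshd_config; a ListenAddress entry that carries its own port keeps sshd on that port regardless of the Port lines.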

janharders




msg:3826565
 11:32 pm on Jan 14, 2009 (gmt 0)

We've introduced port knocking a while back ... gives you that extra feeling of security because no brute-force tries are coming through.
Plus it's nice to look at auth.log and actually see relevant data ... funny enough, I was looking at it and saw that one web designer continually failed to log in ... so I called him and asked if he had forgotten his password. Turns out he was just seconds away from calling me and got spooked ;)

WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved