Welcome to WebmasterWorld Guest from 54.234.114.182

Forum Moderators: bakedjake

Message Too Old, No Replies

How many attempts to log into your web server daily?

     
2:51 pm on Dec 5, 2008 (gmt 0)

Preferred Member

10+ Year Member

joined:Feb 18, 2003
posts:629
votes: 0


LogWatch reports an average of about 10,000 attempts to log into sshd per day.

Is this high or low? I've moved ssh onto a port > 10000 but this number hasn't gone down any since the move. I guess [or hope] that LogWatch is reporting attempts on invalid ports.

Is there anything else I can do? SSH only allows log in from 2 users (not root) and both have strong passwords.

5:57 am on Dec 6, 2008 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Mar 31, 2003
posts:1316
votes: 0


I'd suspect that sshd is still listening on the default port as well as the custom one. 10,000 attempts on a custom port seems quite unusual. Also, LogWatch shouldn't report attempts on invalid ports, unless it's reading an iptables log (and by default, there isn't an iptables log).
4:33 pm on Dec 8, 2008 (gmt 0)

Preferred Member

10+ Year Member

joined:Feb 18, 2003
posts:629
votes: 0


You might be right about it still listening on the default port.

I use Webmin and there are 2 sections for ports. The first section is "Listen on Address" and as a second part of that "Listen on port" where default was radio box selected. Right below that was a single entry called "Listen on Port" where I had changed the port.

I just changed the first section to use the new port and will see if that decreases the number of attempts today.

Thanks for the suggestion.

4:47 pm on Dec 13, 2008 (gmt 0)

Senior Member from MY 

WebmasterWorld Senior Member vincevincevince is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Apr 1, 2003
posts:4847
votes: 0


10k attempts is nothing unusual. If I feel like it, I will report the most persistent offenders.
whois the.ip.add.ress

Abuse email details for their ISP are usually listed.
4:22 am on Dec 29, 2008 (gmt 0)

Preferred Member

10+ Year Member

joined:May 4, 2004
posts:489
votes: 0


That's about what I was getting before switching ports. Now when I get a notice about an invalid login it's usually me mistyping my password.
11:22 pm on Jan 14, 2009 (gmt 0)

New User

5+ Year Member

joined:Jan 14, 2009
posts: 40
votes: 0


If you can limit access via iptables, then you can block all of this. Most versions of SSH use tcp wrappers so you can use /etc/host.allow /etc/host.deny if you are not comfortable using iptables.

Also there are some options within SSH itself that can help.

MaxAuthTries #

This limits the number of password attempts per connection. For a brute-force attack a low number means the attacker has to initiate another connection to the server. This slows down the attack.

You could switch to key only authentication and disable passwords completely.

Lastly, there are tools such as DenyHosts:
[denyhosts.sourceforge.net...]
Which can auto-block offending IP addresses.

I've recently saw a PAM module that did the same thing. I need to dig up the link. I like the PAM module as it is relatively transparent to most applications and protects SSH as well as other systems that use PAM authentication.

11:32 pm on Jan 14, 2009 (gmt 0)

Senior Member

WebmasterWorld Senior Member 5+ Year Member

joined:May 31, 2008
posts:661
votes: 0


We've introduced port knocking a while back ... gives you that extra feeling of security because no brute force-tries are coming through.
plus it's nice to look at auth.log and actually see relevant data ... funny enough I was looking at it and saw that one webdesigner continually failed to log in ... so I called him and asked if he had forgotten his password, turns out, he was just seconds away from calling me and got spooked ;)
 

Join The Conversation

Moderators and Top Contributors

Hot Threads This Week

Featured Threads

Free SEO Tools

Hire Expert Members