Is this high or low? I've moved ssh onto a port > 10000 but this number hasn't gone down any since the move. I guess [or hope] that LogWatch is reporting attempts on invalid ports.
Is there anything else I can do? SSH only allows log in from 2 users (not root) and both have strong passwords.
I use Webmin and there are 2 sections for ports. The first section is "Listen on Address" and as a second part of that "Listen on port" where default was radio box selected. Right below that was a single entry called "Listen on Port" where I had changed the port.
I just changed the first section to use the new port and will see if that decreases the number of attempts today.
Thanks for the suggestion.
Also there are some options within SSH itself that can help.
MaxAuthTries #
This limits the number of password attempts per connection. For a brute-force attack a low number means the attacker has to initiate another connection to the server. This slows down the attack.
You could switch to key only authentication and disable passwords completely.
Lastly, there are tools such as DenyHosts:
[denyhosts.sourceforge.net...]
Which can auto-block offending IP addresses.
I recently saw a PAM module that did the same thing. I need to dig up the link. I like the PAM module as it is relatively transparent to most applications and protects SSH as well as other systems that use PAM authentication.
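Added example, not part of the original posts: a small Python check that reads an sshd_config and reports which ports sshd will actually bind (the Port / ListenAddress confusion described earlier in the thread) alongside the MaxAuthTries, password-authentication and user-restriction settings discussed above. The sample config, the user names and the `max_tries=3` threshold are constructed assumptions, and the parser only looks at global scope (it stops at the first Match block).

```python
# Constructed sample sshd_config (not from the thread): Port was moved, but
# one ListenAddress line still carries an explicit port 22.
SAMPLE = """\
Port 10222
ListenAddress 0.0.0.0:22
ListenAddress 192.0.2.10
MaxAuthTries 6
PasswordAuthentication yes
AllowUsers alice bob
"""

def parse(text):
    """Collect global-scope directives as {keyword: [values in file order]}."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == "match":
            break  # Match blocks are conditional; only global scope is audited
        if len(parts) == 2:
            conf.setdefault(parts[0].lower(), []).append(parts[1].strip())
    return conf

def listen_ports(conf):
    """Ports sshd binds: explicit ListenAddress ports, else every Port value."""
    ports = {int(p) for p in conf.get("port", [])} or {22}  # default is 22
    bound = set()
    for addr in conf.get("listenaddress", []):
        host, sep, tail = addr.rpartition(":")
        # host:port or [ipv6]:port carries its own port; bare IPv6 does not
        explicit = sep and tail.isdigit() and (host.endswith("]") or ":" not in host)
        bound |= {int(tail)} if explicit else ports
    return sorted(bound or ports)

def audit(text, max_tries=3):  # max_tries threshold is this example's assumption
    conf = parse(text)
    first = lambda key, default: conf.get(key, [default])[0]  # first value wins
    ports, findings = listen_ports(conf), []
    if 22 in ports:
        findings.append("still listening on port 22")
    if int(first("maxauthtries", "6")) > max_tries:
        findings.append(f"MaxAuthTries {first('maxauthtries', '6')} > {max_tries}")
    if first("passwordauthentication", "yes").lower() == "yes":
        findings.append("password authentication enabled")
    if "allowusers" not in conf:
        findings.append("no AllowUsers restriction")
    return ports, findings
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative check; this sketch is for reviewing a config file offline.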