Today I read an article about SSH security regarding annoying scripts that bombard sites with commonly used logins via port 22 (SSH). I took two steps to make my site invisible to such scripts. First, I used my router to forward an undisclosed port to port 22, so that scripts that scan for port 22’s availability skip my site. Second, I configured sshd to only allow logins for my user name. Therefore all the script name spoofing (such as root) will be automatically disallowed. The following log lines show the attacks my system was logging in /etc/system.log.
Feb 12 07:10:08 localhost sshd[1937]: Illegal user test from 211.156.185.39
Feb 12 07:10:15 localhost sshd[1939]: Illegal user guest from 211.156.185.39
Feb 12 07:10:25 localhost sshd[1941]: Illegal user admin from 211.156.185.39
Feb 12 07:10:32 localhost sshd[1943]: Illegal user admin from 211.156.185.39
Feb 12 07:56:28 localhost sshd[1958]: Illegal user test from 203.117.109.244
Feb 12 07:56:31 localhost sshd[1960]: Illegal user guest from 203.117.109.244
Feb 12 07:56:34 localhost sshd[1962]: Illegal user admin from 203.117.109.244
Feb 12 07:56:37 localhost sshd[1964]: Illegal user admin from 203.117.109.244
Feb 12 07:56:40 localhost sshd[1966]: Illegal user user from 203.117.109.244
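As an added example (not part of the original post), the following Python sketch groups the rejected-username lines above by source address, to show how many names each source tried and how quickly. The function name `summarize`, the `min_attempts` threshold and the placeholder `year` are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# The nine log lines shown in the post above.
SAMPLE_LOG = """\
Feb 12 07:10:08 localhost sshd[1937]: Illegal user test from 211.156.185.39
Feb 12 07:10:15 localhost sshd[1939]: Illegal user guest from 211.156.185.39
Feb 12 07:10:25 localhost sshd[1941]: Illegal user admin from 211.156.185.39
Feb 12 07:10:32 localhost sshd[1943]: Illegal user admin from 211.156.185.39
Feb 12 07:56:28 localhost sshd[1958]: Illegal user test from 203.117.109.244
Feb 12 07:56:31 localhost sshd[1960]: Illegal user guest from 203.117.109.244
Feb 12 07:56:34 localhost sshd[1962]: Illegal user admin from 203.117.109.244
Feb 12 07:56:37 localhost sshd[1964]: Illegal user admin from 203.117.109.244
Feb 12 07:56:40 localhost sshd[1966]: Illegal user user from 203.117.109.244
"""

# Older sshd builds log "Illegal user"; newer OpenSSH releases log "Invalid user".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?:Illegal|Invalid) user (?P<user>\S+) from (?P<ip>\S+)"
)

def summarize(log_text, year=2000, min_attempts=3):
    """Return {ip: {attempts, users, span_seconds}} for noisy sources."""
    # syslog timestamps carry no year, so `year` is an assumed placeholder.
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a rejected-username line
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events[m["ip"]].append((when, m["user"]))

    report = {}
    for ip, hits in events.items():
        if len(hits) < min_attempts:
            continue  # below the reporting threshold
        times = [t for t, _ in hits]
        report[ip] = {
            "attempts": len(hits),
            "users": sorted({u for _, u in hits}),
            "span_seconds": int((max(times) - min(times)).total_seconds()),
        }
    return report

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        print(ip, info)
```

Several different usernames from one address within a few seconds is the pattern of the scripted guessing described above, and it is the same signal an automated blocker would key on.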