SSH Security

Today I read an article about SSH security, specifically about the annoying scripts that bombard sites with commonly used logins via port 22 (SSH). I took two steps to make my site invisible to such scripts. First, I used my router to forward an undisclosed port to port 22, so that scripts that scan for port 22’s availability skip my site. Second, I configured sshd to only allow logins for my user name, so all the login names the scripts spoof (such as root) are automatically disallowed. The following log excerpt shows the attacks my system was logging in /etc/system.log.


Feb 12 07:10:08 localhost sshd[1937]: Illegal user test from 211.156.185.39
Feb 12 07:10:15 localhost sshd[1939]: Illegal user guest from 211.156.185.39
Feb 12 07:10:25 localhost sshd[1941]: Illegal user admin from 211.156.185.39
Feb 12 07:10:32 localhost sshd[1943]: Illegal user admin from 211.156.185.39
Feb 12 07:56:28 localhost sshd[1958]: Illegal user test from 203.117.109.244
Feb 12 07:56:31 localhost sshd[1960]: Illegal user guest from 203.117.109.244
Feb 12 07:56:34 localhost sshd[1962]: Illegal user admin from 203.117.109.244
Feb 12 07:56:37 localhost sshd[1964]: Illegal user admin from 203.117.109.244
Feb 12 07:56:40 localhost sshd[1966]: Illegal user user from 203.117.109.244
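
To see how many sources are probing and which login names they try, the rejected attempts can be grouped by address. The script below is an added example, not part of the original post; its sample lines are constructed with documentation IP ranges, and the threshold values and the year used for parsing are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Older OpenSSH logs "Illegal user"; newer releases log "Invalid user".
PATTERN = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Illegal|Invalid) user (?P<user>\S+) from (?P<ip>\S+)"
)

# Constructed sample lines in the same format as the log excerpt above.
SAMPLE_LOG = """\
Feb 12 07:10:08 localhost sshd[1937]: Illegal user test from 203.0.113.7
Feb 12 07:10:15 localhost sshd[1939]: Illegal user guest from 203.0.113.7
Feb 12 07:10:25 localhost sshd[1941]: Illegal user admin from 203.0.113.7
Feb 12 07:10:32 localhost sshd[1943]: Illegal user admin from 203.0.113.7
Feb 12 07:56:28 localhost sshd[1958]: Illegal user test from 198.51.100.23
Feb 12 07:56:31 localhost sshd[1960]: Illegal user guest from 198.51.100.23
Feb 12 08:01:02 localhost sshd[1970]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2
"""

def summarize(log_text, year=2000):
    """Group rejected-username attempts by source address.

    Syslog timestamps carry no year, so one is assumed for parsing.
    """
    sources = defaultdict(
        lambda: {"attempts": 0, "users": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        m = PATTERN.match(line)
        if not m:
            continue  # successful logins and unrelated messages are skipped
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        s = sources[m["ip"]]
        s["attempts"] += 1
        s["users"].add(m["user"])
        s["first"] = s["first"] or when
        s["last"] = when
    return dict(sources)

def flag_scanners(sources, min_attempts=3, window_seconds=60):
    """Return addresses with at least min_attempts rejections inside the window."""
    flagged = []
    for ip, s in sources.items():
        span = (s["last"] - s["first"]).total_seconds()
        if s["attempts"] >= min_attempts and span <= window_seconds:
            flagged.append(ip)
    return sorted(flagged)

if __name__ == "__main__":
    print(flag_scanners(summarize(SAMPLE_LOG)))
```
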

  1. Hacker

    Poop! Foiled again!

  2. Ben

    Hehe, you don’t dig ssh… you dig a remote host!

    dig theholtsite.com

  3. jill

    yikes. This is total gibberish to me! Anyone else? I guess people either read this blog and are like, “whaaa?” or are like “right on, I dig ssh logins via port 2” and they actually understand what they are saying.
