[Klug-general] Auditing SSH login sessions
Alan Buchel
alan at communitytechnology.org.uk
Fri May 27 14:38:33 UTC 2011
lastb reveals failed login attempts. This is the output on one of our
*younger* mailservers:
[root at zzero.org ~]# lastb |wc -l
1728705
Reminds one of the importance of secure ssh passwords: what are the
chances of 1.7 million passwords matching one of yours?
There are good tricks with iptables to lock out IPs with x number of
failed attempts, but I have noted that most attackers will simply switch
the attack to another IP in the botnet as soon as your iptables starts
dropping their packets. A good defence against brute-force remains to
enforce ssh keys in /etc/ssh/sshd_config with:
PasswordAuthentication no
(BUT make sure your keys work before doing this or you get locked out of
yer own server DOH!)
Simpler still, you can restrict the IPs that are allowed to use ssh by
configuring your /etc/hosts.allow to restrict incoming connections; that
seems to take the strain off iptables and avoid a mushrooming /var/log/*
On 27/05/11 12:40, James Morris wrote:
> On 27 May 2011 12:32, Alan at comm-tech<alan at communitytechnology.org.uk> wrote:
>> last -a |grep accountname.
>>
>> On 27/05/11 11:59, Colin McCarthy wrote:
>>> Hi all, especially server peoples :)
>>>
>>> I need to audit SSH sessions against a specific account. This account is
>>> used by a company that is connected to our network via a VPN. I need to
>>> know how many times, when and for how long, they login within a 30 day
>>> period.
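As an added example (not code from the list post or its authors), here is a Python script that answers Colin's question by way of Alan's `last` suggestion: it parses `last -F` output (full login and logout timestamps; the line layout with a host column is assumed as on Linux) for one account and reports how many sessions there were, when, and how long, inside a 30-day window, handling "still logged in" and crash/shutdown entries explicitly. The sample output, the account name `vpnacct` and the fixed "now" are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of `last -F` output (full login/logout times); not from the list post.
SAMPLE_LAST_F = """\
vpnacct  pts/0        10.8.0.12        Mon May  2 09:15:01 2011 - Mon May  2 10:02:44 2011  (00:47)
vpnacct  pts/1        10.8.0.12        Tue May 10 14:00:07 2011 - Tue May 10 14:05:19 2011  (00:05)
root     pts/2        192.168.1.5      Wed May 25 11:00:00 2011 - Wed May 25 11:30:00 2011  (00:30)
vpnacct  pts/0        10.8.0.12        Thu May 26 08:30:00 2011   still logged in
vpnacct  pts/0        10.8.0.12        Thu Apr 14 08:00:00 2011 - Thu Apr 14 09:00:00 2011  (01:00)
wtmp begins Fri Apr  1 00:00:01 2011
"""
AUDIT_NOW = datetime(2011, 5, 27, 12, 0)  # constructed "now" for the sample; use datetime.now() live

# "Mon May  2 09:15:01 2011": single-digit days are padded with a second space.
TIMESTAMP = r"[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}"
LINE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?P<host>\S*?)\s*(?P<login>" + TIMESTAMP + r")"
    r"(?:\s+-\s+(?P<logout>" + TIMESTAMP + r")"
    r"|\s+(?P<state>still logged in|gone - no logout|crash|down))"
)

def parse_timestamp(text):
    return datetime.strptime(re.sub(r"\s+", " ", text), "%a %b %d %H:%M:%S %Y")

def audit_sessions(last_output, account, now, days=30):
    """Return (count, total_seconds, sessions) for `account` logged in within `days` of `now`.
    Each session is (login, host, duration_seconds); duration is None if the end is unknown."""
    window_start = now - timedelta(days=days)
    sessions = []
    for line in last_output.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("user") != account:
            continue  # other accounts, blank lines and the 'wtmp begins' footer
        login = parse_timestamp(m.group("login"))
        if login < window_start:
            continue  # older than the audit window
        logout = None  # crash/down/'gone - no logout': logout time not recorded
        if m.group("logout"):
            logout = parse_timestamp(m.group("logout"))
        elif m.group("state") == "still logged in":
            logout = now  # open session: count the time accrued so far
        duration = (logout - login).total_seconds() if logout else None
        sessions.append((login, m.group("host"), duration))
    total = sum(d for _, _, d in sessions if d is not None)
    return len(sessions), total, sessions

if __name__ == "__main__":
    count, total, sessions = audit_sessions(SAMPLE_LAST_F, "vpnacct", AUDIT_NOW)
    print("%d sessions in the last 30 days, %.1f hours in total" % (count, total / 3600))
```

For a live audit, feed the function the real `last -F` output instead of the sample; `lastb -F` prints the same line layout, so the same parser counts failed attempts per account rather than the site-wide total Alan gets from `lastb | wc -l`.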