[Klug-general] Auditing SSH login sessions

Alan Buchel alan at communitytechnology.org.uk
Fri May 27 14:38:33 UTC 2011


lastb reveals failed login attempts. This is the output on one of our 
*younger* mailservers:

[root at zzero.org ~]# lastb |wc -l
1728705

Reminds one of the importance of secure ssh passwords; what are the 
chances of 1.7 million passwords matching one of yours?
There are good tricks with iptables to lock out IPs with x number of 
failed attempts, but I have noted that most attackers will simply switch 
the attack to another IP in the botnet as soon as your iptables starts 
dropping their packets. A good defence against brute-force remains to 
enforce ssh keys in /etc/ssh/sshd_config with:

PasswordAuthentication no
(BUT make sure your keys work before doing this or you get locked out of 
yer own server DOH!)

Simpler still, you can restrict the IPs that are allowed to use ssh by 
configuring your /etc/hosts.allow to restrict incoming connections; that 
seems to take the strain off iptables and avoid a mushrooming /var/log/*

On 27/05/11 12:40, James Morris wrote:
> On 27 May 2011 12:32, Alan at comm-tech<alan at communitytechnology.org.uk>  wrote:
>> last -a |grep accountname.
>>
>> On 27/05/11 11:59, Colin McCarthy wrote:
>>> Hi all, especially server peoples :)
>>>
>>> I need to audit SSH sessions against a specific account.   This account is
>>> used by a company that is connected to our network via a VPN.  I need to
>>> know how many times, when and for how long, they login within a 30 day
>>> period.
>