I'm having SSH2 login attempts in my auth.log on ports like 46580. This port should be blocked by my firewall. How are people even getting a chance to try and log in? I'm getting very frequent login attempts with things like admin admin and other common generic passwords. It's obvious somebody is trying to get in. How can I stop them? They are making around 10 attempts with a different IP every day.
If you don't need SSH on the server, simply stop SSH and don't load it on reboot.
    service sshd stop
    chkconfig sshd off
Will this howto also work with Ubuntu? I know they are both Debian-based, but some things on Deb don't always work with Ubuntu.
Thanks, I just installed it. Surprisingly, it was already in the repositories. I will be testing it and checking how well it works on my server.
You can also check this out! http://www.howtoforge.com/preventing_ssh_dictionary_attacks_with_denyhosts
Shortly after I set my servers up I noticed a bunch of network traffic and found the same things in the auth.log... After installing denyhosts all the hacking attempts came to a halt!
Fordwrench
I see the fail2ban howto mentions the denyhosts... I found the denyhosts howto first so that is what I used...
Fordwrench
Wow, it took a little bit but I got it to work. For Ubuntu all you have to do is install it with the default settings. The suggested script in the howto causes the program to have errors.
Step 1: apt-get install fail2ban
Step 2: Open up System Log Viewer
Step 3: Find /var/log/fail2ban.log
And watch the script kiddies get banned. Also, I changed the ban time to 5 days. My script kiddies I guess are more persistent than most. Thanks Till, I feel like my server is much more secure.
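
Added example, not part of any post in this thread and not fail2ban's own code: a small parser for the auth.log entries discussed above that flags an address once it reaches a failure threshold inside a time window, which is the idea fail2ban and denyhosts automate. In OpenSSH's "from <ip> port <n>" log text the number is the client's source port, not a listening port on the server. The log lines, host name, user names, addresses and the `year` default are constructed for the example; `maxretry` and `findtime` are named after the fail2ban options but the values here are illustrative.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the usual OpenSSH auth.log format (documentation IPs).
SAMPLE_LOG = """\
Mar  3 04:11:02 web sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 46580 ssh2
Mar  3 04:11:05 web sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 46612 ssh2
Mar  3 04:11:09 web sshd[2103]: Failed password for root from 203.0.113.7 port 46701 ssh2
Mar  3 04:12:40 web sshd[2110]: Failed password for invalid user test from 198.51.100.22 port 51234 ssh2
Mar  3 09:30:15 web sshd[2300]: Accepted password for till from 192.0.2.10 port 50022 ssh2
Mar  3 11:45:00 web sshd[2411]: Failed password for root from 203.0.113.7 port 39990 ssh2
"""

FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssshd\[\d+\]:\s"
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<sport>\d+) ssh2"
)

def parse_failures(text, year=2024):
    """Yield (timestamp, ip, user, client_source_port) for each failed login."""
    for line in text.splitlines():
        m = FAILED.match(line)
        if m:
            # Syslog timestamps carry no year, so one is assumed.
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"], int(m["sport"])

def ips_to_ban(text, maxretry=3, findtime=timedelta(minutes=10)):
    """Return IPs with at least `maxretry` failures inside any `findtime` window."""
    by_ip = defaultdict(list)
    for ts, ip, _user, _sport in parse_failures(text):
        by_ip[ip].append(ts)
    banned = set()
    for ip, stamps in by_ip.items():
        stamps.sort()
        # Slide a window of `maxretry` consecutive failures over the timeline.
        for i in range(len(stamps) - maxretry + 1):
            if stamps[i + maxretry - 1] - stamps[i] <= findtime:
                banned.add(ip)
                break
    return banned

if __name__ == "__main__":
    for ts, ip, user, sport in parse_failures(SAMPLE_LOG):
        print(ts, ip, user, f"client source port {sport}")
    print("would ban:", sorted(ips_to_ban(SAMPLE_LOG)))
```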