# Is this normal? I think I'm under attack...



## deltatux (Jun 21, 2010)

Hey guys,

I'm running a small SSH server at home. It's running FreeBSD 8.0p2 and I was just doing some routine maintenance when I spotted tons of these entries in my /var/log/messages file.





Is this normal or should I be concerned as a server admin? Can any server admins out there help me thwart these attacks? Do I need to contact my ISP?

I do have ipfw as my firewall and it is turned on.

Cheers,
deltatux


----------



## lme@ (Jun 21, 2010)

This is normal. Just a scripted ssh attack. Be sure to have strong passwords for your users, don't permit root login via ssh (/etc/ssh/sshd_config) or, better, disable password authentication altogether and only allow pubkey-based auth. You might also want to change the port sshd is listening on from 22 to something else.


----------



## SirDice (Jun 21, 2010)

Installing security/sshguard may help. Although in this case I doubt it. It seems they're using a distributed attack these days. Meaning every login failure will be from a different IP address.
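
SirDice's point about distributed attacks, shown as an added example that is not part of the original thread: the Python sketch below counts failed logins per source address over constructed log lines in OpenSSH's "Failed password" format and reports how many failures stay under a per-address block threshold. The sample log, the `summarize` function and the threshold of 3 are assumptions for illustration, not the actual settings of sshguard or Denyhosts.

```python
import re
from collections import Counter

# Constructed sample (documentation-range addresses), not the poster's log.
SAMPLE_LOG = """\
Jun 21 03:14:01 home sshd[4101]: Failed password for root from 198.51.100.7 port 40112 ssh2
Jun 21 03:14:03 home sshd[4103]: Failed password for root from 198.51.100.7 port 40118 ssh2
Jun 21 03:14:05 home sshd[4105]: Failed password for invalid user admin from 198.51.100.7 port 40125 ssh2
Jun 21 03:14:08 home sshd[4107]: Failed password for invalid user test from 198.51.100.7 port 40131 ssh2
Jun 21 04:02:11 home sshd[4210]: Failed password for invalid user oracle from 192.0.2.10 port 51200 ssh2
Jun 21 04:02:19 home sshd[4212]: Failed password for invalid user oracle from 192.0.2.44 port 38911 ssh2
Jun 21 04:02:27 home sshd[4214]: Failed password for invalid user oracle from 203.0.113.9 port 60002 ssh2
Jun 21 04:02:35 home sshd[4216]: Failed password for root from 203.0.113.80 port 45510 ssh2
Jun 21 04:02:43 home sshd[4218]: Failed password for root from 192.0.2.201 port 33007 ssh2
Jun 21 09:30:00 home sshd[4400]: Accepted publickey for alice from 192.0.2.50 port 50222 ssh2
"""

# Matches both "Failed password for root" and "Failed password for invalid user x".
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def summarize(log_text, per_ip_threshold=3):
    """Count failed logins per source and see what a per-IP threshold catches.

    per_ip_threshold is a hypothetical value chosen for this example.
    """
    per_ip, users = Counter(), Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            per_ip[m.group("ip")] += 1
            users[m.group("user")] += 1
    # Sources that a per-address blocker would act on.
    blocked = {ip for ip, n in per_ip.items() if n >= per_ip_threshold}
    # Failures from sources that never reach the threshold stay unblocked.
    missed = sum(n for ip, n in per_ip.items() if ip not in blocked)
    return {"total": sum(per_ip.values()), "sources": len(per_ip),
            "blocked": blocked, "missed": missed, "users": users}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

In the sample, the single noisy address is caught, while the five one-attempt sources account for more than half of the failures and never trip the threshold, which is why the replies also recommend key-only authentication.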


----------



## deltatux (Jun 22, 2010)

Thanks for the replies. Ever since I posted the original message, I have since changed my SSH port from the default 22 to something else.

I also installed something called Denyhosts. However, is SSHGuard better than Denyhosts, or are they just as effective?

Thanks,
deltatux


----------



## jalla (Jun 22, 2010)

FWIW I haven't seen a single attack for more than 6 months after changing to a non-default port number.
I still have denyhosts watching that port though, in case the stupid bastards start scanning a wider port range.


----------



## Monoecus (Jun 22, 2010)

A very effective way to reduce the amount of attacks for me was to tell my pfSense firewall to allow only 1-2 connections per 2 seconds or so. This way, the attackers usually gave up immediately and I ended up having about 5-10 attacks a day.
As mentioned previously of course, you should not use password authentication at all but only public key authentication and access to a specified list of users.


----------



## deltatux (Jun 24, 2010)

Monoecus said:

> A very effective way to reduce the amount of attacks for me was to tell my pfSense firewall to allow only 1-2 connections per 2 seconds or so. This way, the attackers usually gave up immediately and I ended up having about 5-10 attacks a day.
> As mentioned previously of course, you should not use password authentication at all but only public key authentication and access to a specified list of users.



How does this public key thingy work?

Thanks,
deltatux


----------



## kdemidofff (Jun 24, 2010)

Use PuTTY (or another ssh client) and ssh-keygen to generate keys, then edit sshd_config after you get the key working to disable password authentication.
Check Google for how to do this (you will probably need to convert keys using PuTTYgen).


----------



## deltatux (Jun 24, 2010)

kdemidofff said:

> Use PuTTY (or another ssh client) and ssh-keygen to generate keys, then edit sshd_config after you get the key working to disable password authentication.
> Check Google for how to do this (you will probably need to convert keys using PuTTYgen).



Then how do I log in using Filezilla and such? I also use SSH on different systems and I think if I use this keygen, the keys are different for each machine I use to access SSH...

Cheers,
deltatux


----------



## kdemidofff (Jun 24, 2010)

You will have 1 private key and 1 public key.
You will paste the public key into the server's .ssh/authorized_keys and use the private key (if you generate it on FreeBSD you need to convert it) inside PuTTY or PuTTY Pageant.


----------



## deltatux (Sep 11, 2010)

Sorry for raising this thread from the grave but how do I convert it and then tell PuTTY to use the private keys?

Also, how do I apply it to .ssh/authorized_keys?

Thanks,
deltatux


----------



## lme@ (Sep 11, 2010)

PuTTY has a keygen tool which can import OpenSSH keys.


----------



## deltatux (Sep 12, 2010)

There's only one putty.exe that's in my PuTTY folder. Sorry if I sound like a total noob but where's this keygen tool?

Thanks,
deltatux


----------



## DutchDaemon (Sep 12, 2010)

http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html


----------

