mrflash818 (mrflash818) wrote in debian,

sshd protection - advice desired

Following the SGVLUG presentation on ssh tricks, I set up an sshd server instance
on my Debian workstation, using public key auth, and was able to be
successful.

I made sure to disable root login, and any password login attempts by
modifying sshd_config.

In the hour I was testing the new wonder, I was also tail-ing my auth log.

To my chagrin, in the two times I tested, I had many attempts to access my
ssh:

Oct 18 01:59:55 pip sshd[26361]: Invalid user oracle from 197.112.2.4
Oct 18 02:00:02 pip sshd[26367]: Invalid user test from 197.112.2.4
Oct 18 02:08:34 pip sshd[26596]: Invalid user test from 197.112.2.4
Oct 18 02:08:42 pip sshd[26599]: Invalid user test from 197.112.2.4
Oct 18 03:12:02 pip sshd[27000]: Invalid user oracle from 111.87.108.120
Oct 18 03:12:09 pip sshd[27003]: Invalid user test from 111.87.108.120
...
Oct 18 10:48:01 pip sshd[27953]: Invalid user peter from 184.105.177.21
Oct 18 10:48:07 pip sshd[27956]: Invalid user peter from 184.105.177.21
Oct 18 10:48:13 pip sshd[27958]: Invalid user sergei from 184.105.177.21
Oct 18 10:48:19 pip sshd[27960]: User root from 184.105.177.21 not allowed because not listed in AllowUsers

So, I am hoping I could get advice or suggestions on what further
protections I could add (if any).
- I don't think static firewall rules would help, as I am hoping to ssh
into my box from anywhere
- I am guessing there is a way to have automation block or slow down
attempts if they begin to seem suspicious.

I am no sysadmin, but it looks like I am gonna have to learn some sysadmin-ish
stuff if I want to prevent my system from getting compromised. That, or admit I
am over my head, and abandon trying to be able to ssh into my box and do stuff
from the outside world.
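Added example (not from the post or its commenters): a minimal version of the automation the post asks about, run over the post's own auth.log lines. It flags a source once it reaches a threshold of failed logins inside a sliding time window, which is the idea tools such as fail2ban implement, and renders (but does not execute) one firewall rule per flagged source; the threshold, window and iptables rule shape are assumed values, not anything from the post.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# The post's own auth.log lines, used here as sample input (syslog timestamps carry no year).
SAMPLE_LOG = """\
Oct 18 01:59:55 pip sshd[26361]: Invalid user oracle from 197.112.2.4
Oct 18 02:00:02 pip sshd[26367]: Invalid user test from 197.112.2.4
Oct 18 02:08:34 pip sshd[26596]: Invalid user test from 197.112.2.4
Oct 18 02:08:42 pip sshd[26599]: Invalid user test from 197.112.2.4
Oct 18 03:12:02 pip sshd[27000]: Invalid user oracle from 111.87.108.120
Oct 18 03:12:09 pip sshd[27003]: Invalid user test from 111.87.108.120
Oct 18 10:48:01 pip sshd[27953]: Invalid user peter from 184.105.177.21
Oct 18 10:48:07 pip sshd[27956]: Invalid user peter from 184.105.177.21
Oct 18 10:48:13 pip sshd[27958]: Invalid user sergei from 184.105.177.21
Oct 18 10:48:19 pip sshd[27960]: User root from 184.105.177.21 not allowed because not listed in AllowUsers
"""

# Both failure shapes seen in the post: an unknown user, and a user rejected by AllowUsers.
FAILURE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Invalid user \S+ from (?P<ip1>[\d.]+)$"
    r"|User \S+ from (?P<ip2>[\d.]+) not allowed because)"
)

def find_suspicious(log_text, threshold=3, window_seconds=600):
    """Return {source_ip: datetime} for each source reaching `threshold` failed
    logins inside any `window_seconds` span. Lines are assumed chronological."""
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    flagged = {}
    for line in log_text.splitlines():
        m = FAILURE_RE.match(line)
        if not m:
            continue              # successful logins, disconnects, etc. are ignored
        ip = m.group("ip1") or m.group("ip2")
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # year defaults to 1900
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()           # drop failures that have aged out of the window
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts      # record the moment the source crossed the line
    return flagged

def block_rules(flagged, port=22):
    """Render one iptables DROP rule per flagged source (returned as text, not executed)."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP"
            for ip in sorted(flagged)]
```

With the defaults, find_suspicious(SAMPLE_LOG) flags 197.112.2.4 and 184.105.177.21 (three failures each within ten minutes) and leaves 111.87.108.120 alone; block_rules turns the result into commands to review before applying.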