View Full Version : Snort on Rimu / dBrute


di1b3rt
05-04-2005, 05:27 PM
Seems my ssh client is being brute forced from several places (stockholm, india, taiwan). So in addition to adding in the necessary precautions (keys for ssh, fw rules) I'm trying to install snort.

Currently the installer seems unhappy w/ pcre even though i have the pcreposix for whitebox installed. Anyone else get snort on the whitebox distro?

goopot
05-05-2005, 07:28 AM
Hello,

I've no info on using snort, but how did you spot the brute-force attack? What logs were you monitoring?

Dave.

di1b3rt
05-06-2005, 01:33 PM
I was looking into the ports on the system and noticed two connections open for sshd, mine and another (netstat -la). Did a top, no other shell had been spawned, did a last, nobody but me in the system as of late. Went to /var/log/secure and noticed a failed login attempt on sshd for tons of various users coming from stockholm w/ intermittent attempts to guess root.

I blocked that IP at the firewall, and another started up a little later from Taiwan. Same scenario, moved to India, etc.

I'll post some samples from the log file a little later if I remember.
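As an added example (not code from the thread), here is a small script that automates the check di1b3rt describes above: it scans sshd lines in the /var/log/secure format, counts failed password attempts per source address, and flags addresses that are cycling through many usernames. The log lines are constructed and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format sshd writes to /var/log/secure on
# Red Hat-style systems (not taken from the thread; addresses are RFC 5737
# documentation ranges).
SAMPLE_SECURE_LOG = """\
May  6 13:20:01 vps sshd[2311]: Failed password for invalid user test from 192.0.2.10 port 4242 ssh2
May  6 13:20:03 vps sshd[2313]: Failed password for invalid user guest from 192.0.2.10 port 4243 ssh2
May  6 13:20:05 vps sshd[2315]: Failed password for invalid user admin from 192.0.2.10 port 4244 ssh2
May  6 13:20:07 vps sshd[2317]: Failed password for root from 192.0.2.10 port 4245 ssh2
May  6 13:20:09 vps sshd[2319]: Failed password for invalid user oracle from 192.0.2.10 port 4246 ssh2
May  6 13:21:40 vps sshd[2330]: Accepted publickey for dilbert from 198.51.100.7 port 51022 ssh2
May  6 13:22:02 vps sshd[2335]: Failed password for dilbert from 198.51.100.7 port 51030 ssh2
"""

# Matches both "Failed password for invalid user NAME from IP" and
# "Failed password for NAME from IP" (existing account, e.g. root).
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def failed_logins_by_ip(log_text):
    """Return {ip: {"attempts": n, "users": set_of_usernames}} for failed logins."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set()})
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue
        entry = stats[m.group("ip")]
        entry["attempts"] += 1
        entry["users"].add(m.group("user"))
    return dict(stats)


def brute_force_sources(log_text, min_attempts=5, min_users=3):
    """IPs that look like password guessing: many failures spread over many usernames.

    A single user mistyping their own password (one user, few attempts) is not flagged.
    Thresholds are assumed defaults; tune them to your own traffic."""
    return sorted(
        ip for ip, s in failed_logins_by_ip(log_text).items()
        if s["attempts"] >= min_attempts and len(s["users"]) >= min_users
    )


if __name__ == "__main__":
    # Read the real file with open("/var/log/secure").read() instead of the sample.
    for ip in brute_force_sources(SAMPLE_SECURE_LOG):
        print("suspected brute force from", ip)
```

Flagged addresses are candidates for the firewall rule di1b3rt mentions, or for an abuse report to the ISP as suggested later in the thread.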

npf
05-07-2005, 01:50 PM
I checked secure file in /var/log and I noticed my VPS is being attacked too. I am sure if others check that they would notice attacks in their VPSes. I hope Rimu can give us a tool to block this sort of attack. I guess snort is one of these tools. Can someone give info on some of the tools that can be used and their success on Rimu VPSes.

retep
05-09-2005, 02:24 AM
There are many people and infected servers out there that will try to connect to your server via SSH. For them to be successful they will need to know your username and password.

If you have good, strong passwords on each of your user accounts there is little risk of being compromised.

Some users use public/private key authentication to connect to their servers. These users can even turn off passwords on their sshd server.

If you wish you can also report the IP of the machine trying to hack into your server to the responsible ISP. You can use http://whois.sc/ to determine who that is.

SpaceAdmiral
05-09-2005, 04:08 PM
I've been noticing this a lot lately too.

This might be really obvious, but: One of the first things I did was limit ssh connections to usernames that actually need ssh. I found that, for what I'm doing, I only really needed 3 usernames in my "allowed users" ssh list.

I wish I had static IPs at home, though, because I would feel much better limiting root connections to those IPs.

RedOut
05-09-2005, 09:15 PM
You can use LogWatch to send an email every night detailing suspicious log entries... I see the SSH attempts, spam relay attempts, etc that come through in this mail.