Handling hacking attempts
hezekiah
05-25-2005, 02:32 PM
I logged in to my VPS this morning to find that there were several (failed) login attempts from a single IP address. It looks like they were just using several common usernames (apache, root, sales, etc...) and blasting passwords at each.
Is there an official way to handle something like this? Should I just add them to hosts.deny, or are there further steps that would benefit others as well? I'm relatively new to running a server like this.
Thanks for any suggestions you can give. A quick search on Google only turned up links to specific ISP and hosting abuse report pages.
matta
05-25-2005, 03:54 PM
Here is a good thread regarding SSH hack attempts:
http://www.tektonic.net/forum/index.php/topic,126.0.html
I solved the problem by disabling password authentication altogether and only using public key authorization. The hackers can bang away at ssh all they want, but even if they manage to guess the right password, ssh still won't let them in. :D
Make sure these options are in your sshd_config file to turn off password auth...
PasswordAuthentication no
ChallengeResponseAuthentication no
I leave UsePAM set to yes, but you can change it to no if you don't want to have ssh use pam for anything.
hezekiah
05-26-2005, 03:07 AM
Thanks for the link matta, very helpful.
devnu11
05-26-2005, 02:34 PM
Isn't there a program that will log these attempts, look up the ISP and email the log with the IPs to the abuse email of the ISP? I know it's basically pointless but in my opinion 1 in 1000 with an action is worth it as it is automatically generated. Anyone know the name of the application?
brett
05-26-2005, 08:29 PM
Quote (devnu11): Isn't there a program that will log these attempts, look up the ISP and email the log with the IPs to the abuse email of the ISP? I know it's basically pointless but in my opinion 1 in 1000 with an action is worth it as it is automatically generated. Anyone know the name of the application?
I'm not sure that'd be such a good idea because most of these machines are probably zombies, and so emailing the ISP won't help much. Or they could be spoofed IP addresses...
Following the suggestions in the link is a good idea...especially the bits about disabling root, and creating a whitelist of users to allow.
An option they skipped over was setting the MaxStartups to use "random early drop." From man pages:
MaxStartups
Alternatively, random early drop can be enabled by specifying the three colon separated values ``start:rate:full'' (e.g., "10:30:60"). sshd will refuse connection attempts with a probability of ``rate/100'' (30%) if there are currently ``start'' (10) unauthenticated connections. The probability increases linearly and all connection attempts are refused if the number of unauthenticated connections reaches ``full'' (60).
I have mine at 5:15:30, and it greatly reduces the amount of time a hostile bot can pound the system...It doesn't do much for how many actual bots I'm getting, but it won't allow them to hit me as long...
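Putting matta's sshd_config options and brett's MaxStartups setting together with the log pattern hezekiah described, as an added example that is not from the thread: a POSIX shell script that counts failed password attempts per source IP, lists the usernames each one tried, and checks an sshd_config for the three settings. The log lines are constructed, and the threshold of 3 and the file paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). The auth log lines below are constructed
# in the format sshd writes to /var/log/auth.log or /var/log/secure.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
May 25 03:12:01 vps sshd[2011]: Failed password for invalid user apache from 203.0.113.7 port 40122 ssh2
May 25 03:12:03 vps sshd[2011]: Failed password for root from 203.0.113.7 port 40125 ssh2
May 25 03:12:05 vps sshd[2014]: Failed password for invalid user sales from 203.0.113.7 port 40131 ssh2
May 25 03:12:07 vps sshd[2016]: Failed password for invalid user test from 203.0.113.7 port 40140 ssh2
May 25 08:40:10 vps sshd[2301]: Failed password for hezekiah from 198.51.100.4 port 51022 ssh2
May 25 08:40:20 vps sshd[2303]: Accepted publickey for hezekiah from 198.51.100.4 port 51030 ssh2
EOF

# Print "count ip" for every source IP with at least $2 failed password attempts.
# A single legitimate typo stays below the threshold; a username sweep does not.
failed_by_ip() {
    grep 'sshd\[[0-9]*\]: Failed password' "$1" |
        sed -n 's/.* from \([0-9.]*\) port .*/\1/p' |
        sort | uniq -c | awk -v min="$2" '$1 >= min { print $1, $2 }'
}

# List the distinct usernames that IP $2 tried, space separated.
users_tried() {
    grep "Failed password for .* from $2 port" "$1" |
        sed -n 's/.*Failed password for \(invalid user \)\{0,1\}\([^ ]*\) from.*/\2/p' |
        sort -u | xargs
}

# Return 0 only if sshd_config $1 has uncommented lines turning off password
# authentication (matta's two options) and a MaxStartups start:rate:full value
# (brett's random early drop). Commented-out defaults do not count.
check_sshd_config() {
    grep -Eq '^[[:space:]]*PasswordAuthentication[[:space:]]+no' "$1" &&
    grep -Eq '^[[:space:]]*ChallengeResponseAuthentication[[:space:]]+no' "$1" &&
    grep -Eq '^[[:space:]]*MaxStartups[[:space:]]+[0-9]+:[0-9]+:[0-9]+' "$1"
}

failed_by_ip "$SAMPLE_LOG" 3 | while read -r count ip; do
    echo "$ip: $count failed attempts, users tried: $(users_tried "$SAMPLE_LOG" "$ip")"
done

if check_sshd_config /etc/ssh/sshd_config 2>/dev/null; then
    echo "sshd_config: password auth off, MaxStartups random early drop set"
else
    echo "sshd_config: missing one of PasswordAuthentication no / ChallengeResponseAuthentication no / MaxStartups a:b:c"
fi
```

Point `failed_by_ip` at the real log to get the per-IP summary for a host; the config check reads only uncommented directives, so the shipped `#PasswordAuthentication yes` line does not satisfy it.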
devnu11
05-27-2005, 06:45 PM
I was a little off on my explanation of emailing the ISP in my above post. I did some research where I originally read the thread months ago and found what I was referring to was APF and BFD from efxnetworks. It's a firewall and brute force detector that work together to secure your system. It will email you and let you know there was an attack or security breach attempt and will automatically make adjustments in the firewall to protect against and block the attacker. There is also an antidos plugin for ddos attacks. It looks like something I'm going to try out.
brett
05-27-2005, 10:56 PM
For those wondering, these programs live here (http://rfxnetworks.net/proj.php)...
If you do try this out, let me know how it goes. I've been using logcheck to email any anomalies in my system logs since the beginning, but have been going back and forth about automatic blocking scripts for various reasons--spoofed IP addresses, false positives, fake sense of security, etc etc...
Advice: Don't forget to make sure you can still access your machine!
vBulletin v3.0.6, Copyright ©2000-2008, Jelsoft Enterprises Ltd.