When I logged into one of my server instances on DigitalOcean via ssh, I was shocked to discover there had been almost half a million unsuccessful login attempts. That was definitely a cracking attempt in progress. And I must confess my setup was not the strongest. So here are the remedy options:
Just in case: make sure you have a non-ssh way of accessing your server console. DigitalOcean provides its own console for each Droplet. To get there: click on your Droplet, then Access, then the big green button "Launch Console". Once you can reach your box via the non-ssh console (aka VNC), you are free to experiment, because you no longer depend on ssh as your only life-line.
Now, from the VNC terminal, logged in as root, you may stop sshd; an attacker cannot brute-force a service that is not running:
sudo service sshd stop - DO NOT RUN THIS COMMAND UNLESS YOU HAVE NON-SSH ACCESS.
If the attack targets a particular user name, disable password access for that user, make it key-only, and limit the number of access attempts.
Better yet, create a new user with a less trivial name for future access, so it has less chance of being in the attacker's dictionary.
Edit the sshd config (/etc/ssh/sshd_config) as necessary.
To slow them down you may also throttle auth requests in the firewall, e.g. with iptables. In the sample below, a source that opens four new connections to port 22 within 120 seconds is sent to the SSHATTACK chain and dropped:
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-N SSHATTACK
-A SSHATTACK -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --dport 80 --state NEW -m tcp -j ACCEPT
-A INPUT -p tcp -m state --dport 22 --state NEW -m recent --set
-A INPUT -p tcp -m state --dport 22 --state NEW -m recent --update --seconds 120 --hitcount 4 -j SSHATTACK
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
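As an added example (not part of the original post), here is the detection side of the same threshold: a Python script that replays sshd log lines in CentOS 7 /var/log/secure format and flags sources that would have been sent to SSHATTACK, i.e. four failed logins within a sliding 120-second window. The hostname, addresses and log lines are constructed; note that a source pacing its attempts slower than the window, like the second address, is never dropped by this rule, which is why the key-only login change above matters more than the throttle.

```python
"""Flag SSH brute-force sources in sshd logs using the iptables rule's 4-in-120s window."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in CentOS 7 /var/log/secure format; hostname and
# addresses (RFC 5737 documentation ranges) are made up for this example.
SAMPLE_LOG = """\
Jan 30 10:15:01 droplet sshd[2101]: Failed password for root from 198.51.100.23 port 51234 ssh2
Jan 30 10:15:03 droplet sshd[2101]: Failed password for root from 198.51.100.23 port 51236 ssh2
Jan 30 10:15:04 droplet sshd[2103]: Failed password for invalid user admin from 203.0.113.9 port 40001 ssh2
Jan 30 10:15:06 droplet sshd[2104]: Failed password for root from 198.51.100.23 port 51240 ssh2
Jan 30 10:15:09 droplet sshd[2105]: Accepted publickey for deploy from 192.0.2.44 port 60000 ssh2
Jan 30 10:15:10 droplet sshd[2106]: Failed password for root from 198.51.100.23 port 51244 ssh2
Jan 30 10:20:00 droplet sshd[2107]: Failed password for invalid user admin from 203.0.113.9 port 40002 ssh2
Jan 30 10:20:01 droplet sshd[2108]: Failed password for invalid user test from 203.0.113.9 port 40003 ssh2
Jan 30 10:20:02 droplet sshd[2109]: Failed password for invalid user test from 203.0.113.9 port 40004 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_failures(log_text, year=2017):
    """Yield (timestamp, ip, user) for every failed-password line.
    syslog timestamps carry no year, so the caller supplies one."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
            yield ts, m["ip"], m["user"]

def brute_force_sources(log_text, seconds=120, hitcount=4):
    """Return {ip: timestamp of the first attempt the firewall rule would drop}
    for each source with `hitcount` failures inside a sliding `seconds` window,
    mirroring `-m recent --update --seconds 120 --hitcount 4`."""
    windows = defaultdict(deque)
    flagged = {}
    for ts, ip, _user in parse_failures(log_text):
        window = windows[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > seconds:  # expire old hits
            window.popleft()
        if len(window) >= hitcount and ip not in flagged:
            flagged[ip] = ts
    return flagged

if __name__ == "__main__":
    for ip, when in brute_force_sources(SAMPLE_LOG).items():
        print(f"{ip}: {4} failures within 120 s, dropped from {when:%H:%M:%S}")
```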
Useful links:
- http://serverfault.com/questions/275669/ssh-sshd-how-do-i-set-max-login-attempts
- http://serverfault.com/questions/470287/how-to-enable-iptables-instead-of-firewalld-services-on-rhel-7-and-fedora-18
Views: 856 | Added by: ep | Date: 2017-01-30
I have a CentOS 7.0 iso set as the CD/DVD in VMware, and wanted to use the image as the source for installing rpms on my VMware instance. It turned out to be quite easy:
- Even though the iso is used as the CD/DVD in the virtual machine and is "inserted", you still have to mount it on the CentOS side:
sudo mount -t iso9660 /dev/sr0 /mnt
- Now create a repo file in /etc/yum.repos.d/, e.g. sudo vi /etc/yum.repos.d/CentOS-Media.repo:
[CentOS-Media]
name=CentOS-Media
baseurl=file:///mnt/
enabled=1
# keep package signature verification on, using the CentOS 7 key shipped on the system
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
- You may have to clean all the caches to make sure the new repo is picked up properly:
sudo yum clean all
That is pretty much it; yum should now be able to use your "CD/DVD" iso just like the other repositories.
Views: 934 | Added by: ep | Date: 2017-01-29