Originally Posted by Vector
Yeahhhhh.... that would have been me, and that's not something I normally do. Lesson learned.
Not that I haven't done things considerably dumber, but you need a good beat-down for that one.
I know, I see this all the time in my server logs. But afaik a successful dictionary attack IS a hack, technically speaking?
What I typically see is that a script kiddie will try 15 or 30 easy passwords for a few obvious accounts like root. Maybe you saw a more tenacious hacker, but the security log also shows the number of failed tries.
I'll have to look into that; that's new to me.
Dead easy: just add this to /etc/ssh/sshd_config, then restart the sshd service.
Then vector and stevea are the ONLY users able to ssh authenticate. Every script kiddie knows there is a root and a bin account, but they won't spend hours trying non-obvious names. NEVER put on that list the name of anyone likely to set a simplistic passwd. If you need root, then log in as vector and use "su -" or sudo. Use this in addition to key-only logins, and the "password too simple" problem disappears.
Originally Posted by pete_1967
Since stevea already mentioned key-based authentication, no need to repeat that, just to make one thing clear: denying root logins does not prevent a user from logging in to the system as root, it only prevents a user from logging in as root via ssh (ssh root@domain). If they guess a user password, they can log in as usual and then start cracking root's password on the machine itself. Makes it a bit harder but far from impossible to get root access.
There are lots of tutorials on setting up ssh key based authentication:
*AFTER* you have key-based authentication working, do this to the server sshd_config:
If you do that then opening port 22 won't even give you a login prompt. No one will guess your 2048-bit key in less than a million years.
If you want extra security, set up host-based authentication so the system will only recognize attempts to log in from well-known hosts (you have to copy the client host public key (not the user key) to the server). That takes more work, though.
There is also something called single packet authentication - (unrelated to ssh). I can't explain how here - but the point is you can firewall all ports except the magic-packet UDP port. If the server receives the "magic packet" then it opens port 22 for a few minutes, and you have a short window to ssh in by key.
The magic packet is typically a shared-key encrypted message with a time stamp - so this prevents replay attempts. Your magic packet is only good for a few seconds.
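An added example, not a snippet from any poster in the thread: a small Python audit of an sshd_config for the settings recommended above (password logins off, no root over ssh, an AllowUsers list). It assumes OpenSSH's keyword semantics (the first value read for a keyword wins and later duplicates are ignored; everything below a Match line is conditional) and uses constructed sample configs; the user names vector and stevea come from the thread.

```python
"""Audit the global section of an sshd_config for what the thread recommends:
no password logins, no root over ssh, an AllowUsers list. sshd keeps the FIRST
value it reads for a keyword (later duplicates are ignored) and everything below
a 'Match' line is conditional, so a plain grep can give a false all-clear."""

# Values OpenSSH applies when the keyword is absent from the file.
DEFAULTS = {"passwordauthentication": "yes", "kbdinteractiveauthentication": "yes",
            "permitrootlogin": "prohibit-password"}
# Older spelling of the keyboard-interactive (PAM) switch.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

def parse_global(config_text):
    """Return ({keyword: first value}, saw_match) for the global section.
    Keywords are case-insensitive; 'key value' and 'key=value' both work."""
    settings, saw_match = {}, False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":
            saw_match = True
            break                                     # the rest is conditional
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings, saw_match

def audit(config_text):
    """Return a list of findings; an empty list means the global section is as recommended."""
    settings, saw_match = parse_global(config_text)
    get = lambda k: settings.get(k, DEFAULTS.get(k, "")).lower()
    findings = []
    if get("passwordauthentication") != "no":
        findings.append("PasswordAuthentication not 'no': passwords can still be guessed")
    if get("kbdinteractiveauthentication") != "no":
        findings.append("KbdInteractiveAuthentication not 'no': PAM can still prompt for a password")
    if get("permitrootlogin") != "no":
        findings.append("PermitRootLogin not 'no': log in as a named user and use su/sudo instead")
    if not settings.get("allowusers", "").split():
        findings.append("no AllowUsers: every local account is a valid ssh login name")
    if saw_match:
        findings.append("Match block present: its conditional overrides were not checked")
    return findings

# Constructed samples, not taken from any real host.
WEAK = ("PermitRootLogin yes\nPasswordAuthentication yes\n"
        "PasswordAuthentication no   # added later; sshd already took 'yes' above\n")
HARDENED = ("PubkeyAuthentication yes\nPasswordAuthentication no\n"
            "ChallengeResponseAuthentication no\nPermitRootLogin no\nAllowUsers vector stevea\n")
```

Run `audit(open("/etc/ssh/sshd_config").read())` on a real file; anything it returns is a setting to revisit, and a Match finding means the conditional blocks still need a manual read.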