
Thread: what to do when attacked

  1. #1
    Senior Member tim
    Join Date
    Jan 2003
    Location
    WA/ND/CA
    Posts
    177

    what to do when attacked

    I'm in another state working, away from my home farm. I've got my hardware firewall at home set up to let ssh queries be routed to one machine, from that one I can check on the progress of the whole farm, kill and restart processes, reboot, whatever I need to do to tend the farm.

    I browsed the auth.log file on my ssh server machine and found tons of attempts at access, with lists of usernames and root with them having no luck. I don't know much about security, other than don't use telnet and have secure passwords. Other than disable ssh access, is there anything I can do to stop this? I'm not too worried about them guessing my passwords, but isn't it eating up cpu cycles to answer constant access queries?

  2. #2
    Administrator Bok
    Join Date
    Oct 2003
    Location
    Wake Forest, North Carolina, United States
    Posts
    24,466
    Blog Entries
    13
    Only thing you can do is block the ip address on your firewall.

    I do exactly the same thing (except my firewall is an OpenBSD box) and I get those attacks all the time.

    Bok

  3. #3
    Senior Member tim
    Join Date
    Jan 2003
    Location
    WA/ND/CA
    Posts
    177
    Sounds like having your firewall as a box gives you more flexibility. I don't think my hardware one has it in the firmware.

    In auth.log, it gives the ip for the failed attempt at access as my own ip on the internet. Maybe that's because it comes through my router/firewall? The firewall itself will log some things like http attempts or ip spoofing, but not ssh accesses. Is there a log file that has the ip of the attempted access?

  4. #4
    Senior Member tim
    Join Date
    Jan 2003
    Location
    WA/ND/CA
    Posts
    177
    I found a good thread,
    http://www.linuxquestions.org/questi...5&pagenumber=1
    and one thing I got out of it was to turn off root access to ssh by going to /etc/ssh/sshd_config and setting PermitRootLogin no. I also put LoginGraceTime to 10 instead of 120 (maybe that doesn't matter), put AllowUsers to just me, and changed the LogLevel to VERBOSE. That might help get more info on the culprits. More than that I didn't understand much. It was a good thread. What they were describing is exactly what I'm seeing, even though the thread was more than a year old.
    Last edited by tim; 10-24-2004 at 11:04 PM.
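The step the thread circles around in #2 and #3, pulling the source addresses of failed sshd logins out of auth.log so they can be blocked at the firewall, as an added example that is not from the thread. The log lines are constructed in the standard sshd auth.log format, and the failure threshold is an assumed value; with LogLevel VERBOSE sshd writes additional lines, but the "Failed password" lines parsed here keep the same shape.

```python
import re
from collections import Counter

# Constructed sample auth.log excerpt (not from the thread); documentation IPs.
SAMPLE_AUTH_LOG = """\
Oct 24 22:51:01 farm sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 4122 ssh2
Oct 24 22:51:04 farm sshd[2103]: Failed password for invalid user test from 203.0.113.7 port 4130 ssh2
Oct 24 22:51:08 farm sshd[2105]: Failed password for root from 203.0.113.7 port 4137 ssh2
Oct 24 22:52:15 farm sshd[2110]: Failed password for invalid user guest from 198.51.100.23 port 51022 ssh2
Oct 24 22:53:40 farm sshd[2114]: Accepted publickey for tim from 192.0.2.10 port 40210 ssh2
"""

# Matches the sshd failure line; "invalid user " is present when the account
# does not exist, absent when it does (e.g. root with a wrong password).
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed (?:password|publickey) for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def failed_logins(log_text):
    """Yield (user, source_ip, account_is_invalid) for each failed login line."""
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group("user"), m.group("ip"), m.group("invalid") is not None


def failures_by_ip(log_text):
    """Count failed attempts per source address; successful logins are ignored."""
    return Counter(ip for _, ip, _ in failed_logins(log_text))


def candidate_blocks(log_text, threshold=3):
    """Addresses at or above the threshold (assumed value): what you would feed
    to a firewall deny rule after checking none of them is your own."""
    return sorted(ip for ip, n in failures_by_ip(log_text).items() if n >= threshold)


if __name__ == "__main__":
    # Real use: open("/var/log/auth.log").read() instead of the sample text.
    for ip, n in failures_by_ip(SAMPLE_AUTH_LOG).most_common():
        print(f"{ip}\t{n} failed attempts")
    print("block candidates:", candidate_blocks(SAMPLE_AUTH_LOG))
```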
