Checking for SSH dictionary attacks.
If you’ve got SSH open to the outside Internet, you’ve probably been attacked multiple times (even without your knowledge) by Bad People attempting to hack your box via SSH. On 10.4.9, the log that records the attempts is /var/log/secure.log. The command to poll the log for the attack is:
sudo grep 'failed to auth' /var/log/secure.log | sed 's/^.* user \(.*\)\.$/\1/' | sort | uniq -c | sort -nr
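The same pipeline, as an added example that is not from the original post, wrapped in functions so it can be run against any saved copy of secure.log, plus a check of which guessed names are real local accounts on the box (the sample log lines are constructed in the 10.4 style the sed pattern expects, not real data):

```shell
#!/bin/sh
# Added example (not from the original post): the post's grep/sed/sort/uniq
# pipeline wrapped in functions so it can be run against any saved copy of
# secure.log, plus a check of which guessed names are real accounts here.

# Print "COUNT NAME" for every account name that failed to authenticate,
# most frequent first. Assumes the 10.4-style line ending " user NAME."
count_failed_auth() {
    grep 'failed to auth' "$1" \
        | sed 's/^.* user \(.*\)\.$/\1/' \
        | sort | uniq -c | sort -nr
}

# For each attempted name, report whether it exists as a local account;
# names that are both guessed and real are the ones that need strong passwords.
report_existing_accounts() {
    count_failed_auth "$1" | while read -r count name; do
        if id "$name" >/dev/null 2>&1; then
            echo "$count $name EXISTS"
        else
            echo "$count $name no-such-account"
        fi
    done
}

# Write a constructed sample in the secure.log style the post's sed pattern
# expects and print its path. These lines are made up, not real log data.
make_sample() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Mar 10 02:11:04 mac com.apple.SecurityServer: authinternal failed to authenticate user root.
Mar 10 02:11:09 mac com.apple.SecurityServer: authinternal failed to authenticate user root.
Mar 10 02:11:15 mac com.apple.SecurityServer: authinternal failed to authenticate user test.
Mar 10 02:11:22 mac com.apple.SecurityServer: authinternal failed to authenticate user admin.
Mar 10 02:11:30 mac com.apple.SecurityServer: authinternal failed to authenticate user root.
Mar 10 02:12:01 mac sshd[412]: Accepted password for alice from 192.0.2.10 port 50112 ssh2
EOF
    echo "$f"
}

# Stand-alone demo: run both reports against the constructed sample.
sample=$(make_sample)
count_failed_auth "$sample"
report_existing_accounts "$sample"
rm -f "$sample"
```

To use it on a real machine, pass /var/log/secure.log (with sudo) instead of the sample path.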
I won’t go into the details, but here are the lessons from my own server’s scan:
1. Use good passwords for your accounts. At least seven characters and toss in some numbers or symbols.
2. Disable access to root via SSH (disabling the root account would be even better).
3. Don’t give names such as “test” or “test3” to your accounts. If you do, make sure the account password is really good.
4. If you’re on OS X Server, name your admin account something other than “admin”. If you must use “admin”, set access restrictions on SSH so that only non-admin accounts are accessible via SSH. You can always use su to change to the admin account once you’ve logged in.
Do I follow the four rules I just mentioned? Yep. Have I been hacked via SSH? Not yet, or at least not that I’m aware of.