
Checking for SSH dictionary attacks.

If you have SSH open to the Internet, your machine has almost certainly been hit by automated dictionary attacks: scripts that try common user names and passwords over and over, usually without you ever noticing. On Mac OS X 10.4.9 the failed attempts are recorded in /var/log/secure.log, which is readable only by root (hence the sudo). This command lists the user names that were tried, with the number of failures for each, most-attacked first:

sudo grep "failed to auth" /var/log/secure.log | sed "s/^.* user \(.*\)\.$/\1/" | sort | uniq -c | sort -nr
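The same pipeline, as an added example that is not part of the original post, wrapped in shell functions and run over a few constructed secure.log lines so it can be tried offline. The exact wording of the log lines is an assumption (it only matters that a failure line contains "failed to auth" and ends with "user NAME."); the host name, PIDs and addresses are made up.

```shell
#!/bin/sh
# Added example: the post's grep/sed/sort/uniq pipeline as reusable functions.
# SAMPLE_LOG is a constructed stand-in for /var/log/secure.log, not a real capture.
SAMPLE_LOG='Mar 14 03:12:01 myhost sshd[4021]: error: PAM: failed to authenticate user root.
Mar 14 03:12:04 myhost sshd[4023]: error: PAM: failed to authenticate user admin.
Mar 14 03:12:06 myhost sshd[4025]: error: PAM: failed to authenticate user test.
Mar 14 03:12:09 myhost sshd[4027]: error: PAM: failed to authenticate user root.
Mar 14 03:12:11 myhost sshd[4029]: error: PAM: failed to authenticate user root.
Mar 14 03:12:15 myhost sshd[4031]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2
Mar 14 03:12:20 myhost sshd[4033]: error: PAM: failed to authenticate user test3.'

# Count failed SSH logins per user name, most-attacked first.
# Reads log text on stdin. Output lines look like "   3 root".
# Note the grep is case-sensitive and the sed only strips lines that end in
# "user NAME."; a failure line in another shape passes through unchanged,
# so adjust the patterns if your sshd logs differently.
failed_logins_by_user() {
    grep "failed to auth" | sed "s/^.* user \(.*\)\.$/\1/" | sort | uniq -c | sort -nr
}

# The single most-targeted user name (second field of the top line), or
# nothing at all if the log holds no failures.
top_attacked_user() {
    failed_logins_by_user | head -n 1 | awk '{print $2}'
}

# Run against the live log. sudo is applied only to the reader, so the rest
# of the pipeline runs as the ordinary user.
poll_secure_log() {
    sudo cat /var/log/secure.log | failed_logins_by_user
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | failed_logins_by_user
```

Only the current log file is read; rotated copies (/var/log/secure.log.0.gz and so on) are not searched, so for a longer history feed those through zcat into failed_logins_by_user as well.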

I won't go into the details, but here are the lessons from my own server's scan:

1. Use good passwords for all of your accounts: at least seven characters, with some numbers or symbols mixed in, and longer is better.
2. Disable root logins over SSH (PermitRootLogin no in sshd_config). Disabling the root account altogether is better still.
3. Don't give accounts names such as "test" or "test3"; those names are in the attackers' dictionaries. If you must, make sure the account's password is really strong.
4. If you're on OS X Server, name your admin account something other than "admin". If you must use "admin", restrict SSH access so that only non-admin accounts can log in over SSH; once you've logged in as a normal user you can always su to the admin account.
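Lessons 2 and 4 as sshd_config settings, shown as an added example that is not part of the original post. Both config fragments below are constructed: the first has the permissive settings the lessons warn about, the second the hardened ones. AllowGroups is sshd's own way of limiting who may log in, used here in place of the Server Admin access restriction the post refers to; the group name "sshusers" is an assumption. The audit function reads a config on stdin and prints one line per problem it finds, nothing when the config passes.

```shell
#!/bin/sh
# Added example: weak vs hardened sshd_config settings, plus a small audit.

# Constructed example of the permissive settings to move away from.
WEAK_CONFIG='# constructed example: permissive settings
PermitRootLogin yes
PasswordAuthentication yes'

# Constructed example of the hardened settings.
HARDENED_CONFIG='# constructed example: hardened settings
# Lesson 2: no root logins over SSH at all.
PermitRootLogin no
# Lesson 4: only members of one group may log in over SSH. "sshusers" is an
# assumed group name; the admin account is deliberately not a member, so you
# log in as an ordinary user and su to admin afterwards.
AllowGroups sshusers
# Passwords are still accepted here, so lesson 1 (strong passwords) still applies.
PasswordAuthentication yes'

# Report settings that lessons 2 and 4 would flag. Reads sshd_config text on
# stdin. Comment and blank lines are skipped; keywords are matched
# case-insensitively, as sshd itself treats them.
audit_sshd_config() {
    awk '
        /^[ \t]*(#|$)/ { next }
        { key = tolower($1); val = tolower($2) }
        key == "permitrootlogin" {
            seen_prl = 1
            if (val != "no") print "PermitRootLogin is \"" $2 "\"; set it to no"
        }
        key == "allowusers" || key == "allowgroups" { restricted = 1 }
        END {
            if (!seen_prl) print "PermitRootLogin not set explicitly; set it to no rather than relying on the default"
            if (!restricted) print "no AllowUsers/AllowGroups; every local account is reachable over SSH"
        }'
}

# Stand-alone demonstration: the weak config yields findings, the hardened one none.
echo "weak config:";     printf '%s\n' "$WEAK_CONFIG"     | audit_sshd_config
echo "hardened config:"; printf '%s\n' "$HARDENED_CONFIG" | audit_sshd_config
```

After editing your real sshd_config (its path varies by OS X release), run sudo sshd -t to check the syntax, then open a second SSH session to confirm you can still get in before closing the one you are editing from.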

Do I follow the four rules I just mentioned? Yep. Have I been hacked via SSH? Not yet, or at least not that I’m aware of.
