Weird. I was checking the var/log/messages and I found several attempts of this address to log in via SSH: 221x250x182x163.ap221.ftth.ucom.ne.jp
It seems like he failed. Should I worry? How can I ban this address from accessing anything on my VPS?
This is a discussion on Some japanese dude is trying to gain access to my VPS in the Open Discussion & Chit-chat forum
You might want to start looking into the following:
/etc/hosts.allow
/etc/hosts.deny
or their similar analogue.
I won't define it explicitly because I don't want to be responsible for mucking up your server if you accidentally open things up or lock yourself out.
My firewall is pretty secure (using these in a Redhat linux port) and could give you some pointers.
Basically, these are ASCII files with various restrictions defined on each line. Something like this in /etc/hosts.deny:
Code:
ALL : ALL
and in /etc/hosts.allow:
Code:
sshd : ALL
ALL : localhost
ALL : 192.168.0.0/255.255.255.0
Obviously, this is a setup for a firewall with remote secure shell access, but you can see the format. You'd probably make a setting for sshd or similar service by allowing your localhost, its netblock at Jaguar, and your remote home address (or remote home ISP netblock) only to the exclusion of everyone else. Alternately, you could explicitly deny the offending address and leave the sshd daemon a bit more open. Without knowing the OS distribution, I can't offer more than this, and I'm probably giving you bad advice anyway. I'm just suggesting you browse the /etc directory for configuration files that look similar and then read up on security tips from your core distribution.
Disclosure - I am not a certified sysadmin (IANACSa)
Hi, thanks for the pointers. For the record, the VPS is running CentOS.
I was thinking about this during the day and I guess I would really want to set up a white list based on MAC Addresses or something similar. The problem is that I don't want to lock out the techies from Pakistan either.
Since the only people who need shell access are me and the tech support guys, leaving everyone else out would make it pretty secure.
I'm going to look into those files that you mentioned but probably won't change anything yet because I don't want to lock myself out, like you said.
Thanks!
Just a few notes from another IANACSa:
/etc/hosts.deny and /etc/hosts.allow files have nothing to do with the firewall. They contain access control information that is enforced by tcp-wrappers. That is, if a service is made available through the Internet Superserver (inetd or xinetd, depending on your OS), it will obey these access control rules. If it's a stand-alone program running as a daemon, it might ignore these files altogether.
Another difference is that changing the access control files shouldn't lock you out, because such checks are performed only once, when the connection is established (vs. checking each IP packet, as firewalls do). So you won't lose your existing SSH connections.
Lastly, if you want to make sure that you never lock yourself out, here is a tip:
back up the files you are about to edit, create a script that restores these files from the backup, add a reboot command at the end of that script, and set it up to be executed by cron in 15 minutes. Now you have 15 minutes to make whatever changes you want. If all goes well, you just remove that cron entry when you are done. If you lock yourself out, whatever changes you made will be reverted in 15 minutes!
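A concrete version of that safety net, added here as an example and not posted in the thread: the function names, the backup location and the "# lockout-safety-net" tag are my own choices, and schedule_restore assumes GNU date (as shipped on CentOS).

```shell
#!/bin/sh
# Added example (not from the thread): a lockout safety net around editing
# /etc/hosts.allow and /etc/hosts.deny. Snapshot the files, write a restore
# script, and schedule it from cron N minutes ahead. If the edit locks you
# out, the originals come back by themselves; if not, cancel the job.
# Function names and the "# lockout-safety-net" tag are my own choices.
set -u

# snapshot_files BACKUP_DIR POST_CMD FILE...
# Copies each FILE into BACKUP_DIR (mode preserved) and writes
# BACKUP_DIR/restore.sh, which copies them back and then runs POST_CMD
# (the thread suggests "reboot"; pass ":" to do nothing). Prints the
# path of the restore script.
snapshot_files() {
    backup_dir=$1; post_cmd=$2; shift 2
    mkdir -p "$backup_dir"
    restore="$backup_dir/restore.sh"
    printf '#!/bin/sh\nset -e\n' > "$restore"
    for f in "$@"; do
        saved="$backup_dir/$(basename "$f")"
        cp -p "$f" "$saved"
        printf "cp -p '%s' '%s'\n" "$saved" "$f" >> "$restore"
    done
    printf '%s\n' "$post_cmd" >> "$restore"
    chmod 700 "$restore"
    printf '%s\n' "$restore"
}

# schedule_restore RESTORE_SCRIPT MINUTES
# Adds a crontab line for the current user (root, for /etc files) that runs
# RESTORE_SCRIPT at now + MINUTES. Assumes GNU date, as shipped on CentOS.
schedule_restore() {
    when=$(date -d "+$2 minutes" '+%M %H %d %m *')
    { crontab -l 2>/dev/null; printf '%s %s # lockout-safety-net\n' "$when" "$1"; } | crontab -
}

# cancel_restore: once a NEW ssh login has been confirmed to work, drop the line.
cancel_restore() {
    crontab -l 2>/dev/null | grep -v '# lockout-safety-net' | crontab -
}

# Typical use (as root):
#   r=$(snapshot_files /root/wrapper-backup reboot /etc/hosts.allow /etc/hosts.deny)
#   schedule_restore "$r" 15
#   ... edit the files, then open a fresh ssh session to confirm access ...
#   cancel_restore
```

Confirm access from a second, fresh session rather than the one you are editing in, since tcp-wrappers only evaluates the rules when a connection is established.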
Copyright © 2011 JaguarPC.com