I use DenyHosts and the ReportHackIsp plugin. After DenyHosts detects a brute force attempt and bans the IP it runs the ReportHackIsp plugin, which determines who owns the IP address and emails their abuse department.
I like catching and reporting them, but if you just want to stop them you can do things like change the default port and set up key-based authentication.
Like others, I too recommend moving ssh to a different port. You can also install denyhosts to automatically block anyone who is hammering on the server (although I suspect that if you move ssh to an alternate port, you'll find you're avoiding the majority of attempts.)
If you're concerned about having to specify the alternate port on the command line, you can add a line to your ~/.ssh/config to handle that for you.
> sshd(8): Support for tcpwrappers/libwrap has been removed.
Anyone using denyhosts, which includes me.
I have been meaning to either switch over to fail2ban, or just do iptables-based rate limiting instead. That may have to move higher on my todo list.
The urgency for me though depends on whether 6.7 gets included in Debian Jessie. Jessie is close to a release freeze.
Hehh, I don't actually know. I was just making a dumb comment that didn't help you :(
Sorry. I'm not really a sysadmin per se, but I generally:
Route any and all network traffic through my router.
Use DenyHosts.
Don't allow a root login.
Take SSH logins on an obscure port.
I try to close any ports that I am not using on a regular basis.
I always read my logs too. Mostly I find nothing, but every now and then I find some interesting stuff.
I guess this goes without saying, but I'm going to say it anyway. Keep your machine(s) patched and your kernel(s) updated.
I only root a small crappy home server that is an old desktop.
> whereas you have to manually configure hosts.deny.
He's talking about DenyHosts, which is a log-monitoring active-response system like Fail2Ban.
Security is all about layers. Firewalling and intrusion-detection are not mutually-exclusive and both have a place in a properly-managed environment.
DBAN ALL the drives (http://www.dban.org/)!
Reinstall.
Stop using password authentication with SSH, use only public key authentication.
Install something like DenyHosts (http://denyhosts.sourceforge.net/).
And be sure to check all the clients that you use to connect to the server for malware.
Also, a 10 character password is rather short... https://xkcd.com/936/
I use denyhosts to automatically block the IP after several invalid attempts. I also use a plugin for denyhosts called report hack isp which automatically finds the abuse email address for the registered owner of the IP address and sends them an email reporting the hack attempt.
If you just want to make the hack attempts stop you can use a non standard SSH port and enable Google Authenticator for SSH.
If you're super paranoid you can do all of the above.
Consider installing denyhosts as an alternative to fail2ban; it includes a remote synchronized database feature that may prove useful. Has a very straightforward configuration file, fairly easy to install & set up. Have deployed it on many servers over the years with good results.
I personally like DenyHosts. If someone fails so many times logging in, their IP is auto-denied. Our box was behind the campus firewall but now they are on a new system so we're exposed to the outside world. As soon as that happened I noticed bots probing our machine to see if they could get in. Also I have AllowUsers set up explicitly in my sshd_config file. In hindsight I wish I had set the ssh port to something different, but I don't want to do that now since all of our users can log in. Lastly, the only port I have open to the outside world is the ssh one, using firewall settings. Not sure on Ubuntu how to set that up. On CentOS I just used system-config-firewall-tui.
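The settings recommended across this thread (no root login, no password authentication, an explicit AllowUsers list, a non-default port) can be checked mechanically. The script below is an added example, not code from DenyHosts or from any commenter; both config texts are constructed here, and the `audit` and `effective_value` helper names are ours. It reads an sshd_config on stdin and prints one finding per weak or missing setting, honouring sshd's first-match rule for repeated keys and ignoring commented lines.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the hardening settings discussed above.
# WEAK_CONFIG and HARDENED_CONFIG are constructed samples, not real files.

WEAK_CONFIG='Port 22
PermitRootLogin yes
PasswordAuthentication yes
#AllowUsers alice'

HARDENED_CONFIG='Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers alice bob'

# effective_value KEY: read a config on stdin and print the value of the first
# uncommented KEY line (sshd uses the first match), or nothing if it is unset.
# Keywords are case-insensitive, so compare lower-cased.
effective_value() {
    awk -v k="$1" 'tolower($1) == tolower(k) && $1 !~ /^#/ {print $2; exit}'
}

# audit: read a config on stdin and print one line per finding.
# Prints nothing for a config that passes every check.
audit() {
    cfg=$(cat)

    v=$(printf '%s\n' "$cfg" | effective_value PermitRootLogin)
    case "${v:-yes}" in
        no|prohibit-password|without-password) ;;
        *) echo "PermitRootLogin is ${v:-unset}; set it to no" ;;
    esac

    v=$(printf '%s\n' "$cfg" | effective_value PasswordAuthentication)
    [ "${v:-yes}" = no ] || echo "PasswordAuthentication is ${v:-unset}; use keys only"

    v=$(printf '%s\n' "$cfg" | effective_value AllowUsers)
    [ -n "$v" ] || echo "AllowUsers not set: every local account may log in"

    v=$(printf '%s\n' "$cfg" | effective_value Port)
    [ "${v:-22}" != 22 ] || echo "Port is 22: the default port draws the most scans"
}

# Demo on the constructed samples. Against a live host: audit < /etc/ssh/sshd_config
echo '--- weak config ---'
printf '%s\n' "$WEAK_CONFIG" | audit
echo '--- hardened config ---'
printf '%s\n' "$HARDENED_CONFIG" | audit
```

The Port check is advisory only, in line with the thread: moving the port cuts noise but is not a security control. If you do move it, the client side is a `Host` block in ~/.ssh/config with `HostName` and `Port` lines, so the port need not be typed on every connection.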
Personally I really like Ubuntu but I hate Unity, so if I want a GUI I just install GNOME on an Ubuntu server install. I also like to install denyhosts (http://denyhosts.sourceforge.net/); this automatically blocks IP addresses that try brute-force password attacks over ssh.
After you've succeeded in getting your SSH server visible externally, I'd strongly suggest taking a look at denyhosts:
http://denyhosts.sourceforge.net/
It's available in the Ubuntu repositories. It will scan the system log for failed login attempts and block IPs found to be causing a large amount of failures. You can optionally have the client contribute to a crowd-sourced list of IPs to proactively block known bad IPs.
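The log-scanning step described above is small enough to show end to end. The script below is an added example, not DenyHosts' own code: it takes sshd syslog lines on stdin, counts "Failed password" events per source address, and emits a block entry for every address at or above a threshold. It prints both the hosts.deny form DenyHosts historically used and an equivalent iptables command, since (as noted earlier in the thread) sshd 6.7 dropped tcpwrappers support and hosts.deny no longer affects it. The log excerpt is constructed for the demo, and the function names and the THRESHOLD variable are ours.

```shell
#!/bin/sh
# Added example: a DenyHosts-style scan of sshd failures, with the block list
# printed rather than applied. SAMPLE_LOG is a constructed auth.log excerpt.

THRESHOLD=${THRESHOLD:-5}

SAMPLE_LOG='Mar  3 10:01:02 host sshd[1201]: Failed password for root from 203.0.113.7 port 50122 ssh2
Mar  3 10:01:04 host sshd[1201]: Failed password for root from 203.0.113.7 port 50123 ssh2
Mar  3 10:01:05 host sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 50130 ssh2
Mar  3 10:01:06 host sshd[1203]: Failed password for invalid user oracle from 203.0.113.7 port 50131 ssh2
Mar  3 10:01:08 host sshd[1204]: Failed password for invalid user test from 203.0.113.7 port 50132 ssh2
Mar  3 10:01:09 host sshd[1205]: Failed password for invalid user guest from 203.0.113.7 port 50133 ssh2
Mar  3 10:02:11 host sshd[1210]: Failed password for alice from 198.51.100.23 port 41000 ssh2
Mar  3 10:02:40 host sshd[1211]: Accepted publickey for alice from 198.51.100.23 port 41001 ssh2
Mar  3 10:03:00 host sshd[1220]: Invalid user pi from 192.0.2.99 port 3333
Mar  3 10:03:01 host sshd[1220]: Failed password for invalid user pi from 192.0.2.99 port 3333 ssh2'

# failed_counts: read log lines on stdin, print "count ip" for each address
# with at least one failed password attempt. Only sshd "Failed password" lines
# count; "Invalid user" pre-auth lines and successful logins are ignored.
failed_counts() {
    grep 'sshd\[[0-9]*\]: Failed password for' |
        sed -n 's/.* from \([0-9.]*\) port .*/\1/p' |
        sort | uniq -c | awk '{print $1, $2}'
}

# offenders: addresses whose failure count reaches THRESHOLD, one per line.
offenders() {
    failed_counts | awk -v t="$THRESHOLD" '$1 >= t {print $2}'
}

# hosts_deny_lines: the tcpwrappers form, effective only on sshd built with libwrap.
hosts_deny_lines() {
    offenders | sed 's/^/sshd: /'
}

# iptables_cmds: equivalent firewall rules, printed for review rather than run.
iptables_cmds() {
    offenders | sed 's/^/iptables -I INPUT -s /; s/$/ -j DROP/'
}

# Demo on the constructed log. Against a live host: sh scan.sh < /var/log/auth.log
echo '--- hosts.deny entries ---'
printf '%s\n' "$SAMPLE_LOG" | hosts_deny_lines
echo '--- iptables rules ---'
printf '%s\n' "$SAMPLE_LOG" | iptables_cmds
```

A single typo from a legitimate user (198.51.100.23 above) stays well under the threshold, while the scanner walking a user list from 203.0.113.7 is caught. Note the example counts attempts over the whole input; a real daemon also needs a time window and an expiry so that a shared address, such as the mobile carrier one mentioned later in the thread, is not blocked forever.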
About a year ago, repeated ssh login attempts, to either root (which was already blocked) or accounts that didn't exist, were a majority of the traffic to my server. I wasn't worried about anyone actually breaking in as they had never even tried an account that actually existed, but it seemed wrong to be wasting the bandwidth. I installed denyhosts and that cut down the volume considerably. I get around one address banned per day.
One time when I tried to connect with my cell phone on Verizon, at 30th and 9th in Manhattan, it was blocked by this scheme... I wonder if it was someone's cell phone that joined a botnet, or just some Verizon server?