Linux/ssh server bruteforce

= SSH Service under brute-force attack =

Keeping a list of usernames and IPs, so I can share them with others... what you should NOT do, and WHY you should protect your SSH server.

The first rule/best practice/recommendation is to change the default ssh port, TCP/22, to something different. If that is not possible, then you will need to take some measures to prevent ssh brute-force attacks.

Have a look at the usernames in the list, and have a thought: if you use this "pattern" of username, make sure the password is a strong one, or even better... don't use a password at all and use certificates.

== Filtering usernames from the lastb log ==

 * SSH brute-force attack - command to check the usernames used in the brute-force attack and how many times each was used

lastb -Fw | sed s/'ssh:notty'/''/ | cut -f 1 -d " " | sort | uniq -c | sort -rn


 * The same count works better with the awk command

lastb -Fw | awk -F" " '{print $1}' | sort | uniq --count | sort -nr

== Filtering source IPs from the lastb log ==

 * SSH brute-force attack - checking the source IPs

lastb -Fwi | awk -F" " '{print $3}' | sort | uniq --count | sort -nr
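The two pipelines above do the same aggregation over different columns of `lastb -Fwi`. As an added example (not part of the original page), here is a small parser that counts usernames and source addresses in one pass, skips the `btmp begins` trailer line, and flags sources above a threshold. The sample records are constructed, not taken from a real host.

```python
import re
from collections import Counter

# Constructed sample of `lastb -Fwi` output (not captured from a real host):
# columns are user, tty, source address, then the full timestamp range.
SAMPLE_LASTB = """\
root     ssh:notty    203.0.113.5      Mon Oct 14 10:22:01 2013 - Mon Oct 14 10:22:01 2013  (00:00)
root     ssh:notty    203.0.113.5      Mon Oct 14 10:22:03 2013 - Mon Oct 14 10:22:03 2013  (00:00)
admin    ssh:notty    198.51.100.23    Mon Oct 14 10:25:40 2013 - Mon Oct 14 10:25:40 2013  (00:00)
oracle   ssh:notty    203.0.113.5      Mon Oct 14 10:26:12 2013 - Mon Oct 14 10:26:12 2013  (00:00)
root     ssh:notty    198.51.100.23    Mon Oct 14 10:27:55 2013 - Mon Oct 14 10:27:55 2013  (00:00)

btmp begins Tue Oct  1 00:00:01 2013
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+")

def parse_lastb(text):
    """Yield (user, tty, source) for each failed-login record in lastb output.
    Blank lines and the trailing 'btmp begins ...' summary line are skipped."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("btmp begins"):
            continue
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3)

def count_failures(text, only_ssh=True):
    """Return (user_counts, source_counts): the same aggregation as the
    `sort | uniq -c | sort -rn` pipelines, but over both columns at once.
    With only_ssh=True, records whose tty is not 'ssh:notty' are ignored."""
    users, sources = Counter(), Counter()
    for user, tty, source in parse_lastb(text):
        if only_ssh and tty != "ssh:notty":
            continue
        users[user] += 1
        sources[source] += 1
    return users, sources

def noisy_sources(text, threshold):
    """Sources with at least `threshold` failed logins: candidates for a
    firewall or fail2ban-style block rule."""
    _, sources = count_failures(text)
    return sorted(src for src, n in sources.items() if n >= threshold)

if __name__ == "__main__":
    users, sources = count_failures(SAMPLE_LASTB)
    for user, n in users.most_common():
        print(f"{n:6d} {user}")
    for src, n in sources.most_common():
        print(f"{n:6d} {src}")
```

Feed it real data with `lastb -Fwi > btmp.txt` and pass the file contents to `count_failures`.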

== Information from the log files regarding brute-force attacks on the ssh port tcp/22 ==

 * From the logs in: Linux/ssh_server_bruteforce/2013-10

 * From the logs in: Linux/ssh_server_bruteforce/2013-04