You can use your logs as a "poor man's" honeypot: the user names that attackers guess against sshd tell you which accounts to lock down.
Review your logs and adapt the following awk command to suit your needs. The exact syntax will vary with your distribution's log format and with how you authenticate (passwords or keys).
Debian:
awk 'gsub(".*sshd.*Invalid.*user", "") {print $1}' /var/log/auth.* | sort | uniq
Fedora:
awk 'gsub(".*sshd.*userauth.*user", "") {print $1}' /var/log/secure* | sort | uniq
If you are not familiar with awk: gsub deletes everything from the start of the line through the word "user" and returns the number of substitutions it made, so the {print $1} action runs only on lines that matched, and by then the first remaining field is the user name. See an online awk guide for details.
A sample line from a Debian log file is:
Jul 26 19:45:32 Debian sshd[18302]: Invalid user oracle from 211.137.134.74
A sample line from a Fedora log file is:
Jul 27 15:34:43 Fedora sshd[7546]: input_userauth_request: invalid user root
I compiled a list of the user names my ssh logs have seen over the last year or so:
23-164-111-65 admin alias ant anthony bin bureau cote david db2inst1 fluffy guest httpd jasmin laura nagios office oracle pc postgres prueba recruit root sales samba staff teamspeak test ts webmaster wwwadmin
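As an added example, not from the original post, here is the same log mining as a small POSIX shell script rather than a one-liner. It goes a little beyond the commands above: it reads rotated .gz files as well as plain ones, handles the Debian and the Fedora line formats in one pass, keeps the source address next to each user name, and ranks both by count. The log lines it carries are constructed for the demo (the first Debian line and the Fedora line are the samples quoted above).

```shell
#!/bin/sh
# Added example, not part of the original post: pull the user names and source
# addresses that sshd rejected out of auth logs, including rotated .gz files,
# and rank them. The log lines in sample_log are constructed for this demo.

# Concatenate the given log files, decompressing *.gz; with no arguments read stdin.
read_logs() {
    if [ $# -eq 0 ]; then
        cat
        return
    fi
    for f in "$@"; do
        case $f in
            *.gz) gzip -cd "$f" ;;
            *)    cat "$f" ;;
        esac
    done
}

# Print one "USER ADDR" line per rejected login. Debian-style lines carry the
# address; Fedora's input_userauth_request lines do not, so ADDR is "-" there.
ssh_rejected() {
    read_logs "$@" | awk '
        # Debian/Ubuntu: "... sshd[PID]: Invalid user NAME from ADDR [port N]"
        /sshd\[[0-9]+\]: Invalid user / {
            sub(/.*Invalid user /, "")   # $0 is now "NAME from ADDR ..."
            print $1, $3
            next
        }
        # Fedora: "... sshd[PID]: input_userauth_request: invalid user NAME"
        /sshd\[[0-9]+\]: input_userauth_request: invalid user / {
            sub(/.*invalid user /, "")   # $0 is now "NAME"
            print $1, "-"
        }
    '
}

# Tally column N of ssh_rejected output, most frequent first; "-" is skipped.
count_col() {
    awk -v col="$1" '$col != "-" { n[$col]++ } END { for (k in n) print n[k], k }' | sort -rn
}

top_users() { ssh_rejected "$@" | count_col 1; }
top_ips()   { ssh_rejected "$@" | count_col 2; }

# Constructed sample log. The user names are attacker-chosen strings: treat
# them as untrusted data and quote them if you pass them to another command.
sample_log() {
    cat <<'EOF'
Jul 26 19:45:32 Debian sshd[18302]: Invalid user oracle from 211.137.134.74
Jul 26 19:45:40 Debian sshd[18310]: Invalid user admin from 211.137.134.74 port 41022
Jul 26 19:46:01 Debian sshd[18320]: Invalid user oracle from 10.0.0.5
Jul 26 19:46:30 Debian sshd[18325]: Invalid user oracle from 10.0.0.5 port 50000
Jul 26 19:47:12 Debian sshd[18331]: Invalid user test from 10.0.0.5
Jul 27 15:34:43 Fedora sshd[7546]: input_userauth_request: invalid user root
Jul 27 15:35:00 Fedora sshd[7550]: Accepted publickey for alice from 10.0.0.9 port 5000 ssh2
EOF
}

# On a real host: top_users /var/log/auth.log /var/log/auth.log.*.gz
sample_log | top_users
```

On a real host replace the sample_log pipe with the file list, for example top_users /var/log/auth.log /var/log/auth.log.*.gz, or top_ips with the same arguments to see who is knocking. Note that the user names come straight from whoever was knocking, so never let them become unquoted shell words.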
Now obviously some of these names will be unique to my logs, but the list should give you an idea of which user names to block. Bear in mind that denying a name that has no account on the system changes nothing, since sshd already rejects it; the value of the list is in spotting the real accounts (root and service accounts such as postgres or nagios) that should not be reachable over ssh at all. Add one of the options below to /etc/ssh/sshd_config and restart (or reload) sshd.
Black list
Blacklist common user names used by "script kiddies"
DenyUsers admin guest http httpd nagios office oracle postgres root sales samba staff webmaster wwwadmin
White list
Of course an easier method is to use a white list. If you white list the allowed users, anyone not on the list is by definition black listed: a user who is not on your white list cannot log in via ssh.
AllowUsers user_1 user_2
Just make sure none of the allowed users is also on the above black list (sshd processes DenyUsers before AllowUsers, so a name on both lists is denied), and be sure to monitor your logs ;)
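To check a DenyUsers/AllowUsers combination before reloading sshd, here is an added example (not part of the original post) that models how sshd combines the two directives: DenyUsers is evaluated first, then AllowUsers, so a name on both lists is denied, and once an AllowUsers line exists every name it does not list is denied. The model covers only those two directives, with sshd's * and ? wildcards; it ignores the group directives, Match blocks and USER@HOST patterns, and the config excerpt it tests against is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: a model of how sshd combines
# DenyUsers and AllowUsers, so a config can be checked before it is reloaded.
# sshd processes DenyUsers, then AllowUsers, then DenyGroups, then AllowGroups;
# this model covers the two Users directives only (no groups, no Match blocks,
# no USER@HOST patterns). Patterns may use sshd's * and ? wildcards, which map
# onto the shell's own case patterns.

# Print every pattern listed for directive $1 (e.g. AllowUsers) in the config
# read from stdin. Keyword match is case-insensitive, as in sshd; repeated
# lines accumulate.
directive_patterns() {
    awk -v key="$1" 'tolower($1) == tolower(key) { for (i = 2; i <= NF; i++) print $i }'
}

# Exit 0 if user $1 matches any of the whitespace-separated patterns in $2.
# Runs in a subshell so "set -f" (no pathname expansion of * and ?) stays local.
matches_any() (
    set -f
    for pat in $2; do
        case "$1" in
            $pat) exit 0 ;;
        esac
    done
    exit 1
)

# Decide for user $1 against the sshd_config text on stdin; prints "allowed"
# or "denied". Deny wins over allow; an AllowUsers line refuses everyone it
# does not list; with no AllowUsers at all, anyone not denied may log in.
sshd_decides() {
    user=$1
    cfg=$(cat)
    deny=$(printf '%s\n' "$cfg" | directive_patterns DenyUsers)
    allow=$(printf '%s\n' "$cfg" | directive_patterns AllowUsers)
    if [ -n "$deny" ] && matches_any "$user" "$deny"; then
        echo denied
    elif [ -n "$allow" ] && ! matches_any "$user" "$allow"; then
        echo denied
    else
        echo allowed
    fi
}

# Constructed sshd_config excerpt for the demo: bob is on both lists.
sample_config() {
    cat <<'EOF'
PermitRootLogin no
DenyUsers admin guest oracle postgres root bob
AllowUsers alice bob svc-*
EOF
}

for u in alice bob carol oracle svc-backup; do
    printf '%-12s %s\n' "$u" "$(sample_config | sshd_decides "$u")"
done
```

Whatever the model says, validate the real file with sshd -t before reloading, keep an existing session open while you do it in case you have locked yourself out, and compare with sshd -T | grep -iE '^(allowusers|denyusers|permitrootlogin)', which prints the values sshd actually loaded.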
Black list ip addresses
If you examine the awk command I used above and look at your logs, you can also generate a list of IP addresses to black list if you want. IMO this is not as helpful: it is trivial for an attacker to change IP address, and the list soon becomes long ...
Alternates
Obviously you can use other tools to secure ssh, such as ssh keys, TCP Wrappers, denyhosts, and fail2ban.
You could also do the following if you rotate and compress your logs (for the gzipped files):
zcat auth.log*.gz | awk 'gsub(".*sshd.*Invalid.*user", "") {print $1}' | sort | uniq
Hi,
I use these simple iptables rules for ssh. Maybe not as good as fail2ban but easier to deploy
# Record every new connection to port 22 in the "SSH" recent list
-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
# 5th new connection from the same source within 60 s: log it (ULOG target; NFLOG on current kernels) ...
-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 5 --rttl --name SSH -j ULOG --ulog-prefix SSH_brute_force
# ... and drop it; --update refreshes the timestamp, so the block lasts while they keep trying
-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 5 --rttl --name SSH -j DROP
# Anything under the limit is accepted
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
5 ssh connection attempts / min, and block for a min if they fail.
Drops most of the ssh scans
Ghislain
@legribou Aye, I use a similar set of rules, thank you for posting yours. You may need to be a bit more liberal if you use scp.
@Scott Thank you for taking the time to leave that tip as well.
Absolutely, I forgot to add to the first comment, but great post!