LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 10-12-2006, 11:04 AM   #1
Mad Mike
LQ Newbie
 
Registered: Oct 2006
Posts: 4

Rep: Reputation: 0
Question on Brute Force Attacks


Quick info. Have a managed VPS. Security was installed, I setup to send me brute force attempt emails. Below is a short example:


Oct 11 03:09:03 host sshd[27797]: Invalid user test from 58.177.250.178
Oct 11 07:09:05 host sshd[27803]: Failed password for invalid user test from 58.177.250.178 port 50471 ssh2
Oct 11 03:09:05 host sshd[27797]: Failed password for invalid user test from 58.177.250.178 port 50471 ssh2
Oct 11 07:09:06 host sshd[27803]: Received disconnect from 58.177.250.178: 11: Bye Bye
Oct 11 03:09:07 host sshd[27847]: Invalid user test from 58.177.250.178
Oct 11 03:09:10 host sshd[27847]: Failed password for invalid user test from 58.177.250.178 port 50544 ssh2
Oct 11 07:09:10 host sshd[27849]: Failed password for invalid user test from 58.177.250.178 port 50544 ssh2
Oct 11 07:09:10 host sshd[27849]: Received disconnect from 58.177.250.178: 11: Bye Bye


Now I'm pretty new to the admin side of Linux, so I don't fully understand something and hope someone can explain. Unless I'm mistaken, sshd[27797], sshd[27803], and sshd[27849], for example, are three different SSH ports this person tried to connect to for SSH.

My host and others say that for brute force the best thing to do is change the port from 22 to something else. I know how to do that and can...

What I don't understand is how that would help. Unless I'm reading something wrong in all the logs, I don't see where they tried to connect to 22.

Feedback appreciated.
 
Old 10-12-2006, 11:49 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Hello there and welcome to LQ. Hope you like it here.

Quote:
Have a managed VPS. Security was installed
What exactly was installed that enhances security?


Quote:
sshd[27797], sshd[27803], and sshd[27849] for example are three different SSH ports this person tried to connect to for SSH.
No, the [27797] is the notation for a process ID, or "PID" for short, of the child of sshd (the SSH daemon).


Quote:
My Host and others say for Brute force the best thing to do is change the port from 22 to something else. I know how to do that and can... What I don't understand is how that would help. Unless I'm reading something wrong in all the logs I don't see where they tried to connect to 22.
Just disregard people that tell you to change ports: it does not enhance security one bit (or maybe it does in some parallel universe where statistics overrule reality). Start by tightening your sshd_config (no root, passphrases instead of passwords, only Protocol 2, only allowed users). If SSH is only used for admin purposes you can put in firewall rules + tcp_wrappers so it's only accessible from your management IP addresses or ranges. With that in place read the sticky Failed SSH login attempts thread and pick one method to implement.
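unSpawn's point about the bracketed number being a PID, shown as an added example (not code from the thread): a POSIX shell/awk script that groups the failed-password lines from post #1 by source IP and lists the sshd child PIDs, the client-side source ports and the account names tried. The single "root" line in the sample is constructed to exercise the second username form; the function name and output format are my own.

```shell
#!/bin/sh
# Added example, not from the thread: read sshd auth-log lines the way a
# defender should. The bracketed number after "sshd" is the PID of the
# per-connection child process; "port NNNNN" is the client's source port,
# not the server-side port. Lines are grouped per source IP.
# Sample input: the excerpt from post #1 with its wrapped lines re-joined,
# plus one constructed line for a valid account name (root) to show the
# other username form.
SAMPLE_LOG='Oct 11 03:09:03 host sshd[27797]: Invalid user test from 58.177.250.178
Oct 11 07:09:05 host sshd[27803]: Failed password for invalid user test from 58.177.250.178 port 50471 ssh2
Oct 11 03:09:05 host sshd[27797]: Failed password for invalid user test from 58.177.250.178 port 50471 ssh2
Oct 11 07:09:06 host sshd[27803]: Received disconnect from 58.177.250.178: 11: Bye Bye
Oct 11 03:09:07 host sshd[27847]: Invalid user test from 58.177.250.178
Oct 11 03:09:10 host sshd[27847]: Failed password for invalid user test from 58.177.250.178 port 50544 ssh2
Oct 11 07:09:10 host sshd[27849]: Failed password for invalid user test from 58.177.250.178 port 50544 ssh2
Oct 11 07:09:10 host sshd[27849]: Received disconnect from 58.177.250.178: 11: Bye Bye
Oct 11 07:10:02 host sshd[27901]: Failed password for root from 192.0.2.10 port 41234 ssh2'
# Usage: summarize_ssh_failures [MIN] < logfile
# Prints, per source IP with at least MIN failed passwords (default 1):
#   IP failed=N pids=... ports=... users=...
summarize_ssh_failures() {
    awk -v min="${1:-1}" '
    function append(s, x) { return (s == "" ? x : s "," x) }
    /sshd\[[0-9]+\]: Failed password for/ {
        pid = $5; sub(/^sshd\[/, "", pid); sub(/\]:.*$/, "", pid)
        # "Failed password for invalid user NAME ..." or "... for NAME ..."
        user = ($9 == "invalid") ? $11 : $9
        ip = ""; port = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "from") ip = $(i + 1)
            if ($i == "port") port = $(i + 1)
        }
        if (ip == "") next
        if (!(ip in fails)) order[++n] = ip
        fails[ip]++
        if (!((ip, "d" pid) in seen)) { seen[ip, "d" pid] = 1; pids[ip] = append(pids[ip], pid) }
        if (!((ip, "p" port) in seen)) { seen[ip, "p" port] = 1; ports[ip] = append(ports[ip], port) }
        if (!((ip, "u" user) in seen)) { seen[ip, "u" user] = 1; users[ip] = append(users[ip], user) }
    }
    END {
        for (i = 1; i <= n; i++) {
            ip = order[i]
            if (fails[ip] >= min)
                printf "%s failed=%d pids=%s ports=%s users=%s\n", ip, fails[ip], pids[ip], ports[ip], users[ip]
        }
    }'
}
printf '%s\n' "$SAMPLE_LOG" | summarize_ssh_failures 2
```

Four distinct PIDs and two client source ports for one source IP is exactly what a single attacker reconnecting to port 22 looks like; the 22 itself never appears in these lines.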
 
Old 10-12-2006, 12:24 PM   #3
Mad Mike
LQ Newbie
 
Registered: Oct 2006
Posts: 4

Original Poster
Rep: Reputation: 0
Ah, thanks for the info. Thought that "sshd[27797]" was a random port they were trying.

For purposes I only use for admin / some site management and all accounts are mine so only I need access. I briefly looked over that thread before posting this, but will look into it further. Not sure on how to do a few things you mentioned but 9/10 it was already posted so I'll check first.

As far as security this is what was done by default:

Quote:
1. Upgrade Apache/PHP, openssh, openssl, mysql etc.

2. Firewall Installation.

APF BFD SIM PRM LES NSIV SPRI

3. Rkhunter Installation.

4. Mod_Security Installation.

5. /tmp hardening.

6. Disable non-root access to unsafe binaries.
Going to look into that thread. Thanks for the site welcome. Lots of info here.
 
Old 10-12-2006, 07:42 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
APF BFD SIM PRM LES NSIV SPRI
For those with low TLA/FLA-fu:
APF (Advanced Policy Firewall)
BFD (Brute Force Detection)
SIM (System Integrity Monitor)
PRM (Process Resource Monitor)
LES (Linux Environment Security)
NSIV (Network Socket Inode Validation)
SPRI (System Priority)

* I suggest installing a file integrity checker like Aide or Samhain RSN since your install is still relatively "fresh".
Next to that Monit could replace (way more configurable, faster) SIM, PRM and NSIV. GRSecurity or SELinux overrule LES and NSIV by a mile w/o making a system non-standard wrt DAC rights and extended attributes (easier troubleshooting, easier on updates). If you're an RFX Fan for Life just disregard it, but you can't miss that the main portion of the code was written between 2002 and 2005 (AFAIK), and maybe you have already been told "please be aware this is not a silver bullet, and these do not prevent exploits of services you do run." before you signed up for installing those. While I agree OTS tools can do a great job in quickly providing (a sense of) security, you *do* have to configure and maintain them periodically to be effective (for instance LES by default knows wget but doesn't know Perl-libwww's GET).
It's a continuous process, no Fire and Forget here.


Quote:
5. /tmp hardening.
Mounting it "noexec,nosuid,nodev" is good but won't spare you if you run vulnerable or obsolete versions of PHP-based apps. Spam piggybacking on LAMP no longer seems to require root account privileges (check out those "I got hacked" threads here). Enhancing security for /tmp could be done by adding 1) SELinux, 2) GRSecurity (TPE), 3) some kind of Dnotify, FAM or other syscall interception gizmo or 4) a wickedly fast malware-seeking cronjob ;-p


Just my thoughts.
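An added example (not code from the thread) covering the sshd_config tightening unSpawn listed in post #2 and the /tmp mount options from this post: a POSIX shell audit that reports which of those settings are missing, run against constructed sample configs and a constructed mount table. The directive names are real sshd_config keywords; the sample contents, the function names and the AllowUsers account name "mike" are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: check the two hardening points raised
# in this thread, the sshd_config directives (no root login, keys instead of
# passwords, Protocol 2, an AllowUsers list) and the /tmp mount options
# (noexec,nosuid,nodev). The directive names are real sshd_config keywords;
# the two sample configs and the mount table below are constructed.

# $1 config text, $2 keyword, $3 value: report if the line is absent or commented out.
want_setting() {
    printf '%s\n' "$1" | grep -Eq "^[[:space:]]*$2[[:space:]]+$3[[:space:]]*$" \
        || echo "MISSING: $2 $3"
}

# Print one MISSING line per directive that is not set as unSpawn recommends.
audit_sshd_config() {
    want_setting "$1" PermitRootLogin no
    want_setting "$1" PasswordAuthentication no
    want_setting "$1" PubkeyAuthentication yes
    want_setting "$1" Protocol 2
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*AllowUsers[[:space:]]+[^[:space:]]' \
        || echo "MISSING: AllowUsers <list of admin accounts>"
}

# $1 is /proc/mounts-style text; print one MISSING line per absent /tmp option.
audit_tmp_mount() {
    opts=$(printf '%s\n' "$1" | awk '$2 == "/tmp" { print $4; exit }')
    [ -n "$opts" ] || { echo "MISSING: /tmp is not a separate mount"; return 0; }
    for o in noexec nosuid nodev; do
        case ",$opts," in *",$o,"*) ;; *) echo "MISSING: /tmp option $o" ;; esac
    done
}

# Constructed samples: a permissive default, the hardened version, and a
# /tmp mounted with only two of the three options.
WEAK_SSHD='Protocol 2,1
PermitRootLogin yes
#PasswordAuthentication no
PasswordAuthentication yes'
HARD_SSHD='Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers mike'
MOUNTS='/dev/sda1 / ext3 rw,relatime 0 0
/dev/sda3 /tmp ext3 rw,nosuid,nodev 0 0'

audit_sshd_config "$WEAK_SSHD"
audit_tmp_mount "$MOUNTS"
```

On a live box, feed it `$(cat /etc/ssh/sshd_config)` and `$(cat /proc/mounts)` instead of the samples; a commented-out directive counts as missing, which is the usual way a default config fails these checks.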
 
Old 10-16-2006, 10:25 PM   #5
Mad Mike
LQ Newbie
 
Registered: Oct 2006
Posts: 4

Original Poster
Rep: Reputation: 0
Was able to get this fixed with the help given. Thanks for that. Was away for a lil.

Will look into the other things that you mentioned
 