[nycbug-talk] Distributed ssh dictionary attacks

Andy Kosela akosela at andykosela.com
Wed Nov 26 07:40:51 EST 2008


On Wed, Nov 26, 2008 at 1:19 AM, Jonathan <jonathan at kc8onw.net> wrote:
> Is anyone else seeing the usual ssh attacks go distributed?  I'm seeing
> failed usernames from a large variety of addresses going by in a slow
> alphabetical list.  I guess I will have to actually change ssh to an
> alternate port to quiet the logs a bit :P  Anyone have any other
> suggestions or is that the best workaround these days?

I think we discussed this not so long ago on this list. pf(4),
sshd_config(5) or hosts_options(5) are usually my options. Also I
don't think it's very reasonable to open sshd(8) to the whole world,
just limit it to specific IPs/networks. In the worst scenario you can
even ignore this type of message as I don't really think that they
can be successful if you follow strict guidelines on strong passwords
and disable root ssh access (which FreeBSD has as a default option).
But of course it's best to get rid of them.

-- 
Andy Kosela
ora et labora
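
An added example, not part of the original messages: a small log check showing why the pattern described in the question (many addresses, usernames walked slowly in alphabetical order) slips past per-address failure counting, and one way to flag it instead. The log lines are constructed samples using documentation address ranges, and the thresholds are assumed values.

```python
import re
from collections import defaultdict

# Constructed sample auth.log lines (documentation address ranges), not real data.
SAMPLE_LOG = """\
Nov 26 01:00:05 host sshd[4101]: Invalid user aaron from 192.0.2.10
Nov 26 01:03:41 host sshd[4107]: Invalid user abby from 198.51.100.7
Nov 26 01:07:12 host sshd[4113]: Invalid user adam from 203.0.113.44
Nov 26 01:10:58 host sshd[4120]: Invalid user adrian from 192.0.2.93
Nov 26 01:14:30 host sshd[4126]: Invalid user alan from 198.51.100.201
Nov 26 01:18:02 host sshd[4131]: Invalid user albert from 203.0.113.9
Nov 26 01:21:47 host sshd[4139]: Invalid user alex from 192.0.2.10
Nov 26 01:25:15 host sshd[4144]: Invalid user alice from 198.51.100.66
"""

INVALID_USER = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from (\S+)")

def parse(log_text):
    """Return (username, source) pairs in log order."""
    return [m.groups() for m in map(INVALID_USER.search, log_text.splitlines()) if m]

def per_source_offenders(events, threshold=5):
    """Classic per-address counting: sources with >= threshold failures."""
    counts = defaultdict(int)
    for _user, src in events:
        counts[src] += 1
    return sorted(src for src, n in counts.items() if n >= threshold)

def looks_distributed(events, min_events=6, min_sources=4, min_sorted=0.8):
    """Flag a window where many sources try distinct usernames in near-alphabetical order."""
    if len(events) < min_events:
        return False
    users = [u for u, _ in events]
    sources = {s for _, s in events}
    # Fraction of adjacent username pairs that are already in sorted order.
    in_order = sum(a <= b for a, b in zip(users, users[1:]))
    sorted_ratio = in_order / (len(users) - 1)
    return (len(sources) >= min_sources
            and len(set(users)) == len(users)
            and sorted_ratio >= min_sorted)

if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    print("per-source offenders:", per_source_offenders(events))
    print("distributed pattern:", looks_distributed(events))
```

Because no single address reaches the per-source threshold, rate limits keyed on the source address do not trigger here, which is why restricting sshd to known networks is the more dependable control.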


