[nycbug-talk] Distributed ssh dictionary attacks

Dan Colish dan at radiusim.com
Wed Nov 26 08:57:27 EST 2008


On Wed, Nov 26, 2008 at 7:40 AM, Andy Kosela <akosela at andykosela.com> wrote:

> On Wed, Nov 26, 2008 at 1:19 AM, Jonathan <jonathan at kc8onw.net> wrote:
> > Is anyone else seeing the usual ssh attacks go distributed?  I'm seeing
> > failed usernames from a large variety of address going by in a slow
> > alphabetical list.  I guess I will have to actually change ssh to an
> > alternate port to quiet the logs a bit :P  Anyone have any other
> > suggestions or is that the best workaround these days?
>
> I think we discussed this not so long ago on this list. pf(4),
> sshd_config(5) or hosts_options(5) are usually my options. Also I
> don't think it's very reasonable to open sshd(8) to the whole world,
> just limit it to specific ip's/networks. In the worst scenario you can
> even ignore this type of messages as I don't really think that they
> can be successful if you follow strict guidelines on strong passwords
> and disable root ssh access (which FreeBSD has as a default option).
> But of course it's best to get rid of them.
>
> --
> Andy Kosela
> ora et labora
> _______________________________________________
> talk mailing list
> talk at lists.nycbug.org
> http://lists.nycbug.org/mailman/listinfo/talk
>


You should check out denyhosts. It will cut down on these attacks from a
single ip because it blocks ips based on failed attempts. Just be sure to
set the limit so you don't lock yourself out one day.

--Dan
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.nycbug.org:8443/pipermail/talk/attachments/20081126/bf25d330/attachment.htm>


More information about the talk mailing list