[nycbug-talk] Distributed ssh dictionary attacks

Thomas thomas at zaph.org
Wed Nov 26 11:05:30 EST 2008


* Jonathan <jonathan at kc8onw.net> [2008-11-25 19:19:15+0000]:
> Is anyone else seeing the usual ssh attacks go distributed?  I'm
> seeing failed usernames from a large variety of addresses going by in a
> slow alphabetical list.

Yup, logwatch(1) mailed me the same thing from my logs this morning.

This problem comes up fairly regularly here. The usual suggestion is to
do one or more of the following:

    - change your ssh port number

    - set "AllowUsers" to only let in certain users

    - use an application-level script like DenyHosts to watch for stuff
      like this and block offending IPs

    - use firewall-level filtering as found in pf, et al. to watch for
      stuff like this and block offending IPs

    - do nothing

From what I have seen the most common option chosen by far is the last
one.

Thomas
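
Added example, not part of the original message: a small detector for the pattern described in this thread, where failed usernames arrive from many addresses in a slow alphabetical list, so each source makes only a few attempts. It assumes OpenSSH's "Invalid user NAME from ADDR" log message; the function names, thresholds and sample log are constructed for illustration.

```python
import re
from collections import Counter

# OpenSSH's auth-log message for a login attempt with an unknown username.
INVALID_USER = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from (\S+)")

# Constructed sample using documentation address ranges, not real log data.
SAMPLE_LOG = """\
Nov 25 19:01:12 host sshd[4101]: Invalid user aaron from 192.0.2.10
Nov 25 19:03:40 host sshd[4107]: Invalid user abby from 198.51.100.7
Nov 25 19:06:02 host sshd[4112]: Invalid user abel from 203.0.113.45
Nov 25 19:07:15 host sshd[4113]: Accepted publickey for alice from 192.0.2.200 port 50022 ssh2
Nov 25 19:08:31 host sshd[4118]: Invalid user adam from 192.0.2.88
Nov 25 19:11:09 host sshd[4123]: Invalid user adrian from 198.51.100.23
Nov 25 19:13:44 host sshd[4129]: Invalid user agnes from 203.0.113.9
Nov 25 19:16:20 host sshd[4134]: Invalid user alan from 192.0.2.10
Nov 25 19:18:57 host sshd[4140]: Invalid user albert from 198.51.100.140
"""

def parse(log_text):
    """Return (username, source) pairs in the order they were logged."""
    matches = map(INVALID_USER.search, log_text.splitlines())
    return [m.groups() for m in matches if m]

def summarize(events):
    """Aggregate across all sources instead of counting per address."""
    users = [user.lower() for user, _ in events]
    per_source = Counter(source for _, source in events)
    pairs = list(zip(users, users[1:]))
    # Share of consecutive attempts whose usernames are in alphabetical order.
    ordered = sum(a <= b for a, b in pairs) / len(pairs) if pairs else 0.0
    return {
        "attempts": len(events),
        "sources": len(per_source),
        "max_per_source": max(per_source.values(), default=0),
        "ordered_fraction": ordered,
    }

def looks_distributed(summary, min_sources=5, per_source_limit=3, min_ordered=0.9):
    """Many sources, few tries each, one shared alphabetical username list."""
    return (summary["sources"] >= min_sources
            and summary["max_per_source"] <= per_source_limit
            and summary["ordered_fraction"] >= min_ordered)

if __name__ == "__main__":
    report = summarize(parse(SAMPLE_LOG))
    print(report, "distributed:", looks_distributed(report))
```

The thresholds are illustrative starting points and need tuning against the host's normal volume of failed logins.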


