[nycbug-talk] Distributed ssh dictionary attacks
Jonathan
jonathan at kc8onw.net
Wed Nov 26 11:48:26 EST 2008
Dan Colish wrote:
>
> On Wed, Nov 26, 2008 at 7:40 AM, Andy Kosela <akosela at andykosela.com
> <mailto:akosela at andykosela.com>> wrote:
>
> On Wed, Nov 26, 2008 at 1:19 AM, Jonathan <jonathan at kc8onw.net
> <mailto:jonathan at kc8onw.net>> wrote:
> > Is anyone else seeing the usual ssh attacks go distributed? I'm
> seeing
> > failed usernames from a large variety of address going by in a slow
> > alphabetical list. I guess I will have to actually change ssh to an
> > alternate port to quiet the logs a bit :P Anyone have any other
> > suggestions or is that the best workaround these days?
>
> I think we discussed this not so long ago on this list. pf(4),
> sshd_config(5) or hosts_options(5) are usually my options. Also I
> don't think it's very reasonable to open sshd(8) to the whole world,
> just limit it to specific ip's/networks. In the worst scenario you can
> even ignore this type of messages as I don't really think that they
> can be successful if you follow strict guidelines on strong passwords
> and disable root ssh access (which FreeBSD has as a default option).
> But of course it's best to get rid of them.
>
> You should check out denyhosts. It will cut down on these attacks from a
> single ip because it blocks ips based on failed attempts. Just be sure
> to set the limit so you don't lock yourself out one day.
I would do that except the attack is highly distributed and very slow,
it's still trying usernames that start with "c". I'll probably just do
the alternate port option as I can never be sure what address I'll be
coming from and can't filter based on that.
Thanks for taking the time to reply,
Jonathan
More information about the talk
mailing list