[nycbug-talk] Distributed ssh dictionary attacks

Jonathan jonathan at kc8onw.net
Wed Nov 26 11:48:26 EST 2008

Dan Colish wrote:
> On Wed, Nov 26, 2008 at 7:40 AM, Andy Kosela <akosela at andykosela.com> wrote:
>     On Wed, Nov 26, 2008 at 1:19 AM, Jonathan <jonathan at kc8onw.net> wrote:
>     > Is anyone else seeing the usual ssh attacks go distributed?  I'm
>     > seeing failed usernames from a large variety of addresses going by
>     > in a slow alphabetical list.  I guess I will have to actually change
>     > ssh to an alternate port to quiet the logs a bit :P  Anyone have any
>     > other suggestions or is that the best workaround these days?
>     I think we discussed this not so long ago on this list. pf(4),
>     sshd_config(5) or hosts_options(5) are usually my options. Also I
>     don't think it's very reasonable to open sshd(8) to the whole world,
>     just limit it to specific IPs/networks. In the worst scenario you can
>     even ignore this type of message as I don't really think that they
>     can be successful if you follow strict guidelines on strong passwords
>     and disable root ssh access (which FreeBSD has as a default option).
>     But of course it's best to get rid of them.
> You should check out denyhosts. It will cut down on these attacks from a
> single IP because it blocks IPs based on failed attempts. Just be sure
> to set the limit so you don't lock yourself out one day.

I would do that except the attack is highly distributed and very slow;
it's still trying usernames that start with "c".  I'll probably just do
the alternate port option as I can never be sure what address I'll be
coming from and can't filter based on that.

Thanks for taking the time to reply,
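The following is an added illustration, not code from the thread or from denyhosts: it runs two detection rules over a handful of constructed sshd "Invalid user" log lines (sample addresses from documentation ranges, invented names). The first rule is the per-source threshold Dan describes, which catches a noisy single host but never fires on the sweep Jonathan sees, because each source only makes one attempt. The second rule looks at the campaign as a whole: many distinct sources, one attempt each, with the usernames walking through the alphabet in log order. The function names, thresholds and the log sample are all assumptions made for this example.

```python
import re
from collections import Counter

# Constructed sample log (not from the original thread): a slow, distributed
# sweep where every source IP makes exactly one attempt and the usernames
# advance alphabetically, followed by one noisy single-IP attacker.
SAMPLE_LOG = """\
Nov 26 01:02:11 host sshd[1201]: Invalid user carl from 203.0.113.10
Nov 26 01:19:47 host sshd[1245]: Invalid user carla from 198.51.100.22
Nov 26 01:40:03 host sshd[1290]: Invalid user carlos from 192.0.2.77
Nov 26 02:01:58 host sshd[1333]: Invalid user carmen from 203.0.113.54
Nov 26 02:25:12 host sshd[1377]: Invalid user carol from 198.51.100.9
Nov 26 02:48:30 host sshd[1410]: Invalid user casey from 192.0.2.140
Nov 26 03:10:05 host sshd[1455]: Invalid user cathy from 203.0.113.201
Nov 26 03:11:00 host sshd[1460]: Invalid user admin from 192.0.2.5
Nov 26 03:11:01 host sshd[1461]: Invalid user admin from 192.0.2.5
Nov 26 03:11:02 host sshd[1462]: Invalid user test from 192.0.2.5
Nov 26 03:11:03 host sshd[1463]: Invalid user oracle from 192.0.2.5
Nov 26 03:11:04 host sshd[1464]: Invalid user guest from 192.0.2.5
Nov 26 03:11:05 host sshd[1465]: Invalid user root from 192.0.2.5
"""

# Matches the OpenSSH "Invalid user <name> from <ip>" message; trailing
# "port NNNN" text on newer versions is ignored because search() is unanchored.
LINE_RE = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from (\d+\.\d+\.\d+\.\d+)")


def parse_failures(log_text):
    """Return (username, source_ip) tuples, in log order, for each Invalid user line."""
    failures = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            failures.append((m.group(1), m.group(2)))
    return failures


def per_ip_offenders(failures, threshold=5):
    """denyhosts-style rule (assumed threshold): sources with >= threshold failures."""
    counts = Counter(ip for _, ip in failures)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def distributed_sweep(failures, max_attempts_per_ip=1, min_sources=5,
                      min_sorted_fraction=0.8):
    """Campaign-level rule: many low-rate sources whose usernames, taken in log
    order, mostly advance alphabetically. Returns a summary dict with a 'flagged'
    verdict; the thresholds are assumptions for this example."""
    attempts_by_ip = Counter(ip for _, ip in failures)
    low_and_slow = [(u, ip) for u, ip in failures
                    if attempts_by_ip[ip] <= max_attempts_per_ip]
    users = [u for u, _ in low_and_slow]
    sources = {ip for _, ip in low_and_slow}
    pairs = list(zip(users, users[1:]))
    # Fraction of consecutive username pairs that are in non-decreasing order.
    sorted_fraction = (sum(1 for a, b in pairs if a <= b) / len(pairs)) if pairs else 0.0
    return {
        "sources": len(sources),
        "usernames": len(users),
        "sorted_fraction": round(sorted_fraction, 2),
        "first_user": users[0] if users else None,
        "last_user": users[-1] if users else None,
        "flagged": len(sources) >= min_sources and sorted_fraction >= min_sorted_fraction,
    }


if __name__ == "__main__":
    failures = parse_failures(SAMPLE_LOG)
    print("per-IP rule would block:", per_ip_offenders(failures))
    print("distributed sweep summary:", distributed_sweep(failures))
```

Run against the sample, the per-IP rule names only 192.0.2.5, while the sweep rule reports seven distinct sources, one attempt each, with the usernames running from "carl" to "cathy" in fully sorted order and flags the campaign. The design point is the one Jonathan makes in the thread: a rule keyed on the source address cannot see an attack whose whole point is to spread attempts across addresses, so the useful signal has to be computed across sources rather than per source.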
