[nycbug-talk] SSH attacks
Steven Kreuzer
skreuzer at exit2shell.com
Wed Sep 10 17:00:30 EDT 2008
N.J. Thomas wrote:
> * Andy Kosela <akosela at andykosela.com> [2008-09-10 19:38:47+0000]:
>
>>> Hey, is anyone else seeing an upsurge in distributed SSH attacks over
>>> the past week or two?
>>>
>> The best defense against such attacks is just to allow SSH connections
>> only for specific hosts/subnets.
>>
>
> Another good suggestion is to use the "AllowUsers" option in
> /etc/ssh/sshd_config to permit only specified users to log in. Useful if
> you run a server where only a small number of users are allowed to log
> in.
>
> Thomas
>
While AllowUsers is a very valuable layer of security, the problem with
these ssh brute force attacks is that
your logs get spammed with failed connection attempts.
Whats even worse is if you are getting hit very hard, your machine will
start to become unresponsive because of the amount
of failed connection attempts that need to be written to disk.
Your only real options are to drop the connection or move the port ssh
is listening on.
SK
More information about the talk
mailing list