> -----Original Message----- > From: Dave McCammon [mailto:[EMAIL PROTECTED] > Sent: Friday, October 08, 2004 4:46 AM > To: [EMAIL PROTECTED] > Cc: [EMAIL PROTECTED] > Subject: Re: Protecting SSH from brute force attacks > > > > --- Vulpes Velox <[EMAIL PROTECTED]> wrote: > > > On Thu, 7 Oct 2004 15:15:25 -0700 (PDT) > > Luke <[EMAIL PROTECTED]> wrote: > > > > > There are several script kiddies out there hitting > > my SSH server > > > every day. Sometimes they attempt to brute-force > > their way in > > > trying new logins every second or so for hours at > > a time. Given > > > enough time, I fear they will eventually get in. > > > Is there anything I can do to hinder them? > > > > > > I'd like to ban the IP after 50 failed attempts or > > something. I'd > > > heard that each failed attempt from a source was > > supposed to make > > > the daemon respond slower each time, thus limiting > > the usefulness of > > > brute force attacks, but I'm not seeing that > > behavior. > > > > I forget where in /etc it is, but look into setting > > up something that > > allows a certian number of failed logins before > > locking that IP/term > > out for a few minutes.... and if it is constantly > > from the same place > > look into calling their ISP or the like. > > > > Or in a few cases, like I have done in a few cases, > > and a deny from > > any to any for that chunk of the net... > > > > man login.conf for more info :) > > _______________________________________________ > > Following the advice from here: > http://isc.sans.org//diary.php?date=2004-09-11. > > What I did was to only allow access to one machine > through my firewall for the ssh connections (ipfw > limit). 2 per source address. > And, for that one machine, I changed the sshd port to > a different number. > I was getting the same brute force attacks but they > have dropped to nil since. > > I run my public sshd in a jail and close all other ports. I also delete every binary minus the tools needed to ssh into the host and other jails I have setup. I ssh to my jail ip's internally and nat ports as needed from the external. I am pretty secure even if they do gain access to the public sshd, and I think once they do if ever break into that, the box is fairly well still secure.
> > > > _______________________________ > Do you Yahoo!? > Declare Yourself - Register online to vote today! > http://vote.yahoo.com > _______________________________________________ > [EMAIL PROTECTED] mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-questions > To unsubscribe, send any mail to > "[EMAIL PROTECTED]" > _______________________________________________ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"