> Yes, I see that on all our servers. Not much more than an annoyance unless
> you have stupidly obvious passwords, but annoying for sure. On customer
> servers that don't require access from everywhere and anywhere I just
> configure hosts.allow and hosts.deny to drop traffic from all but known
> addresses, but this is of course not an option for a webserver or whatever.
>
> There have been lots of discussions on various lists about handling these
> brute force ssh scripts, with various strategies for having iptables rules
> limit login attempts after three unsuccessful attempts, but I've seen as
> many "it didn't work for me" posts as "do it this way" and not being a
> firewall guru, I've sat on the fence so far.
>
> I think the problem with just blacklisting IPs is that the list will just
> grow and grow as these cretins move around all the time.
>
> Oh for a small incendiary device that could be targeted by IP address! ;-)
I want one of those too!!!

I realize that security experts cringe when I say this, but most of these automated attacks are pretty stupid and you can make yourself invisible to most of them by simply having ssh use a different port. I am not saying that doing so gives you any more security than leaving ssh at port 22 - especially against a determined cracker. You still need to apply appropriate security safeguards like firewall rules, host allow settings, good passwords or better yet password-less login, etc... But, it does significantly reduce the number of random brute-force attacks that you see. I personally went from seeing 20 or so of these a day to not having seen one in weeks. Low hanging fruit and all of that...

Josh
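An added example, not from either poster: a small Python script that applies the "three unsuccessful attempts" rule discussed above to sshd log lines, counting failed logins per source address and rendering hosts.deny entries for an admin to review before use. The log lines and the addresses in them are constructed (documentation ranges), not real traffic.

```python
import re
from collections import Counter, defaultdict

# Constructed sample auth-log lines (not from the thread); addresses are
# documentation-range placeholders, not real sources.
SAMPLE_LOG = """\
Mar  3 04:12:01 host sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 04:12:03 host sshd[2101]: Failed password for invalid user test from 203.0.113.7 port 51240 ssh2
Mar  3 04:12:05 host sshd[2104]: Failed password for root from 203.0.113.7 port 51251 ssh2
Mar  3 04:12:08 host sshd[2107]: Failed password for invalid user oracle from 203.0.113.7 port 51260 ssh2
Mar  3 04:15:22 host sshd[2150]: Failed password for josh from 198.51.100.4 port 40012 ssh2
Mar  3 04:15:30 host sshd[2150]: Accepted publickey for josh from 198.51.100.4 port 40012 ssh2
Mar  3 04:20:00 host sshd[2201]: Failed password for invalid user guest from 192.0.2.9 port 33001 ssh2
Mar  3 04:20:02 host sshd[2201]: Failed password for invalid user guest from 192.0.2.9 port 33002 ssh2
Mar  3 04:20:04 host sshd[2201]: Failed password for invalid user guest from 192.0.2.9 port 33003 ssh2
"""

# Matches OpenSSH's "Failed password" line for both valid and invalid users.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def count_failures(log_text):
    """Return {ip: (failure_count, set_of_usernames_tried)} from sshd log text."""
    counts = Counter()
    users = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
            users[m.group("ip")].add(m.group("user"))
    return {ip: (n, users[ip]) for ip, n in counts.items()}


def offenders(log_text, threshold=3):
    """Sorted IPs with at least `threshold` failed logins (the thread's three-attempt rule)."""
    return sorted(ip for ip, (n, _) in count_failures(log_text).items() if n >= threshold)


def hosts_deny_lines(ips):
    """Render TCP-wrappers hosts.deny entries for sshd; an admin reviews them before use."""
    return ["sshd: %s" % ip for ip in ips]


if __name__ == "__main__":
    stats = count_failures(SAMPLE_LOG)
    bad = offenders(SAMPLE_LOG)
    for ip in bad:
        n, names = stats[ip]
        print("%s: %d failures, users tried: %s" % (ip, n, ", ".join(sorted(names))))
    print("\n".join(hosts_deny_lines(bad)))
```

A single failure from a legitimate user (198.51.100.4 above) stays below the threshold, which is the point of counting per source rather than blocking on the first failure.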