First of all thanks for your replies, guys!
I'll try to answer all of you in one (longer) response:


Dave Jones wrote:
>
> Daniel complained about the sshd messages, not iptables messages.
>
> I fully agree that he should implement pub/priv key authentication, but
> even so, that will not prevent the flood of ssh messages in syslog.
>
> Adding an unlogged iptables DROP target rule for port 22 will suppress
> the messages, but not the attacks.
>
> The botnet / script kiddie morons are a pain in the (anatomy of choice).
>
> Cheers, Dave
>   

[OT Start]

Couldn't agree more with this. I bet most of those "hackers"
wouldn't know what to do even if they got the password. ;-)
Sometimes I need to log in to that machine from unpredictable IP addresses
and I don't have a memory stick with me all the time to keep my ssh key.
So, I use keyboard auth. with several extra security measures: only 1
non-root user with a very long name and password can log in. This user
gets "su - another-user" instead of a real shell and, as I said, I have a
script which checks every minute for auth. errors and blocks the
corresponding IP addresses. So, I would say brute force won't work.
Additionally I'll consider changing the default port as Mick advised.
As Darren stated there is a possibility for someone to make a DoS attack
on the tar pit system. AFAIK it works by exhausting the available
RAM+swap of the tar pit machine. In my case I'm experimenting with an
old box which serves no purpose, therefore I (almost) don't care even if
someone gets a root prompt there.

[OT End]


On the subject:

Dave,
The dedicated tar pit machine has kernel "2.6.19-gentoo-r5", arch="x86".
The patch applied OK as far as I can tell. I answered "y" only to
the "tarpit" patch. Additionally, such a target appeared in the kernel
config:
>grep tarpit -i .config
>CONFIG_IP_NF_TARGET_TARPIT=m

I admit I didn't do "svn update". I didn't do "make clean" or "make
mrproper" before patching either. Tomorrow I'll do the test again with
fresh sources and report what happened.

Bye and thanks again!

-- 
Best regards,
Daniel


-- 
gentoo-user@gentoo.org mailing list
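As an added illustration (not Daniel's script and not part of the thread), the following Python sketch does what his message describes: it scans sshd log lines for failed password attempts, counts them per source address, and renders the iptables DROP rules for port 22 that Dave mentions. The log lines, the threshold of 3 and the allowlist parameter are constructed assumptions for the example; the rules are returned as strings rather than executed so the script can be reviewed (and, in practice, run from cron with the list applied by a separate step).

```python
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample sshd log lines in syslog format (not taken from the thread).
SAMPLE_LOG = """\
Mar 12 10:01:02 tarpit sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 4022 ssh2
Mar 12 10:01:04 tarpit sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 4023 ssh2
Mar 12 10:01:05 tarpit sshd[2105]: Failed password for root from 203.0.113.5 port 4024 ssh2
Mar 12 10:01:07 tarpit sshd[2109]: Accepted keyboard-interactive/pam for longusername from 198.51.100.7 port 51000 ssh2
Mar 12 10:01:09 tarpit sshd[2112]: Failed password for invalid user test from 192.0.2.9 port 3300 ssh2
Mar 12 10:01:10 tarpit sshd[2112]: Invalid user test from 192.0.2.9
"""

# Matches both "Failed password for <user> from <ip>" and the "invalid user" variant.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port \d+"
)


def failed_logins(log_text):
    """Count failed sshd password attempts per source IP address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue
        try:
            # Normalise and validate the address; skip anything that is not an IP.
            ip = str(ip_address(m.group(1)))
        except ValueError:
            continue
        counts[ip] += 1
    return counts


def ips_to_block(counts, threshold=3, allowlist=()):
    """Addresses at or above the failure threshold, minus any allowlisted ones.

    The allowlist is for the operator's own addresses, so a typo in your own
    password does not lock you out of the box.
    """
    return sorted(
        ip for ip, n in counts.items() if n >= threshold and ip not in allowlist
    )


def iptables_commands(ips, chain="INPUT"):
    """Render (not execute) an unlogged DROP rule for port 22 per address.

    Inserting with -I puts the rule before any LOG rule in the chain, so the
    blocked attempts no longer show up in syslog.
    """
    return [f"iptables -I {chain} -s {ip} -p tcp --dport 22 -j DROP" for ip in ips]


if __name__ == "__main__":
    counts = failed_logins(SAMPLE_LOG)
    for ip, n in counts.most_common():
        print(f"{ip}: {n} failed attempts")
    for cmd in iptables_commands(ips_to_block(counts)):
        print(cmd)
```

Run against /var/log/auth.log (or wherever syslog puts sshd messages on the box) instead of SAMPLE_LOG; the threshold and allowlist are the two knobs worth tuning before letting the rules be applied automatically.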
