Paul Hartman wrote:
On Wed, Dec 3, 2008 at 2:16 PM, Nikos Chantziaras <[EMAIL PROTECTED]> wrote:
Steve wrote:
[...]
Sure, I could use IPtables to block all these bad ports... or... I could
disable password authentication entirely... but I keep thinking that
there has to be something better I can do... any suggestions?
I'm using DenyHosts to battle this. It adds the IPs to /etc/hosts.deny
after a configurable amount of failed logins. It even downloads an online
list of IPs where attacks originate from and uploads attacks to your box to
this list too (if you allow it in the configuration).
After I installed this, no more brute-forcing :) I used to have thousands
per day.
http://www.denyhosts.net
It's in portage.
The big botnet attacks are doing no more than 2 login attempts per IP,
making stuff like denyhosts hard to use (unless you set it to ban
after 1 login attempt, but that'll catch real users who make a typo)
In that case, changing the SSH port to something unlikely (I use one
above 30000) should be sufficient :P
