Stirling Westrup wrote:

> Lately I've been noticing a large number of dictionary attacks against
> my ssh port. That port is DNAT'ed to an internal webserver that hosts a
> number of domains. The owners of those domains regularly login via ssh
> to work on their sites.
>
> My LEAF box (an old 486 machine) sees the incoming ssh connection
> attempts and routes them to the webserver, which rejects them for having
> bad passwords.
>
> So, what is the best recommended defense? Ideally, I would like to find
> something like portsentry that could sit on the LEAF box, see the
> excessive connections from one address and automatically drop it into my
> shorewall blacklist. However, I'm not sure how to go about doing this,
> or what LEAF tools are available. Any recommendations?
There are two parallel lines of defense:

a) Configure sshd to only accept shared rsa keys for authentication. That way, dictionary attacks can *never* succeed.

b) Use the 'Limit' Shorewall action to shut off ssh connection requests from persistent unsuccessful clients (see http://www.shorewall.net/PortKnocking.html).

-Tom
--
Tom Eastep                  \ Nothing is foolproof to a sufficiently talented fool
Shoreline,                  \ http://shorewall.net
Washington USA              \ [EMAIL PROTECTED]
PGP Public Key              \ https://lists.shorewall.net/teastep.pgp.key
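The two measures above, written out as configuration fragments (an added illustration, not from the original thread or the Shorewall project). The sshd_config keywords are standard OpenSSH; the Limit rule follows the `Limit:<loglevel>:<tag>,<count>,<seconds>` form described on the referenced PortKnocking page and assumes a Shorewall release that provides the Limit action, and the log level, tag name and rate are assumed values to adjust.

```conf
# --- (a) sshd_config on the internal webserver ---
# Weak (typical default the dictionary attacks are counting on):
#   PasswordAuthentication yes
#   ChallengeResponseAuthentication yes
#
# Hardened: only public-key authentication is accepted, so a guessed
# password can never log in. Leave a working key in place and test from a
# second session before restarting sshd, or you lock the site owners out.
Protocol 2
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no

# --- (b) Shorewall rules file on the LEAF box ---
# Before: every ssh connection from the Internet is forwarded unconditionally.
#ACTION   SOURCE   DEST          PROTO   DEST PORT(S)
#DNAT     net      loc:10.0.0.2  tcp     22
#
# After: the Limit action (assumed tag SSHA, log level info) allows at most
# 3 new connections per source address in any 60-second window; a client
# exceeding that is dropped and logged until the window expires.
#ACTION               SOURCE   DEST          PROTO   DEST PORT(S)
Limit:info:SSHA,3,60  net      loc:10.0.0.2  tcp     22
DNAT                  net      loc:10.0.0.2  tcp     22
```

The rate limit does not make password guessing impossible, it only slows it; (a) is the control that actually removes the attack class, and (b) keeps the noise off the webserver's logs.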