Re: blacklisting failed ssh attempts
Josh Paetzel said:

> This may or may not help you, but I generally firewall ssh so that only known addresses can get in. (whitelisting as opposed to blacklisting)

Thanks for the tip. We actually do this on some of our servers, but this is a web server that we need to get to quickly should it stop working. It's looking like I might just put ssh on a non-standard port and think about an IDS if these kinds of attacks continue.

--
Charles Ulrich
Ideal Solution, LLC - http://www.idealso.com

___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
blacklisting failed ssh attempts
This morning I noticed that an attacker spent over a full hour trying to brute-force accounts and passwords via ssh on one of our machines. These kinds of attacks are becoming more frequent. I was wondering: does anyone know of a way to blacklist a certain IP (ideally, just for a certain time period) after a certain number of failed login attempts via ssh? I could change the port that sshd listens on, but I'd rather find a better solution, one that isn't just another layer of obscurity.

Thanks!

--
Charles Ulrich
Ideal Solution, LLC - http://www.idealso.com
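The time-limited, per-address blacklist asked about in the post above, as an added example (not code from any poster in this thread): it scans sshd log lines for failed logins and plans a block that expires after a fixed period once an address reaches a threshold inside a sliding window. The log lines are constructed samples in syslog format, and the function name, thresholds and `year` argument are assumptions; applying the plan to a firewall is left out.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in syslog/sshd format; addresses are documentation ranges.
SAMPLE_LOG = """\
Dec  1 08:00:01 web1 sshd[411]: Failed password for root from 192.0.2.10 port 4011 ssh2
Dec  1 08:00:04 web1 sshd[412]: Failed password for illegal user admin from 192.0.2.10 port 4012 ssh2
Dec  1 08:00:09 web1 sshd[413]: Failed password for root from 192.0.2.10 port 4013 ssh2
Dec  1 08:00:12 web1 sshd[414]: Failed password for root from 192.0.2.10 port 4014 ssh2
Dec  1 08:02:00 web1 sshd[420]: Failed password for alice from 198.51.100.7 port 5100 ssh2
Dec  1 08:03:00 web1 sshd[421]: Accepted password for alice from 198.51.100.7 port 5101 ssh2
Dec  1 08:30:00 web1 sshd[430]: Failed password for alice from 198.51.100.7 port 5102 ssh2
"""

# Syslog timestamps carry no year, so the caller supplies one (assumption).
# Greedy user match + end anchor: the address comes from the tail sshd wrote.
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:(?:invalid|illegal) user )?.* from (\S+) port \d+(?: ssh2)?$"
)

def plan_blocks(lines, year=2004, max_failures=3,
                window=timedelta(minutes=5), ban=timedelta(hours=1)):
    """Return [(ip, blocked_at, expires_at)] for IPs reaching max_failures in window."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    banned_until = {}             # ip -> expiry of the current block
    blocks = []
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue              # successes and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        if ts < banned_until.get(ip, datetime.min):
            continue              # still blocked; nothing new to decide
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window: # drop failures older than the window
            q.popleft()
        if len(q) >= max_failures:
            banned_until[ip] = ts + ban
            blocks.append((ip, ts, ts + ban))
            q.clear()             # count afresh once the block expires
    return blocks

if __name__ == "__main__":
    for ip, start, end in plan_blocks(SAMPLE_LOG.splitlines()):
        print(f"block {ip} from {start} until {end}")
```

Because each entry carries its own expiry, whatever applies the plan can remove the block at `expires_at` instead of accumulating permanent entries.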
Re: blacklisting failed ssh attempts
On Wednesday 01 December 2004 17:41, you wrote:

> This morning I noticed that an attacker spent over a full hour trying to brute-force accounts and passwords via ssh on one of our machines. These kinds of attacks are becoming more frequent. I was wondering: does anyone know of a way to blacklist a certain IP (ideally, just for a certain time period) after a certain number of failed login attempts via ssh? I could change the port that sshd listens on, but I'd rather find a better solution, one that isn't just another layer of obscurity.
>
> Thanks!

This may or may not help you, but I generally firewall ssh so that only known addresses can get in. (whitelisting as opposed to blacklisting)

--
Thanks,
Josh Paetzel
Re: blacklisting failed ssh attempts
On Dec 1, 2004, at 09:41, Charles Ulrich wrote:

> This morning I noticed that an attacker spent over a full hour trying to brute-force accounts and passwords via ssh on one of our machines. These kinds of attacks are becoming more frequent. I was wondering: does anyone know of a way to blacklist a certain IP (ideally, just for a certain time period) after a certain number of failed login attempts via ssh? I could change the port that sshd listens on, but I'd rather find a better solution, one that isn't just another layer of obscurity.

I tried null routing their addresses and that stops that address. However, a day or so later they are back from a different address. After a couple months of this I changed the ports. It's a real pain.
RE: blacklisting failed ssh attempts
Charles,

This shouldn't bother you unless you're in the habit of using guessable passwords.

However, if you can't let it go, I suggest you run sshd with the -i option, out of inetd. Of course you need a fast machine so that the server key is generated in a second or so (or lower your key length). Then replace inetd with xinetd and set up all the DoS stuff on that.

Ted

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Charles Ulrich
Sent: Wednesday, December 01, 2004 9:42 AM
To: [EMAIL PROTECTED]
Subject: blacklisting failed ssh attempts

> This morning I noticed that an attacker spent over a full hour trying to brute-force accounts and passwords via ssh on one of our machines. These kinds of attacks are becoming more frequent. I was wondering: does anyone know of a way to blacklist a certain IP (ideally, just for a certain time period) after a certain number of failed login attempts via ssh? I could change the port that sshd listens on, but I'd rather find a better solution, one that isn't just another layer of obscurity.
>
> Thanks!
>
> --
> Charles Ulrich
> Ideal Solution, LLC - http://www.idealso.com