On 02/06/2008, at 9:36 PM, Darryl Barlow wrote:
> The compromise occurred over the Christmas/New Year period when I was
> interstate. The server had ssh access enabled via password entry and
> fell victim to a brute force password attack. Fortunately I had
> software installed which alerted me to the problems. ... (But I also
> noted with interest the recent bug in Debian systems when generating
> keys, which would have made even this method insecure on these boxes).

You rarely need to ssh into a box 120 times a minute, so I rate limit my
ssh connections to 2 a minute with iptables. This stops (dare I say) all
automated brute force attacks; when ssh starts timing out, the bots move
on. Won't stop a person, though it will slow them down to a crawl.

There are other things like fail2ban, using a non-standard port. Perhaps
blocking any IP that knocks on the standard port. But these measures will
only stop bots. If someone is determined, they will just change hosts/IPs
and continue the attack.

Michael Chesterton
http://chesterton.id.au/blog/
http://barrang.com.au/
--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
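
One way to get the 2-connections-a-minute limit described in the reply above, written as an `iptables-restore` fragment. This is an added example, not the poster's own rules; the `recent` match, the list name `SSH_RL`, port 22 and the rule positions are assumptions.

```iptables
# Constructed example. Load without flushing the existing ruleset:
#   iptables-restore --noflush < ssh-ratelimit.rules
# Assumptions: sshd listens on TCP 22, the xt_recent match is available,
# and SSH_RL is an arbitrary list name.
*filter

# Rule 1: record the source address of every NEW connection to sshd.
# No target is given, so the packet continues on to the next rule.
-I INPUT 1 -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --name SSH_RL --set

# Rule 2: drop when the source has 3 or more NEW packets in the last 60 s.
# The packet just recorded by rule 1 is included in the count, so
# --hitcount 3 lets 2 connections a minute through and drops the third.
# DROP (not REJECT) is what makes the client time out instead of getting
# an immediate refusal. Every attempt is recorded, dropped or not, so a
# client that keeps retrying stays blocked until it goes quiet.
-I INPUT 2 -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --name SSH_RL --update --seconds 60 --hitcount 3 -j DROP

# Packets that pass both rules fall through to the existing rules, which
# must still ACCEPT port 22. Established sessions are not NEW, so they are
# never counted. The list is keyed by source address, so each address gets
# its own allowance.
COMMIT
```

IPv6 traffic is filtered separately, so the same two rules need to be loaded through `ip6tables-restore` as well.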