| 1 |
> Yes, I see that on all our servers. Not much more than an annoyance unless |
| 2 |
> you have stupidly obvious passwords, but annoying for sure. On customer |
| 3 |
> servers that don't require access from the everywhere and anywhere I just |
| 4 |
> configure hosts.allow and hosts.deny to drop traffic from all but known |
| 5 |
> addresses, but this is of course not an option for a webserver or whatever. |
| 6 |
> |
| 7 |
> There have been lots of discussions on various lists about handling these |
| 8 |
> brute force ssh scripts, with various strategies for having iptables rules |
| 9 |
> limit login attempts after three unsuccessful attempts, but I've seen as |
| 10 |
> many "it didn't work for me" posts as "do it this way" and not being a |
| 11 |
> firewall guru, I've sat on the fence so far. |
| 12 |
> |
| 13 |
> I think the problem with just blacklisting IPs is that the list will just |
| 14 |
> grow and grow as these cretins move around all the time. |
| 15 |
> |
| 16 |
> Oh for a small incendiary device that could be targeted by IP address! ;-) |
| 17 |
|
| 18 |
I want one of those too!!! |
| 19 |
|
| 20 |
I realize that security experts cringe when I say this, but most of these |
| 21 |
automated attacks are pretty stupid and you can make yourself invisible to |
| 22 |
most of them by simply having ssh use a different port. I am not saying that |
| 23 |
doing so gives you any more security than leaving ssh at port 22 - especially |
| 24 |
against a determined cracker. You still need to apply appropriate security |
| 25 |
safeguards like firewall rules, host allow settings, good passwords or better |
| 26 |
yet password-less login, etc... But, it does significantly reduce the number |
| 27 |
of random brute-force attacks that you see. I personally went from seeing 20 |
| 28 |
or so of these a day to not having seen one in weeks. Low hanging fruit and |
| 29 |
all of that... |
| 30 |
|
| 31 |
Josh |
Archives