> Yes, I see that on all our servers. Not much more than an annoyance unless
> you have stupidly obvious passwords, but annoying for sure. On customer
> servers that don't require access from everywhere and anywhere I just
> configure hosts.allow and hosts.deny to drop traffic from all but known
> addresses, but this is of course not an option for a webserver or whatever.
>
> There have been lots of discussions on various lists about handling these
> brute force ssh scripts, with various strategies for having iptables rules
> limit login attempts after three unsuccessful attempts, but I've seen as
> many "it didn't work for me" posts as "do it this way" and not being a
> firewall guru, I've sat on the fence so far.
>
> I think the problem with just blacklisting IPs is that the list will just
> grow and grow as these cretins move around all the time.
>
> Oh for a small incendiary device that could be targeted by IP address! ;-)

I want one of those too!!!

I realize that security experts cringe when I say this, but most of these
automated attacks are pretty stupid and you can make yourself invisible to
most of them by simply having ssh use a different port. I am not saying that
doing so gives you any more security than leaving ssh at port 22 - especially
against a determined cracker. You still need to apply appropriate security
safeguards like firewall rules, host allow settings, good passwords or better
yet password-less login, etc... But, it does significantly reduce the number
of random brute-force attacks that you see. I personally went from seeing 20
or so of these a day to not having seen one in weeks. Low hanging fruit and
all of that...

Josh
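
An added example, not part of the original messages: one way to measure the brute-force noise discussed in this thread is to count failed sshd logins per source address and flag any address reaching three failures inside a short window. The log lines are constructed samples in the usual OpenSSH syslog format, and the function name, threshold and window are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (documentation-range IPs), not taken from a real host.
SAMPLE_LOG = """\
Oct 12 03:14:01 web1 sshd[2101]: Failed password for root from 203.0.113.5 port 40112 ssh2
Oct 12 03:14:03 web1 sshd[2101]: Failed password for root from 203.0.113.5 port 40112 ssh2
Oct 12 03:14:06 web1 sshd[2104]: Failed password for invalid user admin from 203.0.113.5 port 40120 ssh2
Oct 12 03:20:10 web1 sshd[2150]: Failed password for josh from 198.51.100.7 port 51500 ssh2
Oct 12 03:20:19 web1 sshd[2150]: Accepted password for josh from 198.51.100.7 port 51500 ssh2
Oct 12 04:00:00 web1 sshd[2200]: Failed password for invalid user test from 192.0.2.44 port 33000 ssh2
Oct 12 09:30:00 web1 sshd[2300]: Failed password for invalid user guest from 192.0.2.44 port 33100 ssh2
Oct 12 15:45:00 web1 sshd[2400]: Failed password for invalid user oracle from 192.0.2.44 port 33200 ssh2
"""

# Matches both "Failed password for USER" and "Failed password for invalid user USER".
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"
)


def brute_force_sources(log_text, threshold=3, window_seconds=600, year=2024):
    """Return sorted IPs with >= threshold failed logins inside one time window."""
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            # Classic syslog timestamps carry no year, so one is supplied (assumption).
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            failures[m["ip"]].append(ts)
    flagged = set()
    for ip, times in failures.items():
        times.sort()
        # Slide over each run of `threshold` consecutive failures from this address.
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.add(ip)
                break
    return sorted(flagged)


if __name__ == "__main__":
    print("10-minute window:", brute_force_sources(SAMPLE_LOG))
    print("24-hour window:  ", brute_force_sources(SAMPLE_LOG, window_seconds=86400))
```

The third sample address spreads its attempts over hours, so it only shows up with the wider window; a short-window limit alone does not catch slow guessing.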