Re: brute force ssh attempt mitigation



On Wed, Mar 31, 2010 at 7:21 AM, Christer Edwards
<christer edwards gmail com> wrote:
> I was reading through the Logwatch emails this morning (I know, I
> know, nobody is supposed to actually _read_ that stuff :D ), and I
> noticed ssh brute force attempts on just about every machine. I
> thought it'd be worth getting some discussion going regarding
> mitigating that. One example:
>
> ...[snip]...
>  Illegal users from:
>   71.43.151.229 (rrcs-71-43-151-229.se.biz.rr.com): 423 times
> ...[snip]...
>
> I don't know what (or if) any discussion has happened in the past
> regarding this issue, but I always try to use denyhosts (or similar)
> on my public-facing machines. Is this something that we want to look
> into? Has it been discussed before? Pros? Cons?
>
> If the team is open to the idea I'd be happy to put it on my list.

It certainly is annoying, but ssh is configured to not allow password
authentication. All the bots are really doing is using up ssh
connections. Another thought might be to use iptables to rate-limit the
number of new connections to port 22 and just tarpit them. However,
we'd have to be especially careful on git.gnome.org as that could
really piss off rockstar contributors. Good attention to detail,
however.

-- 
Jeff Schroeder

Don't drink and derive, alcohol and analysis don't mix.
http://www.digitalprognosis.com
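
The trade-off raised in the reply above, as an added example that is not part of the original message or of GNOME's configuration: a replay of a per-source limit on new port 22 connections over constructed traffic. The 4-per-60-seconds threshold, the documentation-range addresses and the traffic patterns are all assumptions.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60  # assumed threshold, not from the thread
MAX_NEW_CONNS = 4    # assumed threshold, not from the thread

def apply_rate_limit(events, window=WINDOW_SECONDS, limit=MAX_NEW_CONNS):
    """Replay (timestamp, source_ip) new-connection events in time order.

    Returns {ip: {"accepted": n, "dropped": m}}. Dropped attempts still
    count toward the window, so a source that keeps hammering stays limited.
    """
    seen = defaultdict(deque)
    stats = defaultdict(lambda: {"accepted": 0, "dropped": 0})
    for ts, ip in sorted(events):
        q = seen[ip]
        while q and ts - q[0] >= window:  # forget attempts older than the window
            q.popleft()
        verdict = "dropped" if len(q) >= limit else "accepted"
        stats[ip][verdict] += 1
        q.append(ts)
    return dict(stats)

# Constructed traffic (documentation addresses, not real hosts).
BOT = "203.0.113.7"            # one connection attempt per second
CONTRIBUTOR = "198.51.100.20"  # six git-over-ssh operations, 5 s apart
ADMIN = "192.0.2.5"            # two interactive logins, 10 min apart

def sample_events():
    events = [(t, BOT) for t in range(423)]
    events += [(100 + 5 * i, CONTRIBUTOR) for i in range(6)]
    events += [(50, ADMIN), (650, ADMIN)]
    return events

if __name__ == "__main__":
    for ip, s in sorted(apply_rate_limit(sample_events()).items()):
        print(f"{ip:15} accepted={s['accepted']:3} dropped={s['dropped']:3}")
```

The same rule that cuts the scanner off after four connections also drops two of the contributor's six quick git operations, which is the git.gnome.org concern in the reply.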

