Re: brute force ssh attempt mitigation

On Wed, Mar 31, 2010 at 7:21 AM, Christer Edwards
<christer edwards gmail com> wrote:
> I was reading through the Logwatch emails this morning (I know, I
> know, nobody is supposed to actually _read_ that stuff :D ), and I
> noticed ssh brute force attempts on just about every machine. I
> thought it'd be worth getting some discussion going regarding
> mitigating that. One example:
> ...[snip]...
>  Illegal users from:
> ( 423 times
> ...[snip]...
> I don't know what (or if) any discussion has happened in the past
> regarding this issue, but I always try to use denyhosts (or similar)
> on my public-facing machines. Is this something that we want to look
> into? Has it been discussed before? Pros? Cons?
> If the team is open to the idea I'd be happy to put it on my list.

It certainly is annoying, but ssh is configured to not allow password
authentication. All the bots are really doing is using up ssh
connections. Another thought might be to use iptables to ratelimit the
number of new connections to port 22 and just tarpit them. However
we'd have to be especially careful on as that could
really piss off rockstar contributors. Good attention to detail

Jeff Schroeder

Don't drink and derive, alcohol and analysis don't mix.

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]