
Re: howto block ssh brute-force



Not that safe, some of those scanners do a portscan first looking for SSH.

I use the old tried-and-true "know who you want accessing the machine" and add those people/IPs to hosts.allow, and deny everything else. Works like a charm, and just keep a public backdoor machine you can use to hop into your boxes from anywhere. I haven't had the slightest bit of noise in my logs for a while. :)

For cases where you have to provide SSH access to a random set of IPs, there are plenty of cute little iptables hacks that add rules dynamically based on how many login attempts in (x) seconds. That usually works against the bulk of bots. Google SSH Brute force script.

I don't use port knocking because it's just a bit too much magic + annoyance, and the auto-blockers mentioned above seem fine.

good luck,

_a

> I'm changing ssh port to some high random number. This is quite easy,
> safe and generally blocks all automatic ssh scanners, but of course will
> not close the issue in all cases.
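
The counting logic behind the "login attempts in (x) seconds" auto-blockers mentioned in the reply, as an added example that is not part of the original post or any particular script. The log layout, thresholds, allow-listed network and the function name `offenders` are assumptions made for illustration; the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample lines in the common OpenSSH/syslog layout (not from the post).
SAMPLE_LOG = """\
Jan 10 03:14:01 box sshd[901]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Jan 10 03:14:03 box sshd[903]: Failed password for root from 203.0.113.7 port 40114 ssh2
Jan 10 03:14:04 box sshd[904]: Failed password for alice from 192.0.2.10 port 51000 ssh2
Jan 10 03:14:06 box sshd[905]: Failed password for root from 203.0.113.7 port 40120 ssh2
Jan 10 03:14:09 box sshd[906]: Failed password for invalid user test from 203.0.113.7 port 40131 ssh2
Jan 10 03:20:00 box sshd[910]: Failed password for bob from 198.51.100.23 port 42000 ssh2
Jan 10 03:25:00 box sshd[911]: Failed password for bob from 198.51.100.23 port 42001 ssh2
Jan 10 03:30:00 box sshd[912]: Accepted publickey for alice from 192.0.2.10 port 51002 ssh2
"""

FAILED = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
                    r"Failed password for (?:invalid user )?\S+ from ([0-9a-fA-F:.]+) port \d+")

def offenders(log_text, max_attempts=3, window_seconds=60, allow=("192.0.2.0/24",)):
    """Return source IPs with more than max_attempts failures inside the window."""
    allowed = [ip_network(n) for n in allow]   # hypothetical "known people" list
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    blocked = []
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        # syslog omits the year; 2000 is an arbitrary placeholder for the arithmetic
        when = datetime.strptime("2000 " + m.group(1), "%Y %b %d %H:%M:%S")
        ip = ip_address(m.group(2))
        if any(ip in net for net in allowed):
            continue              # allow-listed hosts are never auto-blocked
        q = recent[ip]
        q.append(when)
        while when - q[0] > timedelta(seconds=window_seconds):
            q.popleft()           # forget failures older than the window
        if len(q) > max_attempts and str(ip) not in blocked:
            blocked.append(str(ip))
    return blocked

if __name__ == "__main__":
    for ip in offenders(SAMPLE_LOG):
        print("would block", ip)
```

Skipping allow-listed sources before counting keeps a mistyped password from a known host from locking that host out.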
