As with a lot of other people, I've noticed lots of attacks on SSH recently. Just yesterday, my company got 1,611 failed ssh logins within an hour. Two questions, then -- one specific and one general:

1) What do y'all use to block attackers like this? It seems to me that anyone who tries to log in with a nonexistent login name should be blocked immediately, for at least an hour. Anyone who tries to log in as an account like root, and fails more than once, should be similarly blocked. I can imagine encoding certain 'block policies', and writing something based around hosts.deny that enforces it. Is there an accepted "best practice" that works like this?

2) I've recently moved from administering small networks of Linux machines to administering a much larger load of them. I'm feeling kind of overwhelmed by the increased scale of my responsibilities, and the increased consequences if I mess something up. My sense is that when the network scales, one starts worrying about things like secure LDAP, preventing more determined attackers, putting /etc under source control, etc. And I wonder whether anyone's documented best practices for larger admin tasks such as these. Any pointers?

Thanks very much,
Steve

-- 
Stephen R. Laniel
steve@laniels.org
+(617) 308-5571
http://laniels.org/
PGP key: http://laniels.org/slaniel.key
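The block policy sketched in question 1 (block an address immediately for an hour when it tries a nonexistent user; block it after more than one failed root login), as an added example that is not part of the original post. It runs the two rules over constructed sshd log lines in the usual syslog format and renders the still-active blocks as hosts.deny entries. The log lines, the one-hour duration, the root-failure limit of 1 and the year used for the yearless syslog timestamps are assumptions for the illustration; the OpenSSH message formats matched ("Invalid user X from IP", "Failed password for [invalid user] X from IP port N ssh2") are the real ones.

```python
"""Evaluate an SSH block policy over sshd auth log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd lines for this example; not taken from anyone's real logs.
# 203.0.113.5 probes a nonexistent user, 198.51.100.9 fails as root twice,
# 192.0.2.7 is a real user who mistypes once and fails as root once, then logs in.
SAMPLE_LOG = """\
Mar  3 10:01:12 host sshd[1234]: Invalid user admin from 203.0.113.5
Mar  3 10:01:13 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 4422 ssh2
Mar  3 10:02:01 host sshd[1240]: Failed password for root from 198.51.100.9 port 5001 ssh2
Mar  3 10:02:04 host sshd[1241]: Failed password for root from 198.51.100.9 port 5002 ssh2
Mar  3 10:03:30 host sshd[1250]: Failed password for steve from 192.0.2.7 port 6000 ssh2
Mar  3 10:03:45 host sshd[1252]: Failed password for root from 192.0.2.7 port 6002 ssh2
Mar  3 10:04:00 host sshd[1251]: Accepted publickey for steve from 192.0.2.7 port 6001 ssh2
"""

# Policy knobs (assumed values for the example).
BLOCK_FOR = timedelta(hours=1)   # "at least an hour"
ROOT_FAIL_LIMIT = 1              # block once root failures exceed this ("more than once")
LOG_YEAR = 2024                  # syslog timestamps carry no year; assumed here

TS = r"(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d)"
INVALID_RE = re.compile(TS + r" \S+ sshd\[\d+\]: Invalid user (?P<user>\S*) from (?P<ip>\S+)")
FAILED_RE = re.compile(
    TS + r" \S+ sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse_ts(ts: str) -> datetime:
    """Parse a syslog timestamp such as 'Mar  3 10:01:12' using the assumed year."""
    return datetime.strptime(ts, "%b %d %H:%M:%S").replace(year=LOG_YEAR)


def evaluate(log_text: str) -> dict:
    """Return {ip: (reason, blocked_until)} after applying the two rules to every line."""
    root_fails = defaultdict(int)
    blocks = {}

    def block(ip: str, reason: str, when: datetime) -> None:
        until = when + BLOCK_FOR
        if ip not in blocks or blocks[ip][1] < until:   # keep the latest expiry
            blocks[ip] = (reason, until)

    for line in log_text.splitlines():
        m = INVALID_RE.search(line)
        if m:  # rule 1: a nonexistent login name is blocked on the first attempt
            block(m.group("ip"), "nonexistent user", parse_ts(m.group("ts")))
            continue
        m = FAILED_RE.search(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        ip, user, when = m.group("ip"), m.group("user"), parse_ts(m.group("ts"))
        if m.group("invalid"):
            block(ip, "nonexistent user", when)           # rule 1 again
        elif user == "root":
            root_fails[ip] += 1
            if root_fails[ip] > ROOT_FAIL_LIMIT:
                block(ip, "repeated root failures", when)  # rule 2
        # Failures for other existing users are not covered by the poster's policy.
    return blocks


def hosts_deny_lines(blocks: dict, now: datetime) -> list:
    """Render blocks still active at `now` as hosts.deny entries; expired ones drop out."""
    return [f"sshd: {ip}" for ip, (_, until) in sorted(blocks.items()) if until > now]


if __name__ == "__main__":
    result = evaluate(SAMPLE_LOG)
    for ip, (reason, until) in sorted(result.items()):
        print(f"{ip:15} {reason:25} until {until:%H:%M:%S}")
    print("\n".join(hosts_deny_lines(result, parse_ts("Mar  3 10:30:00"))))
```

Run against the sample, 203.0.113.5 and 198.51.100.9 are blocked while 192.0.2.7 is not, because its single root failure does not exceed the "more than once" limit; re-rendering after 11:01:13 drops the first entry. A real deployment would rewrite hosts.deny (or, on systems whose sshd no longer links against tcp_wrappers, a firewall rule set) from the active list on each pass, which is the pattern tools such as DenyHosts and fail2ban implement.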