As with a lot of other people, I've noticed lots of attacks
on SSH recently. Just yesterday, my company got 1,611 failed
ssh logins within an hour.
Two questions, then -- one specific and one general:
1) What do y'all use to block attackers like this? It seems
to me that anyone who tries to log in with a nonexistent
login name should be blocked immediately, for at least an
hour. Anyone who tries to log in as an account like root,
and fails more than once, should be similarly blocked. I
can imagine encoding certain 'block policies', and
writing something based around hosts.deny that enforces
it. Is there an accepted "best practice" that works like
this?
2) I've recently moved from administering small networks of
Linux machines, to administering a much larger load of
them. I'm feeling kind of overwhelmed by the increased
scale of my responsibilities, and the increased
consequences if I mess something up. My sense is that
when the network scales, one starts worrying about things
like secure LDAP, preventing more determined attackers,
putting /etc under source control, etc. And I wonder
whether anyone's documented best practices for larger
admin tasks such as these. Any pointers?
Thanks very much,
Steve
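One way to express the block policy sketched in the first question, as an added example that is not part of the original post: a small Python script that reads sshd syslog lines, applies the two rules (any attempt against a nonexistent account blocks the source immediately for an hour; a second failure against root blocks it as well) and renders the result as hosts.deny entries. The sample log lines are constructed, the hosts.deny daemon name `sshd`, the one-hour duration and the `year` parameter (syslog timestamps carry no year) are assumptions, and expiring entries from the real file is left to whatever runs this periodically.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd log lines in syslog format; not from any real host.
SAMPLE_AUTH_LOG = """\
Jan  5 10:00:01 bastion sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 41022 ssh2
Jan  5 10:00:03 bastion sshd[1202]: Failed password for root from 203.0.113.6 port 41023 ssh2
Jan  5 10:00:04 bastion sshd[1203]: Accepted publickey for steve from 198.51.100.7 port 51000 ssh2
Jan  5 10:00:09 bastion sshd[1204]: Failed password for root from 203.0.113.6 port 41024 ssh2
Jan  5 10:00:11 bastion sshd[1205]: Failed password for steve from 198.51.100.8 port 51001 ssh2
"""

# Matches OpenSSH "Failed password" lines; the optional "invalid user " marker
# is what distinguishes a nonexistent account from a real one.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

BLOCK_DURATION = timedelta(hours=1)   # assumed block length
ROOT_FAILURE_LIMIT = 1                # root may fail once; the next failure blocks


def parse_timestamp(ts, year):
    """Syslog timestamps have no year, so the caller supplies one."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def evaluate_policy(log_text, year=2024):
    """Return {source_ip: block_until} for every source that trips a rule."""
    blocks = {}
    root_failures = defaultdict(int)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated messages are not counted
        ip = m.group("ip")
        when = parse_timestamp(m.group("ts"), year)
        if m.group("invalid"):
            # Rule 1: a nonexistent login name blocks the source immediately.
            blocks[ip] = max(blocks.get(ip, datetime.min), when + BLOCK_DURATION)
        elif m.group("user") == "root":
            # Rule 2: more than one failure against root blocks the source.
            root_failures[ip] += 1
            if root_failures[ip] > ROOT_FAILURE_LIMIT:
                blocks[ip] = max(blocks.get(ip, datetime.min), when + BLOCK_DURATION)
        # Failures against ordinary existing accounts are left alone here.
    return blocks


def active_blocks(blocks, now):
    """Drop entries whose block window has already passed."""
    return {ip: until for ip, until in blocks.items() if until > now}


def hosts_deny_lines(blocks):
    """Render entries in hosts.deny 'daemon: client' syntax, sorted for stable output."""
    return [f"sshd: {ip}" for ip in sorted(blocks)]


if __name__ == "__main__":
    result = evaluate_policy(SAMPLE_AUTH_LOG)
    for entry in hosts_deny_lines(result):
        print(entry)
```

The script only produces candidate lines; something still has to merge them into /etc/hosts.deny and remove them once `active_blocks` no longer lists the address. Note also that hosts.deny only has an effect when sshd was built against libwrap, so the same rule set can be driven into a firewall rule instead where that is not the case.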