Re: Blocking SSH attackers



Hi,

I use denyhosts[1] with success. It adds the host to the file
/etc/hosts.deny after a specified number of login attempts (you can set
different numbers for normal users and for root).


[1] http://denyhosts.sourceforge.net/

-michael



Stephen R Laniel wrote:
As with a lot of other people, I've noticed lots of attacks
on SSH recently. Just yesterday, my company got 1,611 failed
ssh logins within an hour.

Two questions, then -- one specific and one general:

1) What do y'all use to block attackers like this? It seems
   to me that anyone who tries to login with a nonexistent
   login name should be blocked immediately, for at least an
   hour. Anyone who tries to login as an account like root,
   and fails more than once, should be similarly blocked. I
   can imagine encoding certain 'block policies', and
   writing something based around hosts.deny that enforces
   it. Is there an accepted "best practice" that works like
   this?

2) I've recently moved from administering small networks of
   Linux machines, to administering a much larger load of
   them. I'm feeling kind of overwhelmed by the increased
   scale of my responsibilities, and the increased
   consequences if I mess something up. My sense is that
   when the network scales, one starts worrying about things
   like secure LDAP, preventing more determined attackers,
   putting /etc under source control, etc. And I wonder
   whether anyone's documented best practices for larger
   admin tasks such as these. Any pointers?

Thanks very much,
Steve
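The block policy Steve sketches above (block at once on a nonexistent login name, block root after more than one failure) and the hosts.deny mechanism michael mentions, worked through as an added example; this is illustration code, not denyhosts' own, run over constructed sshd log lines, and the root_limit/normal_limit thresholds are assumed values:

```python
import re
from collections import defaultdict

# Constructed sample sshd syslog lines (documentation IP ranges), not from a real host.
SAMPLE_LOG = """\
Mar  3 10:01:12 host sshd[2101]: Failed password for invalid user admin from 192.0.2.10 port 40122 ssh2
Mar  3 10:01:15 host sshd[2102]: Failed password for root from 198.51.100.7 port 40130 ssh2
Mar  3 10:01:19 host sshd[2103]: Failed password for root from 198.51.100.7 port 40131 ssh2
Mar  3 10:01:22 host sshd[2104]: Failed password for alice from 203.0.113.5 port 40140 ssh2
Mar  3 10:01:30 host sshd[2105]: Accepted publickey for alice from 203.0.113.5 port 40141 ssh2
"""

# OpenSSH marks unknown accounts with "invalid user"; real users appear bare.
FAILED_RE = re.compile(
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

def failures_by_host(log_text):
    """Count failures per source IP in the three classes the policy distinguishes."""
    counts = defaultdict(lambda: {"invalid": 0, "root": 0, "normal": 0})
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        if m.group("invalid"):
            cls = "invalid"
        elif m.group("user") == "root":
            cls = "root"
        else:
            cls = "normal"
        counts[m.group("ip")][cls] += 1
    return counts

def hosts_to_block(log_text, root_limit=1, normal_limit=5):
    """Nonexistent user: block on the first failure. Root: block above root_limit.
    Normal users: block above normal_limit (assumed thresholds)."""
    blocked = set()
    for ip, c in failures_by_host(log_text).items():
        if c["invalid"] >= 1 or c["root"] > root_limit or c["normal"] > normal_limit:
            blocked.add(ip)
    return sorted(blocked)

def hosts_deny_lines(ips):
    """Render TCP Wrappers entries of the form 'sshd: IP' for /etc/hosts.deny."""
    return [f"sshd: {ip}" for ip in ips]

if __name__ == "__main__":
    print("\n".join(hosts_deny_lines(hosts_to_block(SAMPLE_LOG))))
```

Appending the rendered lines to /etc/hosts.deny is what denyhosts automates; here alice's single failure stays below the normal-user threshold and is not blocked.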