* Stephen R Laniel wrote on 31.10.05 at 18:08:
> As with a lot of other people, I've noticed lots of attacks
> on SSH recently. Just yesterday, my company got 1,611 failed
> ssh logins within an hour.
>
> Two questions, then -- one specific and one general:
>
> 1) What do y'all use to block attackers like this? It seems
>    to me that anyone who tries to login with a nonexistent
>    login name should be blocked immediately, for at least an
>    hour. Anyone who tries to login as an account like root,
>    and fails more than once, should be similarly blocked. I
>    can imagine encoding certain 'block policies', and
>    writing something based around hosts.deny that enforces
>    it. Is there an accepted "best practice" that works like
>    this?

If you handle login attempts to existent or nonexistent accounts
differently, one could find out what accounts do exist on a machine,
which might not be what you want. And think of users having a typo in
the username...

I am currently using a package called "denyhosts" to block IP
addresses with too many failed login attempts. IPs are blocked using
tcpwrappers (/etc/hosts.deny).

cheers
-Marc

--
+-O . . . o . . . O . . . o . . . O . . . ___ . . . O . . . o .-+
| A service of Links2Linux.de:           / o\   RPMs for SuSE   |
| --> PackMan! <-- more details at      | __|   and others      |
| http://packman.links2linux.de/ . . . O \__\ . . . O . . . O . |
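The approach described in the reply above, sketched as an added example (not part of the original post and not DenyHosts' own code): count failed SSH logins per source IP without distinguishing existing from nonexistent accounts, and emit tcpwrappers entries only past a threshold so a single typo does not lock anyone out. The log lines are constructed, the OpenSSH "Failed password" message format is assumed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample sshd log lines (documentation IP ranges, not real data).
SAMPLE_LOG = """\
Oct 31 17:02:11 host sshd[2101]: Failed password for invalid user admin from 192.0.2.10 port 40112 ssh2
Oct 31 17:02:13 host sshd[2103]: Failed password for root from 192.0.2.10 port 40120 ssh2
Oct 31 17:02:15 host sshd[2105]: Failed password for invalid user test from 192.0.2.10 port 40131 ssh2
Oct 31 17:03:40 host sshd[2110]: Failed password for alice from 198.51.100.7 port 51522 ssh2
Oct 31 17:03:52 host sshd[2112]: Accepted password for alice from 198.51.100.7 port 51530 ssh2
Oct 31 17:05:01 host sshd[2120]: Failed password for invalid user aliec from 203.0.113.5 port 33810 ssh2
Oct 31 17:05:09 host sshd[2122]: Failed password for invalid user x from 198.51.100.7 port 1 ssh2 from 203.0.113.5 port 33811 ssh2
"""

# The username is chosen by the client, so it can contain text that looks like
# "from <ip>". The greedy ".*" plus the end-of-line anchor makes the match take
# the LAST "from <ip> port <n> ssh2", which is the part sshd itself wrote.
# "invalid user" is optional and ignored: both cases are counted the same way.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?.*"
    r" from (\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

def failures_per_ip(log_text):
    """Return a Counter of failed password attempts keyed by source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        match = FAILED.search(line.rstrip())
        if match:
            counts[match.group(1)] += 1
    return counts

def hosts_deny_lines(log_text, threshold=3, allowlist=()):
    """Build /etc/hosts.deny entries for IPs at or above the failure threshold."""
    counts = failures_per_ip(log_text)
    return [
        f"sshd: {ip}"
        for ip, failures in sorted(counts.items())
        if failures >= threshold and ip not in allowlist
    ]

if __name__ == "__main__":
    for entry in hosts_deny_lines(SAMPLE_LOG):
        print(entry)
```

The last sample line carries a username containing a fake `from 198.51.100.7` fragment; the anchored pattern attributes that failure to 203.0.113.5, the address sshd actually logged.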