Stephen R Laniel said:
> As with a lot of other people, I've noticed lots of attacks
> on SSH recently. Just yesterday, my company got 1,611 failed
> ssh logins within an hour.
>
> Two questions, then -- one specific and one general:
>
> 1) What do y'all use to block attackers like this? It seems
> to me that anyone who tries to login with a nonexistent
> login name should be blocked immediately, for at least an
> hour. Anyone who tries to login as an account like root,
> and fails more than once, should be similarly blocked. I
> can imagine encoding certain 'block policies', and
> writing something based around hosts.deny that enforces
> it. Is there an accepted "best practice" that works like
> this?

I just recently started using iptables to do this. It's worked really well for me so far. See the debian-isp archive link below.

http://lists.debian.org/debian-isp/2005/10/msg00051.html

-- phil
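The block policy from the quoted question, sketched as an added example (not code from either poster or from the linked debian-isp thread): it reads sshd log lines, flags any address that tried a nonexistent login name and any address that failed as root more than once, and renders an iptables DROP rule for each. The log lines are constructed samples in OpenSSH's syslog format, the function names are hypothetical, and lifting a block after an hour is left to whatever schedules the script.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in OpenSSH's syslog format (not taken from the post).
SAMPLE_LOG = """\
Oct  3 10:00:01 host sshd[101]: Invalid user admin from 192.0.2.10
Oct  3 10:00:03 host sshd[102]: Failed password for invalid user admin from 192.0.2.10 port 4000 ssh2
Oct  3 10:00:05 host sshd[103]: Failed password for root from 198.51.100.7 port 4001 ssh2
Oct  3 10:00:09 host sshd[104]: Failed password for root from 198.51.100.7 port 4002 ssh2
Oct  3 10:00:12 host sshd[105]: Failed password for root from 203.0.113.5 port 4003 ssh2
Oct  3 10:00:15 host sshd[106]: Failed password for alice from 203.0.113.9 port 4004 ssh2
Oct  3 10:00:20 host sshd[107]: Accepted password for alice from 203.0.113.9 port 4005 ssh2
"""

# The login name is chosen by the remote side, so both patterns anchor on the
# end of the line and let the greedy (.*) absorb anything odd inside the name.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (invalid user )?(.*) from (\S+) port \d+ ssh2$")
INVALID = re.compile(r"sshd\[\d+\]: Invalid user (.*) from (\S+)(?: port \d+)?$")

def offenders(lines, privileged=("root",), max_privileged_failures=1):
    """Return {address: reason} under the policy in the quoted message."""
    blocked, priv_failures = {}, Counter()
    for line in lines:
        line = line.rstrip()
        m = INVALID.search(line)
        if m:  # nonexistent login name: block on first sight
            blocked.setdefault(m.group(2), "nonexistent login name")
            continue
        m = FAILED.search(line)
        if not m:
            continue
        invalid, user, ip = m.groups()
        if invalid:
            blocked.setdefault(ip, "nonexistent login name")
        elif user in privileged:  # root and similar: block after more than one failure
            priv_failures[ip] += 1
            if priv_failures[ip] > max_privileged_failures:
                blocked.setdefault(ip, f"repeated failures as {user}")
    return blocked

def iptables_commands(blocked):
    """Render one DROP rule per address; expiry after an hour is the caller's job."""
    cmds = []
    for ip, reason in sorted(blocked.items()):
        ipaddress.IPv4Address(ip)  # raises ValueError if the log field is not an IPv4 address
        cmds.append(f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP  # {reason}")
    return cmds

if __name__ == "__main__":
    print("\n".join(iptables_commands(offenders(SAMPLE_LOG.splitlines()))))
```

On the sample, the single root failure from 203.0.113.5 and the mistyped password for the real account alice do not trigger a block.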