Re: Blocking SSH attackers
According to Phil Dyer,
> Stephen R Laniel said:
> > As with a lot of other people, I've noticed lots of attacks
> > on SSH recently. Just yesterday, my company got 1,611 failed
> > ssh logins within an hour.
> >
> > Two questions, then -- one specific and one general:
> >
> > 1) What do y'all use to block attackers like this? It seems
> > to me that anyone who tries to login with a nonexistent
> > login name should be blocked immediately, for at least an
> > hour. Anyone who tries to login as an account like root,
> > and fails more than once, should be similarly blocked. I
> > can imagine encoding certain 'block policies', and
> > writing something based around hosts.deny that enforces
> > it. Is there an accepted "best practice" that works like
> > this?
>
> I just recently started using iptables to do this. It's worked really
> well for me so far. See the debian-isp archive link below.
>
> http://lists.debian.org/debian-isp/2005/10/msg00051.html
I don't see any mechanism to limit the number of entries in
your blocked list... this would seem to increase your
vulnerability to a multi-source DOS attack.
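The block policy proposed in the quoted question, combined with the size limit asked about in the reply, as an added example that is not part of the original thread or of the linked iptables setup. The class name `BoundedBlockList`, the cap of 1000 entries and the two OpenSSH log message formats are assumptions; the code only decides which addresses to block and leaves enforcement (iptables, hosts.deny) to the caller.

```python
import re
from collections import OrderedDict

BLOCK_SECONDS = 3600   # "for at least an hour"
MAX_ENTRIES = 1000     # assumed cap on each table; tune to the host

# Anchored at both ends so text inside the user name is never read as the address.
INVALID_USER = re.compile(r"sshd\[\d+\]: Invalid user .* from (\S+)(?: port \d+)?$")
ROOT_FAILED = re.compile(r"sshd\[\d+\]: Failed password for root from (\S+) port \d+ ssh2$")


class BoundedBlockList:
    def __init__(self, max_entries=MAX_ENTRIES, ttl=BLOCK_SECONDS):
        self.max_entries, self.ttl = max_entries, ttl
        self.blocked = OrderedDict()        # ip -> expiry, oldest block first
        self.root_failures = OrderedDict()  # ip -> failed root logins seen

    def _trim(self, table):
        while len(table) > self.max_entries:
            table.popitem(last=False)       # evict the oldest entry

    def block(self, ip, now):
        self.blocked.pop(ip, None)          # re-blocking moves ip to the end
        self.blocked[ip] = now + self.ttl
        self.root_failures.pop(ip, None)
        self._trim(self.blocked)

    def is_blocked(self, ip, now):
        # ttl is constant, so insertion order is also expiry order
        while self.blocked and next(iter(self.blocked.values())) <= now:
            self.blocked.popitem(last=False)
        return ip in self.blocked

    def observe(self, line, now):
        """Apply the policy to one log line; return the newly blocked ip or None."""
        m = INVALID_USER.search(line)
        if m:                               # nonexistent login name: block at once
            self.block(m.group(1), now)
            return m.group(1)
        m = ROOT_FAILED.search(line)
        if m:
            ip = m.group(1)
            self.root_failures[ip] = self.root_failures.pop(ip, 0) + 1
            self._trim(self.root_failures)
            if self.root_failures[ip] > 1:  # root failed more than once
                self.block(ip, now)
                return ip
        return None
```

Both tables are capped, so memory stays bounded however many sources appear; the cost is that a large enough burst of new sources pushes the oldest blocks out before their hour is up.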