Re: Blocking SSH attackers

[Tony Godshall <togo@of.net>]

According to Phil Dyer,
> Stephen R Laniel said:
> > As with a lot of other people, I've noticed lots of attacks
> > on SSH recently. Just yesterday, my company got 1,611 failed
> > ssh logins within an hour.
> > 
> > Two questions, then -- one specific and one general:
> > 
> > 1) What do y'all use to block attackers like this? It seems
> >    to me that anyone who tries to login with a nonexistent
> >    login name should be blocked immediately, for at least an
> >    hour. Anyone who tries to login as an account like root,
> >    and fails more than once, should be similarly blocked. I
> >    can imagine encoding certain 'block policies', and
> >    writing something based around hosts.deny that enforces
> >    it. Is there an accepted "best practice" that works like
> >    this?
> 
> I just recently started using iptables to do this. It's worked really
> well for me so far. See the debian-isp archive link below.
> 
> http://lists.debian.org/debian-isp/2005/10/msg00051.html

I don't see any mechanism to limit the number of entries in
your blocked list... this would seem to increase your 
vulnerability to a multi-source DOS attack.