Re: Blocking SSH attackers
On Tue, Nov 01, 2005 at 01:28:57AM +0800, Shane Chrisp wrote:
> On Mon, 2005-10-31 at 12:08 -0500, Stephen R Laniel wrote:
> > As with a lot of other people, I've noticed lots of attacks
> > on SSH recently. Just yesterday, my company got 1,611 failed
> > ssh logins within an hour.
>
> How about just using tcpwrappers and allowing only the blocks you know
> need access. Even restricting to a few /16's will almost stop the bulk
> of the attempts.
>
Agreed. Swtiching from a 'deny some' to a 'deny all, allow some' mindset
is oft difficult as well as actually getting used to it. Users will
balk. You _will_ experience inconvenience. Proper planning will help
alleviate that.
If you travel frequently, it'll be more annoying and require some more
forethought.
Having been through this change myself, I can tell you how badly it
sucks and how much bitching you'll get from your users. It also
increases maintenance needs for making sure your users update their host
lists.
In the long run, I recommend it if you can do it. The security is worth
the pain.
j
--
==================================================
+ It's simply not | John Keimel +
+ RFC1149 compliant! | john@keimel.com +
+ | http://www.keimel.com +
==================================================
Reply to: