Re: What to do about SSH brute force attempts?
On Thu, 21 Aug 2008, Michael Tautschnig wrote:
> > * Use a firewall to prevent other IP addresses from connecting to your SSH
> > service. Restrict it to just yours (an iptables script is easy to find on
> > the web)
> Well, I should have added that my hosts must be world-wide accessible using
> password-based authentication, so this is no option.
In the long term, switch to key-based auth.
> I'm not a huge fan of security by obscurity, so I'd rather stick with 22 for
Switch to key-based auth. Brute-forcing the keys is much harder.
Meanwhile, you really should do something to reduce your attack surface, so
fail2ban and the like, plus non-standard ports are a damn good idea while
you implement the proper "fix" (drop passwords).
> What remains open is what one could do proactively. I don't really feel like
> striking back, but getting rid of the attackers would be kind of nice...
Strike against a botnet? That's a waste of effort, really, with very few
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot
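
An added example, not part of the original message and not fail2ban's own code: counting failed sshd password logins per source address inside a time window, the idea behind fail2ban's `maxretry` and `findtime` settings. The log lines, addresses, thresholds and the name `find_offenders` are constructed for illustration, and the log is assumed to be in chronological order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Greedy (.*) binds the address to the LAST " from ", so a crafted username
# containing " from <ip> port " cannot shift the count onto another address.
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(.*) from (\S+) port \d+ ssh2$"
)

# Constructed sample input (documentation address ranges, made-up users).
SAMPLE_LOG = """
Aug 21 10:15:01 host sshd[2101]: Failed password for root from 203.0.113.5 port 40022 ssh2
Aug 21 10:15:03 host sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 40022 ssh2
Aug 21 10:15:06 host sshd[2103]: Failed password for invalid user test from 203.0.113.5 port 40031 ssh2
Aug 21 10:16:00 host sshd[2110]: Accepted password for alice from 198.51.100.7 port 51515 ssh2
Aug 21 10:20:00 host sshd[2120]: Failed password for alice from 198.51.100.7 port 51600 ssh2
Aug 21 10:45:00 host sshd[2130]: Failed password for alice from 198.51.100.7 port 51700 ssh2
Aug 21 11:30:00 host sshd[2140]: Failed password for alice from 198.51.100.7 port 51800 ssh2
Aug 21 11:31:00 host sshd[2150]: Failed password for invalid user x from 192.0.2.1 port 1 from 203.0.113.9 port 40100 ssh2
"""

def find_offenders(lines, max_retry=3, find_time=timedelta(minutes=10), year=2008):
    """Return {ip: time of the failure that reached max_retry within find_time}."""
    recent = defaultdict(deque)  # ip -> failure times still inside the window
    offenders = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        stamp, _user, ip = m.groups()
        # Syslog timestamps carry no year, so one is assumed.
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        window = recent[ip]
        window.append(when)
        while when - window[0] > find_time:
            window.popleft()  # forget failures older than find_time
        if len(window) >= max_retry and ip not in offenders:
            offenders[ip] = when
    return offenders

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG.strip().splitlines()).items():
        print(f"{ip} reached the retry limit at {when}")
```

The user who mistypes a password three times over an hour stays under the threshold, while the burst from one address is flagged.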