Re: What to do about SSH brute force attempts?
Michael Tautschnig wrote:
since two days (approx.) I'm seeing an extremely high number of apparently
coordinated (well, at least they are trying the same list of usernames) brute
force attempts from IP addresses spread all over the world. I've got denyhosts
and an additional iptables based firewall solution in place to mitigate these
since quite some time already and this seems to do the trick in terms of
blocking them fairly quickly.
Theres not much you can do.
Obviously you need to be using
SSH Protocol 2,
latest openssh server,
strong passwords for uses.
Look at things like
MaxStartups 5:50:10 and decrease LoginGraceTime.
Personally I think you making a mistake of this statement of "I'm not a
huge fan of security by obscurity", its valid, but its too ignorance and
I changed my ssh to an alternate port and attempts in my logs are none.
Security is about layers and really and making it a little harder for
the guys thats just port scanning for port 22's and launching their attempt.
Hope you dont get hacked, cause I you do, think you will have more
explaining to do and more worry than some brute force attacker.
Anyway best of luck.
P.s. I dont recall you mentioning it, but look in to iptable's -m
recent. Works very well.