Re: What to do about SSH brute force attempts?

[Brent Clark <bclark@eccotours.biz>]

Michael Tautschnig wrote:
> Hi all,
>
> since two days (approx.) I'm seeing an extremely high number of apparently
> coordinated (well, at least they are trying the same list of usernames) brute
> force attempts from IP addresses spread all over the world. I've got denyhosts
> and an additional iptables based firewall solution in place to mitigate these
> since quite some time already and this seems to do the trick in terms of
> blocking them fairly quickly.
>
>   
Hi

Theres not much you can do.

Obviously you need to be using
SSH Protocol 2,
latest openssh server,
strong passwords for uses.

Look at things like
MaxStartups 5:50:10 and decrease LoginGraceTime.

Personally I think you making a mistake of this statement of "I'm not a 
huge fan of security by obscurity", its valid, but its too ignorance and 
naivety.
I changed my ssh to an alternate port and attempts in my logs are none.

Security is about layers and really and making it a little harder for 
the guys thats just port scanning for port 22's and launching their attempt.
Hope you dont get hacked, cause I you do, think you will  have more 
explaining to do and more worry than some brute force attacker.

Anyway best of luck.

Kind Regards
Brent Clark.

P.s. I dont recall you mentioning it, but look in to iptable's -m 
recent. Works very well.