[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: What to do about SSH brute force attempts?

On Sat, Aug 23, 2008 at 5:00 AM, Victor Ananjevsky <ananasik@gmail.com> wrote:
> В Thu, 21 Aug 2008 16:33:51 +0200
> Michael Tautschnig <mt@debian.org> пишет:
>> Further, what do you guys do about such attacks? Just sit back and
>> hope they don't get hold of any passwords? Any ideas are welcome...
> change port from 22 to 11111 or someone you like

But this could break you in places where SSH acess is allowed but
other ports not like in academia networks.
I have saw some ssh attempts also in other ports instead of 22 trying
to detect exactly this changing of port by the administrator.

I good option for this kind of attack IMHO is using cracklib in the
pam to not allow weak user's password. Also use the same tools from
the attackers against your password hash file in shadow/ldap/etc. If
the tool recovers the password in a short time the same could happen
from the attacker, so you could prevent this by disabling the user
until they change the password for a stronger one.
Schedule this to happen once or twice a month. This will cost you less
time than recovering from a cracked account.

> --
> wbr
> Victor "Ananas" Ananjevsky
> Registered Linus user #202480
> Jabber ID: ananas@jabber.kiev.ua
>           ananas@jabber.lafox.net

Reply to: