
Re: What to do about SSH brute force attempts?



Hi,

* Use a firewall to prevent other IP addresses from connecting to your ssh
service. Restrict it to just yours (an iptables script can be easy to find
on the web).
* Use Fail2ban, which can ban on ssh auth failures and create iptables rules
(Google can help your search about fail2ban).
* Third, use a non-standard ssh port (for example 2222).

apt-get install fail2ban

Have a nice day,

Greg

> Hi all,
>
> Since two days (approx.) I'm seeing an extremely high number of apparently
> coordinated (well, at least they are trying the same list of usernames)
> brute force attempts from IP addresses spread all over the world. I've got
> denyhosts and an additional iptables based firewall solution in place to
> mitigate these since quite some time already and this seems to do the
> trick in terms of blocking them fairly quickly.
>
> Nevertheless, I'd like to do something about it more proactively, so I
> also contact the abuse mailboxes as obtained from whois. From time to time
> I do even see responses stating that countermeasures have been taken. In
> the current case, however, there rather seems to be a need for some more
> coordinated action instead of contacting the ISPs for each single IP --
> this host might get blocked/shut down, but there is little hope of a more
> thorough investigation, trying to get closer to the root of these attacks.
>
> Well, probably I'm pretty naive in hoping that one could do anything about
> that at all, but maybe some of you are more experienced in security
> issues/dealing with CERTs, etc. and have some ideas what could be done.
>
> Further, what do you guys do about such attacks? Just sit back and hope
> they don't get hold of any passwords? Any ideas are welcome...
>
> Thanks,
> Michael
>
>
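An added example, not part of either message: a Python sketch that reads sshd "Failed password" lines, lists the addresses a per-IP retry limit (the kind of rule Fail2ban applies) would ban, and separately groups addresses that tried the same list of usernames, which is the coordinated pattern described in the quoted message. The log lines, thresholds and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample sshd lines using documentation IP ranges (not from the thread).
SAMPLE_LOG = """\
Jan 10 03:12:01 host sshd[2101]: Failed password for invalid user admin from 192.0.2.10 port 40122 ssh2
Jan 10 03:12:09 host sshd[2103]: Failed password for invalid user oracle from 192.0.2.10 port 40130 ssh2
Jan 10 03:12:15 host sshd[2107]: Failed password for invalid user admin from 198.51.100.7 port 51544 ssh2
Jan 10 03:12:21 host sshd[2109]: Failed password for invalid user oracle from 198.51.100.7 port 51560 ssh2
Jan 10 03:12:30 host sshd[2112]: Failed password for invalid user oracle from 203.0.113.5 port 33810 ssh2
Jan 10 03:12:38 host sshd[2114]: Failed password for invalid user admin from 203.0.113.5 port 33822 ssh2
Jan 10 03:13:02 host sshd[2120]: Failed password for root from 198.51.100.99 port 60001 ssh2
Jan 10 03:13:05 host sshd[2121]: Failed password for root from 198.51.100.99 port 60004 ssh2
Jan 10 03:13:09 host sshd[2122]: Failed password for root from 198.51.100.99 port 60009 ssh2
Jan 10 03:14:00 host sshd[2130]: Accepted publickey for michael from 192.0.2.200 port 50022 ssh2
"""

FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def parse_failures(log_text):
    """Return {ip: [usernames tried, in log order]} for failed password lines."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            attempts[m.group("ip")].append(m.group("user"))
    return dict(attempts)

def over_threshold(attempts, max_retry=3):
    """IPs that a per-address failure limit would ban."""
    return sorted(ip for ip, users in attempts.items() if len(users) >= max_retry)

def coordinated_groups(attempts, min_ips=2, min_users=2):
    """Group IPs that tried the identical set of usernames."""
    groups = defaultdict(list)
    for ip, users in attempts.items():
        names = frozenset(users)
        if len(names) >= min_users:  # a single name such as root is too common to link hosts
            groups[names].append(ip)
    return {tuple(sorted(k)): sorted(v) for k, v in groups.items() if len(v) >= min_ips}

if __name__ == "__main__":
    found = parse_failures(SAMPLE_LOG)
    print("per-IP limit would ban:", over_threshold(found))
    print("shared username lists:", coordinated_groups(found))
```

In the sample, the three addresses sharing a username list each stay below the per-IP limit, so only the grouping step surfaces them.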


