Re: What to do about SSH brute force attempts?

[Henrique de Moraes Holschuh <hmh@debian.org>]

On Thu, 21 Aug 2008, Michael Tautschnig wrote:
> > * use a Firewall to prevent other IP address to connect to your ssh
> > service. restrict just to yours (iptables script can be easy to find on
> > the web)
> Well, I should have added that my hosts must be world-wide accessible using
> password-based authentication, so this is no option.

In the long term, switch to key-based auth.

> I'm not a huge fan of security by obscurity, so I'd rather stick with 22 for
> now.

Switch to key-based auth.  Brute-forcing the keys is much harder.

Meanwhile, you really should do something to reduce your attack surface, so
fail2ban and the like, plus non-standard ports are a damn good idea while
you implement the proper "fix" (drop passwords).

> What remains open is what could one do proactively? I don't really feel like
> striking back, but getting rid of the attackers would be kind of nice...

Strike against a botnet?  That's a waste of effort, really, with very few
exceptions.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh