On Monday, 25.04.2005 at 11:04 -0400, Radu Brumariu wrote: > >There are, but it may be simpler to change the port that SSH listens > >on. > > Which method is that ( blocking the offending IP from SSHD's > configuration ) ? Haven't tried it myself, but you can use an intrusion detection application of some kind: perhaps someone else will suggest something specific. Actually, I'm sure this was discussed on here not that long ago: go search the archives! > >The behaviour you're seeing is likely not actually "people", but an > >automated scan of some sort. Changing SSH port is 'really' more > >secure (obscurity and all that), but it's an extra layer and, if > >nothing else, stops your logs getting cluttered with all the failed > >logins ... > > > > If they are doing a portscan on your machine + service fingerprinting, > that doesn't help that much. In my experience of the type of SSH activity you are reporting, the automated tool assumes that SSH will be on port 22. Changing the port just "raises the bar" a little ... of course, a port scan will reveal what's actually there, as you say. > Of course it will hide it for a while, but every time you connect to > the machine you will have to put in the port number...which tends to > be a hassle. That's true: as with all security issues, it's a trade-off :-) Dave. -- Please don't CC me on list messages! ... Dave Ewart - davee@sungate.co.uk - jabber: davee@jabber.org All email from me is now digitally signed, key from http://www.sungate.co.uk/ Fingerprint: AEC5 9360 0A35 7F66 66E9 82E4 9E10 6769 CD28 DA92
Attachment:
signature.asc
Description: Digital signature