Re: SSH Blocking
On Mon, Apr 25, 2005 at 10:03:29AM -0700, Alvin Oga wrote:
On Mon, 25 Apr 2005, Nick Miller wrote:
I maintain a couple of exim mail servers on the Internet and I have
noticed that a lot of people will try to gain access to these machines
by trying multiple SSH logins with all sorts of names. I am wondering if
there is an option in SSHD to block an IP after a certain amount of
failed login attempts as any user?
- you should be disallowing ALL ssh connections to begin with
and disallow remote ssh loing as root
- you should only allow ssh login from ip# that you know about
I believe this is a case where practicality trumps security. Most people
I know, including myself, use SSH as the only available administration
method for a remote server and need access to said server whether it is
from home, the local coffee shop, or an airport lobby, and who do not
always have a VPN available.
Additionally there are often end users who need remote access for
various computing tasks who also have similar problems.
A better solution is to probably have (and enforce) a good password policy,
and if the remote login attempts are really that troublesome, look into
some of the various firewall based solutions. A recent thread in DU went
over a few methods of temporarily or permanent dropping connections from
IP addresses that resulted in a large number of failed ssh attempts. I
suggest searching the archives.
--
Steve Block
http://ev-15.com/
http://www.steveblock.com/
scblock@ev-15.com
Reply to: