
Re: What to do with attackers?



On Fri, 2005-11-04 at 12:16 +0100, Thomas wrote:
> Hello there,
> 
> recently, I often see brute force attacks in my ssh logfile.
> A friend of mine, who has the same ISP gets the same bruteforce attacks.
> 
> What would be an adequate reaction to repeated ssh bruteforce attacks?
> 
> Should I contact the owner of the attacker's IP address?
> Should I do something else?

Not much you can do about the probes-- they will happen, and blocking
them on a case by case basis is futile.  Some things that will help:

firewall and/or use tcp wrappers (man hosts_access) so only certain
hosts can connect

change the port ssh listens on (yes, obfuscation is not real security,
but these are scripted attacks which don't check other ports-- will
*greatly* reduce the number of attempts-- and you'll know that if you
get a probe on that port, the attacker probably is serious (i.e. it may
not be a scripted attack, but rather a directed attack))

disable password authentication and use keys exclusively

disable root logins entirely

see 'man sshd_config' for how to do the last three

-- 
James Strandboge
jamie@strandboge.com
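
An added example, not part of the original message: a small Python check that reads an sshd_config and reports which of the three sshd_config suggestions in the reply above (non-default port, key-only authentication, no root login) are not in effect. The sample configurations and port 2222 are constructed for illustration, and `parse_global` and `audit` are hypothetical helper names.

```python
import re

# Both samples are constructed for illustration; 2222 is an arbitrary port.
SAMPLE_WEAK = """\
Port 22
PermitRootLogin yes
#PasswordAuthentication no
"""
SAMPLE_HARDENED = """\
port 2222
PasswordAuthentication no
PermitRootLogin no
PermitRootLogin yes
"""


def parse_global(text):
    """Return {keyword: [values]} for the global part of an sshd_config."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()  # keywords are case-insensitive
        if key == "match":  # conditional Match blocks are not evaluated here
            break
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        settings.setdefault(key, []).append(value)
    return settings


def audit(text):
    """List which of the three sshd_config suggestions are not in effect."""
    s = parse_global(text)
    findings = []
    # Port may appear several times; sshd listens on every value given.
    if "22" in s.get("port", ["22"]):
        findings.append("sshd listens on the default port 22")
    # For other keywords sshd uses the first value it obtains, so the
    # trailing "PermitRootLogin yes" in SAMPLE_HARDENED has no effect.
    if s.get("passwordauthentication", ["yes"])[0].lower() != "no":
        findings.append("password authentication is enabled")
    if s.get("permitrootlogin", ["unset"])[0].lower() != "no":
        findings.append("root login is not disabled entirely")
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE_WEAK), audit(SAMPLE_HARDENED))
```

On a live host, `sshd -T` prints the effective configuration with defaults filled in, and its output can be passed to the same `audit` function.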


