Re: What to do with attackers?
On Fri, 2005-11-04 at 12:16 +0100, Thomas wrote:
> Hello there,
>
> recently, I can often see brute force attacks in my ssh logfile.
> A friend of mine, who has the same ISP gets the same bruteforce attacks.
>
> What would be an adequate reaction to repeated ssh bruteforce attacks?
>
> Should I contact the owner of the attackers ip address?
> Should I do something else?
Not much you can do about the probes-- they will happen, and blocking
them on a case by case basis is futile. Some things that will help:

* firewall and/or use tcp wrappers (man hosts_access) so only certain
  hosts can connect
* change the port ssh listens on (yes, obfuscation is not real security,
  but these are scripted attacks which don't check other ports-- will
  *greatly* reduce the number of attempts-- and you'll know that if you
  get a probe on that port, the attacker probably is serious (i.e. it may
  not be a scripted attack, but rather a directed attack))
* disable password authentication and use keys exclusively
* disable root logins entirely

see 'man sshd_config' for how to do the last three
--
James Strandboge
jamie@strandboge.com
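
Added example, not part of the original message: a small audit of an sshd_config text against the last three recommendations in the reply above (non-default port, no password authentication, no root login). The function names, the sample configurations and the defaults used for unset keywords (taken to be those of current upstream OpenSSH) are assumptions of this example.

```python
# Added example: audit the global section of an sshd_config text.
# Defaults for unset keywords are assumptions (current upstream OpenSSH).

def global_settings(text):
    """Map lowercase keyword -> list of values seen before any Match block."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keywords are case-insensitive; "Keyword value" and "Keyword=value" both occur.
        parts = line.replace("=", " ", 1).split()
        if not parts:
            continue
        key = parts[0].lower()
        if key == "match":
            break  # later lines apply only conditionally, not globally
        if len(parts) > 1:
            seen.setdefault(key, []).append(parts[1].strip('"').lower())
    return seen

def audit(text):
    """Return findings for the three recommendations; empty list means all met."""
    s = global_settings(text)
    findings = []
    # Port may be given several times and sshd listens on every one of them.
    if "22" in s.get("port", ["22"]):
        findings.append("sshd still listens on port 22")
    # For single-valued keywords sshd keeps the first value it reads.
    if s.get("passwordauthentication", ["yes"])[0] != "no":
        findings.append("password authentication is enabled")
    if s.get("permitrootlogin", ["prohibit-password"])[0] != "no":
        findings.append("root login is not fully disabled")
    return findings

# Constructed sample configurations, not taken from any real host.
WEAK = """
Port 22
PermitRootLogin yes
"""
HARDENED = """
Port 2222
PasswordAuthentication no
# a later duplicate is ignored because the first value wins
PasswordAuthentication yes
PermitRootLogin no
"""

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit(cfg) or "ok")
```

The audit reads only the text it is given and does not follow Include directives or evaluate Match blocks; on a live host, `sshd -T` prints the configuration the daemon actually uses.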