
Re: Reporting brute force ssh login attempts



On Wed, Nov 15, 2006 at 06:51:02PM +0000, Shri Shrikumar wrote:
> Hi All,
> 
> I have a few servers on which there are regular penetration attempts 
> using brute force password guessing bots.
> 
> There is little risk to the server but am getting more and more annoyed 
> by this and as far as I can see am left with two options.
> 
> 1. Report each IP address that does this. However, a lot of them seem 
> to be from Asia with no proper abuse@ address to contact. Additionally, 
> this can be very time consuming.
> 
> 2. Change the port number that ssh uses to something else. This has the 
> annoyance that I need to pass the new port number in each time I want to 
> log-in.
> 
> 3. Ignore the issue. Very annoying since logwatch and logcheck 
> constantly complain about it. However, I can add filters so it annoys me 
> less.
> 
> Is there another option? Alternatively, is there a way of 
> automatically reporting offending IPs?
> 

Is there a way to set ssh/pam so that it doesn't even prompt for a
password if the private key fails?  It has always seemed silly to me that if
you have disabled password login to then have ssh prompt for a password.
If there was no password prompt then perhaps the systems would be unable
to even attempt a brute force attack.

Is there a way to configure the firewall to only allow or deny connection
attempts from certain IP addresses?

Can your own ISP offer any sort of filtering?

If it doesn't affect security, I would just filter out the log noise but
I would make absolutely sure that it doesn't affect security.  

It's still annoying.  It's like having someone rattle your front door when it's
locked.  Remember the movie "Home Alone"?  Is there an internet/ssh
version of the electric_barbecue_starter_on_the_door-knob trick?  

Doug.
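
Added example, not part of the original message: a small check of which password-style prompts an `sshd_config` still offers once public-key authentication fails, which is the situation the message above asks about. It assumes OpenSSH keyword names and defaults, reads only the global section (before any `Match` block), and uses constructed sample configurations.

```python
# Added example: list the password-style logins an sshd_config still offers.
# Assumptions: OpenSSH keyword names and defaults; only the global section
# (before the first Match block) is read; Include files are not followed.

DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
}
# ChallengeResponseAuthentication is the older name for the same option.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

# Constructed sample: password login disabled, but keyboard-interactive
# (which PAM uses to ask for a password) is left at its default.
SAMPLE_INCOMPLETE = """
PubkeyAuthentication yes
PasswordAuthentication no
UsePAM yes
"""

# Constructed sample: both prompt paths switched off.
SAMPLE_KEYS_ONLY = SAMPLE_INCOMPLETE + "ChallengeResponseAuthentication no\n"


def effective_settings(config_text):
    """Return effective global values; sshd keeps the first value it reads."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        parts = line.replace("=", " ", 1).split()  # "Key value" or "Key=value"
        key = parts[0].lower()                   # keywords are case-insensitive
        if key == "match":                       # conditional blocks not handled
            break
        key = ALIASES.get(key, key)
        if key in DEFAULTS and len(parts) > 1 and key not in seen:
            seen[key] = parts[1]
    return {**DEFAULTS, **seen}


def prompts_still_offered(config_text):
    """Names of the authentication methods that can still ask for a password."""
    s = effective_settings(config_text)
    offered = []
    if s["passwordauthentication"] == "yes":
        offered.append("password")
    if s["kbdinteractiveauthentication"] == "yes":
        offered.append("keyboard-interactive")
    return offered
```

An empty result means a client whose key is rejected is disconnected without being asked for a password.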


