Re: On defense of the sshd crackers
On Tue, Oct 09, 2007 at 11:32:38AM -0300, Henrique de Moraes Holschuh wrote:
> On Tue, 09 Oct 2007, T o n g wrote:
> > I used to turn on my sshd just in case that I need to ssh back into my
> > box. But recently, I noticed that whenever I turn it on, almost instantly,
> > there will be a cracker attempting cracking into my sshd:
> Drop password logins of any type in ssh completely, use only crypto keys.
> Also, explicitly tell sshd the users which should be able to login, it will
> deny all others, no matter what.
I created a group ssh, then added anyone who should be able to use ssh to
the ssh group.
Note that even if the user isn't in ssh, sshd still goes through the
motions and asks for a password, it just cannot succeed.
I don't figure that there's anything to keep the barbarians from
pounding at the gate. Given that they use port scanners to check for
open ports, changing the default port probably won't help. Set up sshd
for the most restrictive policy that will allow you to do what you need.
For example, I don't need the ability to ssh in from the internet, only
from local net boxes. So I set a listen address so that sshd doesn't
have the public port open at all.
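An added example, not from this thread, that audits an sshd_config for the three controls recommended above (no password logins, an explicit AllowGroups/AllowUsers, a non-wildcard ListenAddress). It honours sshd's rule that the first occurrence of a keyword wins, assumes whitespace-separated "Keyword value" lines, stops at any Match block, and the sample config is constructed.

```shell
# effective_value FILE KEYWORD : print the value sshd would actually use.
# sshd takes the FIRST occurrence of a keyword (later duplicates are ignored)
# and keywords are case-insensitive; directives after "Match" are conditional.
effective_value() {
  awk -v key="$2" '
    tolower($1) == "match" { exit }                       # conditional section; stop
    tolower($1) == tolower(key) { $1 = ""; sub(/^ +/, ""); print; exit }
  ' "$1"
}

# audit_sshd_config FILE : print one finding per line; exit status = number of findings
audit_sshd_config() {
  f="$1"; n=0
  # "drop password logins of any type": both keyword-based methods default to yes
  for k in PasswordAuthentication ChallengeResponseAuthentication; do
    v=$(effective_value "$f" "$k")
    if [ "$(printf %s "${v:-yes}" | tr A-Z a-z)" != "no" ]; then
      echo "FINDING: $k is effectively '${v:-yes (default)}'; set it to no"
      n=$((n + 1))
    fi
  done
  # "explicitly tell sshd the users which should be able to login"
  if [ -z "$(effective_value "$f" AllowGroups)" ] && [ -z "$(effective_value "$f" AllowUsers)" ]; then
    echo "FINDING: neither AllowGroups nor AllowUsers is set; every account may attempt a login"
    n=$((n + 1))
  fi
  # "set a listen address so that sshd doesn't have the public port open at all"
  la=$(effective_value "$f" ListenAddress)
  case "$la" in
    ""|0.0.0.0*|"::"*|"[::]"*)
      echo "FINDING: ListenAddress is '${la:-unset}'; sshd listens on every interface"
      n=$((n + 1)) ;;
  esac
  return "$n"
}

# Constructed sample (not a real host's config). It looks hardened at a glance,
# but the first PasswordAuthentication line wins, so the "no" below it is
# ignored, and ChallengeResponseAuthentication is left at its default of yes.
sample_config() {
  cat <<'EOF'
Port 22
ListenAddress 192.168.1.10
PasswordAuthentication yes
passwordauthentication no
AllowGroups ssh
EOF
}
```

Run it with `sample_config > /tmp/sshd_config.sample; audit_sshd_config /tmp/sshd_config.sample`; the sample yields two findings, and a config with both authentication keywords set to no yields none.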