Scott Harney wrote:
Pardon my incredibly sloppy English. Trying to do too many things at once.
> Some of you running ssh on externally reachable machines have probably noticed
> numerous attempts in the past few months to log in to various accounts
> via ssh. This is apparently a brute force automated attack trying
> well-known account names, weak passwords, etc. One way to mitigate this
> is to make sure you're using strong passwords and changing them with
> some regularity. But can you be sure all your users are doing the same?
>
> If you can, you probably should limit ssh access to specific hosts,
> but this is often impossible and might not stop determined spoofing
> attacks. If you can, you should probably limit ssh authentication to
> using RSA/DSA keys instead of password-based login. See
> http://marc.theaimsgroup.com/?l=openbsd-misc&m=110367957829708&w=2 for
> info.
>
> You may still want to block attack attempts, though, and convince
> automated attack scripts to stop trying. Some OpenBSD folks posted
> scripts to check /var/log/authlog for attacks and add those IPs to a pf
> firewall filter table dynamically. Not all of my machines with a
> reachable ssh are OpenBSD but they all run tcp wrappers. So I modified
> those same scripts to dynamically add attack source IPs to
> /etc/hosts.deny. You can find more on my script at
> http://www.scottharney.com/blog/2005/01/03#ssh_blocker_wrap-sh
>
>
--
Scott Harney <scotth@scottharney.com>
"Asking the wrong questions is the leading cause of wrong answers"
gpg key fingerprint=7125 0BD3 8EC4 08D7 321D CEE9 F024 7DA6 0BC7 94E5
___________________
Nolug mailing list
nolug@nolug.org
Received on 01/03/05
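
The approach described in the message above (scan the auth log for failed ssh logins and add the sources to /etc/hosts.deny), as an added example that is not the script linked in the post. The function names, the failure threshold, the allowlist file and the exact log line format are assumptions.

```shell
#!/bin/sh
# Added example, not the original ssh_blocker script. Assumes OpenSSH-style
# "Failed password for ... from ADDR port N ssh2" lines and IPv4 sources.

# failed_sources LOGFILE MIN -> addresses with at least MIN failures, sorted
failed_sources() {
    awk -v min="$2" '
        # The user name is supplied by the remote side and may contain spaces,
        # so take the address from the fixed tail of the line, not the first
        # "from" that appears.
        /sshd\[[0-9]+\]: Failed password for / &&
        $(NF-4) == "from" && $(NF-2) == "port" {
            addr = $(NF-3)
            if (addr ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) hits[addr]++
        }
        END { for (a in hits) if (hits[a] >= min) print a }
    ' "$1" | LC_ALL=C sort
}

# new_deny_entries LOGFILE MIN DENYFILE ALLOWFILE
# Prints "sshd: ADDR" for sources not already denied and not on the allowlist.
new_deny_entries() {
    failed_sources "$1" "$2" | while read -r addr; do
        grep -qxF "$addr" "$4" 2>/dev/null && continue        # never block
        grep -qxF "sshd: $addr" "$3" 2>/dev/null && continue  # already listed
        printf 'sshd: %s\n' "$addr"
    done
}

# Constructed sample log (documentation address ranges), not real output.
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/authlog" <<'EOF'
Jan  3 10:00:01 gw sshd[311]: Failed password for root from 203.0.113.5 port 4001 ssh2
Jan  3 10:00:03 gw sshd[312]: Failed password for invalid user admin from 203.0.113.5 port 4002 ssh2
Jan  3 10:00:05 gw sshd[313]: Failed password for invalid user test from 203.0.113.5 port 4003 ssh2
Jan  3 10:02:10 gw sshd[320]: Failed password for scott from 198.51.100.7 port 5000 ssh2
Jan  3 10:02:15 gw sshd[320]: Accepted password for scott from 198.51.100.7 port 5000 ssh2
Jan  3 10:05:00 gw sshd[330]: Failed password for invalid user a from 192.0.2.1 from 203.0.113.9 port 6000 ssh2
EOF
: > "$tmp/deny"; echo 198.51.100.7 > "$tmp/allow"
new_deny_entries "$tmp/authlog" 3 "$tmp/deny" "$tmp/allow"   # sshd: 203.0.113.5
```

To apply the result, append the printed lines to /etc/hosts.deny from a scheduled job, and keep your own management addresses in the allowlist file so a mistyped password cannot lock you out.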