denying spam hosts ssh access - good idea?
Anton Shterenlikht
mexas at bristol.ac.uk
Tue Jan 12 09:54:05 UTC 2010
On Tue, Jan 12, 2010 at 10:42:06AM +0100, Erik Norgaard wrote:
> Anton Shterenlikht wrote:
> > I'm thinking of denying ssh access to host from which
> > I get brute force ssh attacks.
>
> This is a returning topic, search the archives. Anyway, the returning
> answer:
>
> - why not let your firewall do the blocking? If your blocking is IP
> based that's the place to block.
I'm already under the University firewall. Only port 22 is let through.
But even that fills my logs.
> - why do you default to allow? How about default block, and then add the
> few good networks you know that actually need access? Restricting access
> to your own continent is a good start. I made this tool to create lists
> of ip ranges for individual countries:
>
> http://www.locolomo.org/pub/src/toolbox/inet.pl
>
> if you're in US then it may not work since some US companies have ranges
> delegated directly by IANA rather than ARIN, but these are few so it's
> easy to add ranges manually, check the list here:
>
> http://www.iana.net/assignments/ipv4-address-space/ipv4-address-space.xml
thanks, will look at this
> - why allow password based authentication? disable password based
> authentication and rely on keys, then you can ignore all the brute force
> attempts.
I don't allow password based authentication.
> - above not a solution? See if you can tweak the sshd_config:
>
> MaxAuthTries
> MaxStartups
>
> can slow down brute force attacks preventing it from sucking up resources.
also a good idea, will look at this.
> Disable root login, restrict login to real users, if you have a group
> "users" just restrict to that using AllowGroups.
yes, this is in place.
> - trying to block individual offending hosts is futile, the attacker
> will usually try maybe a 1000 times, but the next one will likely come
> from a different address.
I guess this answers my question most directly.
From all the replies I got so far I gather that /etc/hosts.allow
exists as a historical heritage and no real use is made of it
nowadays. Although some people appear to like it (e.g. Samuel Martín Moro).
many thanks for your help and support.
anton
--
Anton Shterenlikht
Room 2.6, Queen's Building
Mech Eng Dept
Bristol University
University Walk, Bristol BS8 1TR, UK
Tel: +44 (0)117 331 5944
Fax: +44 (0)117 929 4423
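The sshd_config settings discussed in the thread (key-only authentication, no root login, AllowGroups, a low MaxAuthTries, MaxStartups throttling) can be checked against a configuration file without restarting sshd. The following is an added example, not code from the original thread or from the OpenSSH project: a small POSIX shell audit that reads an sshd_config the way sshd does (first occurrence of a keyword wins, keywords are case-insensitive, only the global section before any Match block is considered) and reports deviations from a hardened baseline. It assumes the whitespace-separated "Keyword value" form, the sshd defaults of that era when a keyword is absent (PasswordAuthentication yes, PermitRootLogin yes, MaxAuthTries 6; newer releases default PermitRootLogin to prohibit-password), and uses two constructed sample configs, one permissive and one hardened.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the settings discussed in the thread.
# Constructed for illustration; not the thread's or OpenSSH's own code.

# sshd_get KEY FILE: print the effective value of KEY in FILE.
# Mirrors sshd parsing: comments stripped, keyword match is case-insensitive,
# the first occurrence wins, and parsing stops at the first Match block
# (assumption: only the global section is audited, "Keyword value" form only).
sshd_get() {
    key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        { sub(/#.*/, "") }                    # drop comments (re-splits fields)
        NF == 0 { next }                      # skip blank lines
        tolower($1) == "match" { exit }       # conditional section: stop here
        tolower($1) == key { print $2; exit } # first occurrence is the effective one
    ' "$2"
}

# sshd_audit FILE: print each deviation from the hardened baseline; return 1 if any.
sshd_audit() {
    f=$1; rc=0
    pa=$(sshd_get PasswordAuthentication "$f" | tr 'A-Z' 'a-z'); [ -n "$pa" ]  || pa=yes  # sshd default
    prl=$(sshd_get PermitRootLogin "$f" | tr 'A-Z' 'a-z');       [ -n "$prl" ] || prl=yes # default on 2010-era sshd
    mat=$(sshd_get MaxAuthTries "$f");                             [ -n "$mat" ] || mat=6   # sshd default
    ag=$(sshd_get AllowGroups "$f")
    [ "$pa" = no ]   || { echo "PasswordAuthentication is $pa (want no: keys only)"; rc=1; }
    [ "$prl" = no ]  || { echo "PermitRootLogin is $prl (want no)"; rc=1; }
    [ "$mat" -le 3 ] || { echo "MaxAuthTries is $mat (want 3 or fewer)"; rc=1; }
    [ -n "$ag" ]     || { echo "AllowGroups not set (want an explicit login group)"; rc=1; }
    return $rc
}

# Constructed sample configs (not real hosts' files).
WEAK=$(mktemp); HARD=$(mktemp)
trap 'rm -f "$WEAK" "$HARD"' EXIT

cat >"$WEAK" <<'EOF'
# stock-looking sshd_config: everything left at the permissive default
Port 22
#PasswordAuthentication yes
PermitRootLogin yes
MaxAuthTries 6
EOF

cat >"$HARD" <<'EOF'
# hardened sshd_config along the lines of the thread
Port 22
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
AllowGroups users
MaxAuthTries 3
# start refusing 50% of new unauthenticated connections past 3, all past 10
MaxStartups 3:50:10
EOF

for f in "$WEAK" "$HARD"; do
    if sshd_audit "$f"; then echo "$f: hardened"; else echo "$f: needs work"; fi
done
```

MaxStartups takes the form start:rate:full; with 3:50:10 sshd begins dropping unauthenticated connections probabilistically once three are pending and drops all of them at ten, which caps what a brute-forcer can consume without affecting an already authenticated session. Note that MaxAuthTries limits attempts per connection, not per source, so on its own it only makes the log noise cheaper, which is the point Erik makes about per-host blocking.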