denying spam hosts ssh access - good idea?

Anton Shterenlikht mexas at bristol.ac.uk
Tue Jan 12 09:54:05 UTC 2010


On Tue, Jan 12, 2010 at 10:42:06AM +0100, Erik Norgaard wrote:
> Anton Shterenlikht wrote:
> > I'm thinking of denying ssh access to host from which
> > I get brute force ssh attacks.
> 
> This is a returning topic, search the archives. Anyway, the returning 
> answer:
> 
> - why not let your firewall do the blocking? If your blocking is IP 
> based that's the place to block.

I'm already under the University firewall. Only port 22 is let through.
But even that fills my logs.

> - why do you default to allow? How about default block, and then add the 
> few good networks you know that actually need access? Restricting access 
> to your own continent is a good start. I made this tool to create lists 
> of ip ranges for individual countries:
> 
>    http://www.locolomo.org/pub/src/toolbox/inet.pl
> 
> if you're in US then it may not work since some US companies have ranges 
> delegated directly by IANA rather than ARIN, but these are few so it's 
> easy to add ranges manually, check the list here:
> 
> http://www.iana.net/assignments/ipv4-address-space/ipv4-address-space.xml

thanks, will look at this

> - why allow password based authentication? disable password based 
> authentication and rely on keys, then you can ignore all the brute force 
> attempts.

I don't allow password based authentication.

> - above not a solution? See if you can tweak the sshd_config:
> 
>      MaxAuthTries
>      MaxStartups
> 
> can slow down brute force attacks preventing it from sucking up resources.

also a good idea, will look at this.

> Disable root login, restrict login to real users, if you have a group 
> "users" just restrict to that using AllowGroups.

yes, this is in place.

> - trying to block individual offending hosts is futile, the attacker 
> will usually try maybe a 1000 times, but the next one will likely come 
> from a different address.

I guess this answers my question most directly.

From all the replies I got so far I gather that /etc/hosts.allow
exists as a historical heritage and no real use is made of it
nowadays. Although some people appear to like it (e.g. Samuel Martín Moro).

many thanks for your help and support.
anton


-- 
Anton Shterenlikht
Room 2.6, Queen's Building
Mech Eng Dept
Bristol University
University Walk, Bristol BS8 1TR, UK
Tel: +44 (0)117 331 5944
Fax: +44 (0)117 929 4423
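As an added example that is not part of the thread, a small POSIX sh audit for the sshd_config points Erik lists above (key-only auth, no root login, AllowGroups, MaxAuthTries, MaxStartups). It assumes a config file path is given, uses the standard OpenSSH keyword names, and treats an unset MaxAuthTries as the OpenSSH default of 6; the sample config it writes is constructed.

```shell
#!/bin/sh
# Audit an sshd_config for the brute-force hardening points raised in the thread.
# Prints one line per finding; returns 0 when every check passes, 1 otherwise.
# Like sshd, only the first occurrence of a keyword counts (Match blocks are ignored).

sshd_opt() {
    # usage: sshd_opt FILE KEYWORD -> value of the first uncommented occurrence, or empty
    awk -v key="$2" 'tolower($1) == tolower(key) { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

audit_sshd_config() {
    f="$1"; rc=0
    pw=$(sshd_opt "$f" PasswordAuthentication)
    [ "${pw:-yes}" = "no" ] || { echo "PasswordAuthentication is '${pw:-yes}' (default yes); set it to no and use keys"; rc=1; }
    root=$(sshd_opt "$f" PermitRootLogin)
    [ "$root" = "no" ] || { echo "PermitRootLogin is '${root:-unset}'; set it to no"; rc=1; }
    grp=$(sshd_opt "$f" AllowGroups)
    [ -n "$grp" ] || { echo "AllowGroups is unset; restrict logins to a real-user group such as 'users'"; rc=1; }
    tries=$(sshd_opt "$f" MaxAuthTries)
    [ "${tries:-6}" -le 3 ] || { echo "MaxAuthTries is ${tries:-6} (default 6); lower it, e.g. to 3"; rc=1; }
    ms=$(sshd_opt "$f" MaxStartups)
    case "$ms" in
        *:*:*) ;;   # start:rate:full form rate-limits unauthenticated connections
        *) echo "MaxStartups is '${ms:-unset}'; use the start:rate:full form, e.g. 10:30:60"; rc=1 ;;
    esac
    return $rc
}

# Stand-alone demo on a constructed, deliberately weak config.
demo_cfg=$(mktemp)
printf '%s\n' 'PermitRootLogin yes' '#PasswordAuthentication no' 'MaxAuthTries 6' > "$demo_cfg"
if audit_sshd_config "$demo_cfg"; then echo "hardened"; else echo "needs work"; fi
rm -f "$demo_cfg"
```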

