securing sshd
Erik Norgaard
norgaard at locolomo.org
Sat Mar 20 18:40:05 UTC 2010
On 20/03/10 18:23, Jamie Griffin wrote:
> The reason I went with that decision is because I only expect to be
> logging in to the server from two locations: at home or from a
> computer at my university

In that case, the best thing you can do is figure out the IP ranges of
either location.

Check your log for your own successful logins to find the source IP,
then look up the range with whois. You can be pretty sure that wherever
you are on campus, the assigned IP will be in that range.

Then just allow access from those ranges and block everything else in
your firewall. Whitelists are far easier to manage than blacklists.

Having some daemon running to monitor illicit attempts to log in and
block the source is futile. You can be almost certain that you won't see
that IP in your logs again, partly because these attempts may come from
botnets, partly because the source may be assigned an IP dynamically.

Btw, I found two articles on securityfocus.com. The first is an analysis
using a honeypot; as you see, these attacks are pretty lame:

http://www.symantec.com/connect/articles/analyzing-malicious-ssh-login-attempts

Then somebody having to respond, because security was pretty lame:

http://www.symantec.com/connect/articles/responding-brute-force-ssh-attack?ref=rss

BR, Erik
--
Erik Nørgaard
Ph: +34.666334818/+34.915211157 http://www.locolomo.org
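
The procedure described in the message above, as an added example that is not part of the original post: it extracts the source addresses of successful logins from sshd log lines, checks them against the ranges a whois lookup returned, and builds an allow-list rule set. The log lines and ranges are constructed, and pf is assumed as the firewall because the message does not name one.

```python
import ipaddress
import re

# Constructed sample lines in sshd's syslog format (documentation addresses).
SAMPLE_LOG = """\
Mar 18 09:12:44 host sshd[811]: Accepted publickey for jamie from 192.0.2.45 port 51234 ssh2
Mar 18 23:02:10 host sshd[902]: Failed password for invalid user admin from 203.0.113.9 port 4022 ssh2
Mar 19 14:30:01 host sshd[977]: Accepted password for jamie from 198.51.100.17 port 40222 ssh2
Mar 20 08:05:33 host sshd[1033]: Accepted publickey for jamie from 192.0.2.200 port 51877 ssh2
Mar 20 11:47:19 host sshd[1102]: Failed password for root from 203.0.113.77 port 3911 ssh2
"""
# Constructed stand-ins for the ranges a whois lookup would report.
WHOIS_RANGES = ["192.0.2.0/24", "198.51.100.0/25"]

# Anchored to the start of the line so that text embedded in a failed-login
# user name cannot pose as a successful login.
ACCEPTED = re.compile(
    r"^\w{3} +\d+ [\d:]+ \S+ sshd\[\d+\]: Accepted \S+ for \S+ from (\S+) port \d+",
    re.MULTILINE,
)


def accepted_sources(log_text):
    """Return the set of source addresses seen in successful logins only."""
    return {ipaddress.ip_address(m.group(1)) for m in ACCEPTED.finditer(log_text)}


def uncovered(sources, ranges):
    """Return login sources that fall outside every candidate range."""
    nets = [ipaddress.ip_network(r) for r in ranges]  # ValueError on host bits
    missing = [ip for ip in sources if not any(ip in n for n in nets)]
    return sorted(missing, key=lambda ip: (ip.version, int(ip)))


def pf_rules(log_text, ranges, port=22):
    """Build pf allow-list rules; refuse if a known-good login would be blocked."""
    missing = uncovered(accepted_sources(log_text), ranges)
    if missing:
        raise ValueError("ranges would lock out: " + ", ".join(map(str, missing)))
    return [
        "table <ssh_allowed> const { " + ", ".join(ranges) + " }",
        f"pass in quick proto tcp from <ssh_allowed> to any port {port}",
        f"block in quick proto tcp from any to any port {port}",
    ]


if __name__ == "__main__":
    print("\n".join(pf_rules(SAMPLE_LOG, WHOIS_RANGES)))
```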