Protecting SSH from brute force attacks
Dave McCammon
davemac11 at yahoo.com
Thu Oct 7 19:46:24 PDT 2004
--- Vulpes Velox <v.velox at vvelox.net> wrote:
> On Thu, 7 Oct 2004 15:15:25 -0700 (PDT)
> Luke <luked at pobox.com> wrote:
>
> > There are several script kiddies out there hitting
> my SSH server
> > every day. Sometimes they attempt to brute-force
> their way in
> > trying new logins every second or so for hours at
> a time. Given
> > enough time, I fear they will eventually get in.
> > Is there anything I can do to hinder them?
> >
> > I'd like to ban the IP after 50 failed attempts or
> something. I'd
> > heard that each failed attempt from a source was
> supposed to make
> > the daemon respond slower each time, thus limiting
> the usefulness of
> > brute force attacks, but I'm not seeing that
> behavior.
>
> I forget where in /etc it is, but look into setting
> up something that
> allows a certian number of failed logins before
> locking that IP/term
> out for a few minutes.... and if it is constantly
> from the same place
> look into calling their ISP or the like.
>
> Or in a few cases, like I have done in a few cases,
> and a deny from
> any to any for that chunk of the net...
>
> man login.conf for more info :)
> _______________________________________________
Following the advice from here:
http://isc.sans.org//diary.php?date=2004-09-11.
What I did was to only allow access to one machine
through my firewall for the ssh connections (ipfw
limit). 2 per source address.
And, for that one machine, I changed the sshd port to
a different number.
I was getting the same brute force attacks but they
have dropped to nil since.
_______________________________
Do you Yahoo!?
Declare Yourself - Register online to vote today!
http://vote.yahoo.com
More information about the freebsd-questions
mailing list