Blocking a slow-burning SSH bruteforce

David Rawling djr at pdconsec.net
Fri Jan 1 15:20:19 UTC 2010


On 2/01/2010 2:07 AM, J.D. Bronson wrote:
> Few options I can think of in random order...I use #1:
>
> 1. Run SSH on an obscure port. Seriously, thats one of the easiest 
> things to do. Since I have done that, I have had ZERO attempts and it 
> works perfectly as long as users know the odd port. In fact, I dont 
> know anyone in our IT circle of friends that runs SSH on port 22.
>
> 2. Consider controlling/limiting access via 'pf' if your running 'pf'.
>
> Of course with your examples coming from all different IPs, thats not 
> likely gonna help much.
>
> 3. Just ignore it - they aren't getting in...similar to spammers being 
> rejected by RBLs....its traffic, but cant be a whole lot.
>
> 4. Limit login time window too...I run a very narrow window of time to 
> login and a LOW number of attempted logins per session.

Darn.

1 is out because 22 is the one port that most organisations (including 
mine) allow out of their networks for administering routers.

2 is unfortunately not an option (as a consultant I do work from many 
networks)

4 - again I might have to log in any time ...

3 seems the best approach.

Thanks for your thoughts, it's good to get second opinions.

Dave.

-- 
David Rawling
PD Consulting And Security
Mob: +61 412 135 513
Email: djr at pdconsec.net



More information about the freebsd-questions mailing list