denying spam hosts ssh access - good idea?
norgaard at locolomo.org
Tue Jan 12 09:42:10 UTC 2010
Anton Shterenlikht wrote:
> I'm thinking of denying ssh access to host from which
> I get brute force ssh attacks.
This is a returning topic, search the archives. Anyway, the returning
- why not let your firewall do the blocking? If your blocking is IP
based that's the place to block.
- why do you default to allow? How about default block, and then add the
few good networks you know that actually need access? Restricting access
to your own continent is a good start. I made this tool to create lists
of ip ranges for individual countries:
if you're in US then it may not work since some US companies have ranges
delegated directly by IANA rather than ARIN, but these are few so it's
easy to add ranges manually, check the list here:
- why allow password based authentication? disable password based
authentication and rely on keys, then you can ignore all the brute force
- above not a solution? See if you can tweak the sshd_config:
can slow down brute force attacks preventing it from sucking up resources.
Disable root login, restrict login to real users, if you have a group
"users" just restrict to that using AllowGroups.
- trying to block individual offending hosts is futile, the attacker
will usually try maybe a 1000 times, but the next one will likely come
from a different address.
Ph: +34.666334818/+34.915211157 http://www.locolomo.org
More information about the freebsd-questions