denying spam hosts ssh access - good idea?

Erik Norgaard norgaard at locolomo.org
Tue Jan 12 09:42:10 UTC 2010


Anton Shterenlikht wrote:
> I'm thinking of denying ssh access to host from which
> I get brute force ssh attacks.

This is a returning topic, search the archives. Anyway, the returning 
answer:

- why not let your firewall do the blocking? If your blocking is IP 
based that's the place to block.

- why do you default to allow? How about default block, and then add the 
few good networks you know that actually need access? Restricting access 
to your own continent is a good start. I made this tool to create lists 
of ip ranges for individual countries:

   http://www.locolomo.org/pub/src/toolbox/inet.pl

if you're in the US then it may not work since some US companies have ranges 
delegated directly by IANA rather than ARIN, but these are few so it's 
easy to add ranges manually; check the list here:

http://www.iana.net/assignments/ipv4-address-space/ipv4-address-space.xml

- why allow password based authentication? disable password based 
authentication and rely on keys, then you can ignore all the brute force 
attempts.

- above not a solution? See if you can tweak the sshd_config:

     MaxAuthTries
     MaxStartups

can slow down brute force attacks, preventing them from sucking up resources.

Disable root login, restrict login to real users, if you have a group 
"users" just restrict to that using AllowGroups.

- trying to block individual offending hosts is futile; the attacker 
will usually try maybe 1000 times, but the next one will likely come 
from a different address.

BR, Erik

-- 
Erik Nørgaard
Ph: +34.666334818/+34.915211157                  http://www.locolomo.org
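The sshd_config advice in the reply (keys only, no root login, AllowGroups, MaxAuthTries, MaxStartups), turned into a small audit script. This is an added example, not code from the post, from the inet.pl tool, or from FreeBSD; the two sample configs are constructed, the helper names (`sshd_get`, `audit_sshd_config`) and the MaxAuthTries threshold of 3 are this example's own choices, and it assumes OpenSSH's keyword rules (first occurrence of a keyword wins, keywords are case-insensitive) and a config without Match blocks.

```shell
#!/bin/sh
# Added example (not from the mailing-list post or any project): audit an
# sshd_config for the settings recommended in the reply. Assumptions: the
# FIRST occurrence of a keyword is the effective one, keywords are
# case-insensitive, and no Match blocks are present.

# Constructed "before": a permissive, password-accepting config.
WEAK_SSHD_CONFIG='# permissive sample (constructed)
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 6
'

# Constructed "after": keys only, no root, one real group, throttled.
HARDENED_SSHD_CONFIG='# hardened sample (constructed)
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowGroups users
MaxAuthTries 3
MaxStartups 10:30:60
'

# sshd_get FILE KEYWORD: print the effective value of KEYWORD, or nothing
# if the file never sets it (sshd then falls back to its built-in default).
sshd_get() {
    awk -v key="$2" '
        $1 ~ /^#/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# audit_sshd_config FILE: print one line per weak or missing setting and
# return 1 if anything was found, 0 if the file passes every check.
audit_sshd_config() {
    cfg=$1
    findings=0

    # Root must not log in directly; use a real account and su/sudo.
    if [ "$(sshd_get "$cfg" PermitRootLogin)" != no ]; then
        echo "$cfg: PermitRootLogin is not 'no'"
        findings=$((findings + 1))
    fi

    # Password guessing only works if passwords are accepted at all.
    if [ "$(sshd_get "$cfg" PasswordAuthentication)" != no ]; then
        echo "$cfg: PasswordAuthentication is not 'no'"
        findings=$((findings + 1))
    fi

    # With PAM, keyboard-interactive can still prompt for a password
    # unless challenge-response authentication is switched off as well.
    if [ "$(sshd_get "$cfg" ChallengeResponseAuthentication)" != no ]; then
        echo "$cfg: ChallengeResponseAuthentication is not 'no'"
        findings=$((findings + 1))
    fi

    # Restrict logins to a known group of real users.
    if [ -z "$(sshd_get "$cfg" AllowGroups)" ]; then
        echo "$cfg: no AllowGroups restriction"
        findings=$((findings + 1))
    fi

    # Fewer guesses per connection; the threshold of 3 is this example's pick.
    tries=$(sshd_get "$cfg" MaxAuthTries)
    if [ -z "$tries" ] || [ "$tries" -gt 3 ]; then
        echo "$cfg: MaxAuthTries is ${tries:-unset}, want 3 or fewer"
        findings=$((findings + 1))
    fi

    # Cap unauthenticated connections so a flood cannot exhaust sshd.
    if [ -z "$(sshd_get "$cfg" MaxStartups)" ]; then
        echo "$cfg: MaxStartups not set"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}

# Stand-alone run: write both samples to a scratch dir and audit them.
main() {
    dir=$(mktemp -d) || return 1
    printf '%s' "$WEAK_SSHD_CONFIG" > "$dir/sshd_config.weak"
    printf '%s' "$HARDENED_SSHD_CONFIG" > "$dir/sshd_config.hardened"
    for f in "$dir"/sshd_config.*; do
        if audit_sshd_config "$f"; then echo "$f: OK"; fi
    done
    rm -rf "$dir"
}
main
```

Run it against the real file with `audit_sshd_config /etc/ssh/sshd_config`; on the constructed samples the weak config produces six findings and the hardened one passes. Disabling ChallengeResponseAuthentication alongside PasswordAuthentication is the check people most often miss: with PAM enabled, sshd can otherwise still collect a password through keyboard-interactive authentication.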
