Date:      Thu, 7 Oct 2004 19:46:22 -0700 (PDT)
From:      Dave McCammon <davemac11@yahoo.com>
To:        LukeD@pobox.com
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Protecting SSH from brute force attacks
Message-ID:  <20041008024622.75972.qmail@web41410.mail.yahoo.com>
In-Reply-To: <20041007192349.36120317@vixen42.24-119-122-191.cpe.cableone.net>


--- Vulpes Velox <v.velox@vvelox.net> wrote:

> On Thu, 7 Oct 2004 15:15:25 -0700 (PDT)
> Luke <luked@pobox.com> wrote:
> 
> > There are several script kiddies out there hitting my SSH server
> > every day.  Sometimes they attempt to brute-force their way in
> > trying new logins every second or so for hours at a time.  Given
> > enough time, I fear they will eventually get in.
> > Is there anything I can do to hinder them?
> > 
> > I'd like to ban the IP after 50 failed attempts or something.  I'd
> > heard that each failed attempt from a source was supposed to make
> > the daemon respond slower each time, thus limiting the usefulness of
> > brute force attacks, but I'm not seeing that behavior.
> 
> I forget where in /etc it is, but look into setting up something that
> allows a certain number of failed logins before locking that IP/term
> out for a few minutes.... and if it is constantly from the same place
> look into calling their ISP or the like.
> 
> Or in a few cases, like I have done in a few cases, and a deny from
> any to any for that chunk of the net...
> 
> man login.conf for more info :)

Following the advice from here:
http://isc.sans.org//diary.php?date=2004-09-11.

What I did was to only allow access to one machine
through my firewall for the ssh connections (ipfw
limit). 2 per source address.
And, for that one machine, I changed the sshd port to
a different number. 
I was getting the same brute force attacks but they
have dropped to nil since.

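Added example, not part of any message in this thread: one way to implement the "ban the IP after 50 failed attempts" idea from the original question by tallying failed sshd logins per source and producing ipfw deny rules as text for review. The function names, the sample log lines (constructed, in OpenSSH's "Failed password ... from IP port N ssh2" wording, with documentation-range addresses) and the allowlist parameter are assumptions.

```python
import re
from collections import Counter

# Anchored at end of line with a greedy user field: the user name is chosen by
# the client, so only the final "from IP port N" (written by sshd) is trusted.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:(?:invalid|illegal) user )?.* "
    r"from (\d{1,3}(?:\.\d{1,3}){3}) port \d+(?: ssh2)?\s*$"
)

def failed_by_source(lines):
    """Count failed sshd password logins per source IPv4 address."""
    counts = Counter()
    for line in lines:
        m = FAILED.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def deny_rules(lines, threshold=50, allowlist=(), ssh_port=22):
    """Return ipfw rule text for sources at or above the failure threshold."""
    return [
        f"ipfw add deny tcp from {ip} to me {ssh_port}"
        for ip, n in sorted(failed_by_source(lines).items())
        if n >= threshold and ip not in allowlist
    ]

def sample_log():
    """Constructed auth.log lines (documentation-range addresses)."""
    stamp = "Oct  7 19:00:00 host sshd[4242]: "
    log = [stamp + f"Failed password for invalid user u{i} from 203.0.113.7 port {40000 + i} ssh2"
           for i in range(60)]
    log += [stamp + "Failed password for root from 198.51.100.20 port 50123 ssh2"] * 3
    # User name crafted to look like a source address; real source is 203.0.113.7.
    log.append(stamp + "Failed password for invalid user x from 192.0.2.99 port 1 "
                       "from 203.0.113.7 port 41000 ssh2")
    log.append(stamp + "Accepted password for luke from 198.51.100.20 port 50124 ssh2")
    return log

if __name__ == "__main__":
    for rule in deny_rules(sample_log()):
        print(rule)
```

The allowlist keeps a known-good address from being locked out by its own mistyped passwords, and the end-of-line anchoring keeps a crafted user name from getting an unrelated address blocked.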


