From owner-freebsd-questions@FreeBSD.ORG  Fri Oct  8 07:43:15 2004
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 5E83816A4CE
	for <freebsd-questions@freebsd.org>;
	Fri,  8 Oct 2004 07:43:15 +0000 (GMT)
Received: from mproxy.gmail.com (rproxy.gmail.com [64.233.170.206])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 1A1C043D55
	for <freebsd-questions@freebsd.org>;
	Fri,  8 Oct 2004 07:43:15 +0000 (GMT)
	(envelope-from bkeating@gmail.com)
Received: by mproxy.gmail.com with SMTP id 75so4129rnl
	for <freebsd-questions@freebsd.org>;
	Fri, 08 Oct 2004 00:43:11 -0700 (PDT)
Received: by 10.38.181.6 with SMTP id d6mr13928rnf;
        Fri, 08 Oct 2004 00:43:11 -0700 (PDT)
Received: by 10.39.1.6 with HTTP; Fri, 8 Oct 2004 00:43:11 -0700 (PDT)
Message-ID: <1d54d54404100800431ac55605@mail.gmail.com>
Date: Fri, 8 Oct 2004 00:43:11 -0700
From: "Benjamin P. Keating" <bkeating@gmail.com>
To: Dennis Koegel <amf@hobbit.neveragain.de>
In-Reply-To: <20041008072454.GB16547@neveragain.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
References: <Pine.NEB.4.60.0410071514530.27025@mx.freeshell.org>
	 <20041008072454.GB16547@neveragain.de>
cc: freebsd-questions@freebsd.org
cc: Luke <luked@pobox.com>
Subject: Re: Protecting SSH from brute force attacks
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: "Benjamin P. Keating" <bkeating@gmail.com>
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>,
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>,
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Oct 2004 07:43:15 -0000

# After 10 unauthenticated connections, refuse 30% of the new ones, and
# refuse any more than 60 total.
MaxStartups 10:30:60


>From an old server of mine, looks related to solutions you're seeking
(but I agree with Dennis, deny PasswordAuthentication is strongest.




On Fri, 8 Oct 2004 09:24:54 +0200, Dennis Koegel
<amf@hobbit.neveragain.de> wrote:
> Hi,
> 
> On Thu, Oct 07, 2004 at 03:15:25PM -0700, Luke wrote:
> > There are several script kiddies out there hitting my SSH server every
> > day.  Sometimes they attempt to brute-force their way in trying new
> > logins every second or so for hours at a time.  Given enough time, I fear
> > they will eventually get in.
> 
> Apart from what was already noted here it may be a good idea to not use
> PasswordAuthentication at all, you can disable it in the sshd_config.
> 
> Personally preferred solution would be public key authentication, but
> there are other options as well.
> 
> No passwords used -> no passwords can be brute-forced.
> 
> HTH,
> - D.
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>