John Stoffel wrote:
Eric> I have an outward-facing ssh box at work that is currently being
Eric> attacked. Somebody's going through a dictionary attack of
Eric> usernames; currently he or she is on abl. I can't block the IP
Eric> address because the IP is different with each username. Does
Eric> anybody have any good ideas on how to stop this? I'm probably
Eric> going to move the ssh port to some random high number to get rid
Eric> of this, but I don't know yet if anybody else ssh's in besides
Eric> me.
I've been running the 'denyhosts' Python script on both Debian and FreeBSD boxes I own. I don't like moving the SSH port because that's really just security through obscurity.
I'm not looking for extra security, I'm looking to clear my logs and keep the script kiddies away. I'm using real security, but it's nice to be able to read through your logs...
And if your users have good passwords, it's unlikely that a dictionary attack is going to work as well.
Turned off password / PAM / challenge-response; just using PKI.
denyhosts works well, blocks hosts making multiple attempts, etc. It's hard to block attacks where they do one attempt per IP, but hopefully it's going to take them long enough to run a useful sweep that they won't get in.
Fail2ban looks to be another good option as well, though I haven't touched it.
John
I also want to look into fail2ban but I haven't had a chance yet.
-- 
Eric Martin
Key fingerprint = D1C4 086E DBB5 C18E 6FDA B215 6A25 7174 A941 3B9F
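Added example, not code from the thread and not denyhosts or fail2ban: it covers the two things the thread turns on. First, a check that an sshd_config really has password, challenge-response and PAM logins off (what Eric did by hand), applying OpenSSH's rule that the first occurrence of a directive wins and its defaults for unset directives. Second, auth-log triage over constructed OpenSSH "Failed password" lines: per-IP counting, which is the denyhosts approach and catches a single host hammering one account, next to a window-based detector for the one-attempt-per-IP username sweep John says per-IP blocking cannot stop. The config text, log lines, hostname and addresses are constructed (documentation address ranges), and the window size and thresholds are assumptions; Match blocks in sshd_config are ignored for simplicity.

```python
"""Added example for this thread (not code from the thread, denyhosts or fail2ban).
(1) Does sshd_config still allow non-key logins, the thing Eric turned off?
(2) Auth-log triage: per-IP counting (the denyhosts approach) beside a detector for
the one-attempt-per-IP username sweep that per-IP blocking cannot see.
Config text, log lines, hostnames and addresses are constructed; thresholds are assumptions."""
import re
from collections import Counter
from datetime import datetime, timedelta

# OpenSSH defaults for the directives in question. sshd honours the first occurrence
# of a directive; Match blocks are ignored here (simplification).
# ChallengeResponseAuthentication is the older name of KbdInteractiveAuthentication.
DEFAULTS = {"passwordauthentication": "yes", "challengeresponseauthentication": "yes", "usepam": "no"}
ALIASES = {"kbdinteractiveauthentication": "challengeresponseauthentication"}

def password_logins_still_enabled(config_text):
    """Return {directive: value} for every directive that is still effectively 'yes'."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key in DEFAULTS and key not in seen:        # first value wins, as in sshd
            seen[key] = parts[1].strip().lower()
    effective = {**DEFAULTS, **seen}
    return {k: v for k, v in effective.items() if v == "yes"}

# ChallengeResponseAuthentication is not set in the weak config, so the default applies.
WEAK_CONFIG = "PasswordAuthentication yes\nUsePAM yes\n"
HARDENED_CONFIG = ("PubkeyAuthentication yes\nPasswordAuthentication no\n"
                   "ChallengeResponseAuthentication no\nUsePAM no\n")

# Classic OpenSSH syslog line for a failed password; "invalid user" marks an account
# that does not exist at all, which is what a username sweep mostly hits.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+")

def parse_failures(lines, year=2005):
    """Return sorted (timestamp, user, ip) tuples; non-failure lines are skipped."""
    events = []
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["user"], m["ip"]))
    return sorted(events)

def per_ip_offenders(events, threshold=3):
    """denyhosts-style view: IPs with at least `threshold` failures."""
    counts = Counter(ip for _, _, ip in events)
    return {ip: n for ip, n in counts.items() if n >= threshold}

def distributed_sweep(events, window=timedelta(minutes=10), min_users=5, per_ip_threshold=3):
    """Find a window holding many distinct usernames from IPs that each stay below the
    per-IP threshold, i.e. the one-attempt-per-IP sweep. Returns a summary dict or None."""
    for i, (start, _, _) in enumerate(events):
        in_win = [e for e in events[i:] if e[0] - start <= window]
        users = {u for _, u, _ in in_win}
        ip_counts = Counter(ip for _, _, ip in in_win)
        if len(users) >= min_users and max(ip_counts.values()) < per_ip_threshold:
            return {"start": start, "users": sorted(users), "ips": len(ip_counts)}
    return None

# Constructed auth log: one host hammering root (per-IP counting catches it), then an
# alphabetical username sweep that uses a fresh address for every attempt.
LOG = """\
Jan 12 03:14:07 bastion sshd[2101]: Failed password for root from 198.51.100.7 port 40122 ssh2
Jan 12 03:14:09 bastion sshd[2101]: Failed password for root from 198.51.100.7 port 40122 ssh2
Jan 12 03:14:11 bastion sshd[2101]: Failed password for root from 198.51.100.7 port 40122 ssh2
Jan 12 03:14:14 bastion sshd[2101]: Failed password for root from 198.51.100.7 port 40122 ssh2
Jan 12 03:20:01 bastion sshd[2130]: Accepted publickey for eric from 203.0.113.5 port 51000 ssh2
Jan 12 03:31:02 bastion sshd[2144]: Failed password for invalid user aaron from 192.0.2.11 port 33011 ssh2
Jan 12 03:32:15 bastion sshd[2146]: Failed password for invalid user abby from 192.0.2.52 port 33012 ssh2
Jan 12 03:33:40 bastion sshd[2149]: Failed password for invalid user abe from 192.0.2.93 port 33013 ssh2
Jan 12 03:35:03 bastion sshd[2151]: Failed password for invalid user abel from 192.0.2.134 port 33014 ssh2
Jan 12 03:36:27 bastion sshd[2153]: Failed password for invalid user abigail from 192.0.2.175 port 33015 ssh2
Jan 12 03:37:50 bastion sshd[2155]: Failed password for invalid user abl from 192.0.2.216 port 33016 ssh2
""".splitlines()

if __name__ == "__main__":
    print("weak config still allows:", password_logins_still_enabled(WEAK_CONFIG))
    print("hardened config still allows:", password_logins_still_enabled(HARDENED_CONFIG))
    events = parse_failures(LOG)
    print("per-IP offenders:", per_ip_offenders(events))
    print("distributed sweep:", distributed_sweep(events))
```

Run it as-is and the per-IP view names only 198.51.100.7; every address in the sweep stays at one failure, which is exactly why a per-IP blocker never fires on it, while the window view reports six usernames from six addresses in under ten minutes. The config check is the part worth keeping after the sweep is over: with password, challenge-response and PAM logins off, the sweep is log noise rather than a risk, which is the position both posters end up in.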