Date: Tue, 19 Sep 2006 14:22:41 -0700 (PDT)
From: backyard <backyard1454-bsd@yahoo.com>
To: "Dan Mahoney, System Admin" <danm@prime.gushi.org>, questions@freebsd.org
Subject: Re: sshd brute force attempts?
Message-ID: <20060919212242.97964.qmail@web83102.mail.mud.yahoo.com>
In-Reply-To: <20060919165400.A4380@prime.gushi.org>

--- "Dan Mahoney, System Admin" <danm@prime.gushi.org> wrote:

> Hey all,
>
> I've looked around and found several Linux-centric things designed to
> block brute-force SSH attempts. Anyone out there know of something a bit
> more BSD savvy?
>
> My best attempt will be to get this:
>
> http://www.csc.liv.ac.uk/~greg/sshdfilter/index_15.html
>
> running and adapt it.
>
> I've found a few things based on OpenBSD's pf, but that doesn't seem to be
> the default in BSD either.
>
> Any response appreciated.
>
> -Dan
>
> --
>
> "Is Gushi a person or an entity?"
> "Yes"
>
> -Bad Karma, August 25th 2001, Ezzi Computers,
> Quoting himself earlier, referring to Gushi
>
> --------Dan Mahoney--------
> Techie, Sysadmin, WebGeek
> Gushi on efnet/undernet IRC
> ICQ: 13735144 AIM: LarpGM
> Site: http://www.gushi.org
> ---------------------------
>

Well, you could pretty much eliminate the problem by disabling password
logins to sshd and only accepting keyed logins. Then only a key will work.
Frequently changing the keys would ensure hackers would have to want to get
in REALLY bad in order to gain unauthorized access by a brute force attempt.

Depending on how hosts log in and their systems, you could perhaps run a
login script that regenerates keys automatically and distributes them to the
user every so many days or whatever, so the system appears passwordless to
them, and secure to the outside. This may be more trouble than you are
looking for though.

In reality using passwords with SSH kinda defeats the purpose of SSH.

-brian
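
One way to check that an sshd_config really accepts keys only, as the reply recommends. This is an added example, not part of the original message; the function names and sample configs are constructed. It insists on an explicit `no` for both password paths, because where sshd uses PAM the keyboard-interactive method can still prompt for a password after PasswordAuthentication is turned off.

```shell
#!/bin/sh
# Added example (not from the original message). Sample configs are constructed.
# sshd keeps the first value it reads for a keyword, so only the first match counts.
# Simplification: parsing stops at the first Match block.

# first_value FILE KEYWORD... -> first setting of any listed keyword, or "unset"
first_value() {
    f=$1; shift
    awk -v keys="$*" '
        BEGIN { n = split(tolower(keys), k, " "); for (i = 1; i <= n; i++) want[k[i]] = 1 }
        { sub(/[ \t]*=[ \t]*/, " ") }              # accept "Keyword=value" too
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        (tolower($1) in want) { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$f"
}

# audit_sshd_config FILE -> prints findings; returns 0 only if both password
# paths are explicitly "no" and public-key logins are not switched off.
audit_sshd_config() {
    rc=0
    pw=$(first_value "$1" PasswordAuthentication)
    kbd=$(first_value "$1" KbdInteractiveAuthentication ChallengeResponseAuthentication)
    pk=$(first_value "$1" PubkeyAuthentication)
    if [ "$pw" != no ]; then echo "FAIL PasswordAuthentication=$pw"; rc=1; fi
    if [ "$kbd" != no ]; then echo "FAIL keyboard-interactive=$kbd (PAM may still ask for a password)"; rc=1; fi
    if [ "$pk" = no ]; then echo "FAIL PubkeyAuthentication=no"; rc=1; fi
    if [ "$rc" -eq 0 ]; then echo "OK key-only"; fi
    return "$rc"
}

# write_samples DIR -> three constructed configs used by the demo below
write_samples() {
    printf '%s\n' '# half-done: PAM prompt still open' 'PasswordAuthentication no' \
        'UsePAM yes' > "$1/half.conf"
    printf '%s\n' 'PasswordAuthentication no' 'ChallengeResponseAuthentication no' \
        'PubkeyAuthentication yes' > "$1/keyonly.conf"
    printf '%s\n' 'passwordauthentication yes' 'PasswordAuthentication no' \
        'KbdInteractiveAuthentication=no' > "$1/shadowed.conf"
}

d=$(mktemp -d); write_samples "$d"
for c in "$d"/*.conf; do echo "== ${c##*/}"; audit_sshd_config "$c" || true; done
rm -rf "$d"
```

On a live host, `sshd -T` prints the effective settings after defaults and Match blocks are applied, which is the authoritative answer; the script above only reads the file it is given.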