Date: Tue, 12 Jan 2010 10:42:06 +0100 From: Erik Norgaard <norgaard@locolomo.org> To: Anton Shterenlikht <mexas@bristol.ac.uk> Cc: freebsd-questions@freebsd.org Subject: Re: denying spam hosts ssh access - good idea? Message-ID: <4B4C43EE.6080703@locolomo.org> In-Reply-To: <20100111140105.GI61025@mech-cluster241.men.bris.ac.uk> References: <20100111140105.GI61025@mech-cluster241.men.bris.ac.uk>
next in thread | previous in thread | raw e-mail | index | archive | help
Anton Shterenlikht wrote: > I'm thinking of denying ssh access to host from which > I get brute force ssh attacks. This is a returning topic, search the archives. Anyway, the returning answer: - why not let your firewall do the blocking? If your blocking is IP based that's the place to block. - why do you default to allow? How about default block, and then add the few good networks you know that actually need access? Restricting access to your own continent is a good start. I made this tool to create lists of ip ranges for individual countries: http://www.locolomo.org/pub/src/toolbox/inet.pl if you're in US then it may not work since some US companies have ranges delegated directly by IANA rather than ARIN, but these are few so it's easy to add ranges manually, check the list here: http://www.iana.net/assignments/ipv4-address-space/ipv4-address-space.xml - why allow password based authentication? disable password based authentication and rely on keys, then you can ignore all the brute force attempts. - above not a solution? See if you can tweak the sshd_config: MaxAuthTries MaxStartups can slow down brute force attacks preventing it from sucking up resources. Disable root login, restrict login to real users, if you have a group "users" just restrict to that using AllowGroups. - trying to block individual offending hosts is futile, the attacker will usually try maybe a 1000 times, but the next one will likely come from a different address. BR, Erik -- Erik Nørgaard Ph: +34.666334818/+34.915211157 http://www.locolomo.org
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4B4C43EE.6080703>