Date: Tue, 12 Jan 2010 09:53:57 +0000
From: Anton Shterenlikht <mexas@bristol.ac.uk>
To: Erik Norgaard <norgaard@locolomo.org>
Cc: Anton Shterenlikht <mexas@bristol.ac.uk>, freebsd-questions@freebsd.org
Subject: Re: denying spam hosts ssh access - good idea?
Message-ID: <20100112095357.GD61863@mech-cluster241.men.bris.ac.uk>
In-Reply-To: <4B4C43EE.6080703@locolomo.org>
References: <20100111140105.GI61025@mech-cluster241.men.bris.ac.uk> <4B4C43EE.6080703@locolomo.org>
On Tue, Jan 12, 2010 at 10:42:06AM +0100, Erik Norgaard wrote:
> Anton Shterenlikht wrote:
> > I'm thinking of denying ssh access to host from which
> > I get brute force ssh attacks.
>
> This is a returning topic, search the archives. Anyway, the returning
> answer:
>
> - why not let your firewall do the blocking? If your blocking is IP
> based that's the place to block.

I'm already under the University firewall. Only port 22 is let through.
But even that fills my logs.

> - why do you default to allow? How about default block, and then add the
> few good networks you know that actually need access? Restricting access
> to your own continent is a good start. I made this tool to create lists
> of ip ranges for individual countries:
>
> http://www.locolomo.org/pub/src/toolbox/inet.pl
>
> if you're in US then it may not work since some US companies have ranges
> delegated directly by IANA rather than ARIN, but these are few so it's
> easy to add ranges manually, check the list here:
>
> http://www.iana.net/assignments/ipv4-address-space/ipv4-address-space.xml

thanks, will look at this

> - why allow password based authentication? disable password based
> authentication and rely on keys, then you can ignore all the brute force
> attempts.

I don't allow password based authentication.

> - above not a solution? See if you can tweak the sshd_config:
>
> MaxAuthTries
> MaxStartups
>
> can slow down brute force attacks preventing it from sucking up resources.

also a good idea, will look at this.

> Disable root login, restrict login to real users, if you have a group
> "users" just restrict to that using AllowGroups.

yes, this is in place.

> - trying to block individual offending hosts is futile, the attacker
> will usually try maybe a 1000 times, but the next one will likely come
> from a different address.

I guess this answers my question most directly.
From all the replies I got so far I gather that /etc/hosts.allow exists as a historical heritage and no real use is made of it nowadays. Although some people appear to like it (e.g. Samuel Martín Moro).

many thanks for your help and support.

anton

-- 
Anton Shterenlikht
Room 2.6, Queen's Building, Mech Eng Dept, Bristol University
University Walk, Bristol BS8 1TR, UK
Tel: +44 (0)117 331 5944   Fax: +44 (0)117 929 4423
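The sshd_config points raised in the exchange above (keys only, no root login, AllowGroups, MaxAuthTries, MaxStartups) are easy to state and easy to get subtly wrong, e.g. a keyboard-interactive method left enabled still lets PAM accept a password. The script below is an added example, not part of the thread or of OpenSSH: it parses a global sshd_config section with sshd's own first-occurrence-wins rule and reports which of those recommendations are missing. The two embedded configs are constructed samples, the thresholds for MaxAuthTries and MaxStartups are assumptions, and Match blocks are deliberately not evaluated.

```python
"""Audit an sshd_config against the hardening advice given in the thread.

Added example, not the project's or the thread author's code. Both sample
configs below are constructed for illustration.
"""
import re

# Constructed sample: permissive settings the replies argue against.
WEAK_CONFIG = """\
# sshd_config (constructed, weak)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 6
MaxStartups 10:30:100
"""

# Constructed sample: the settings recommended in the replies.
HARDENED_CONFIG = """\
# sshd_config (constructed, hardened)
Port 22
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowGroups users
MaxAuthTries 3
MaxStartups 3:50:10
"""


def parse_sshd_config(text):
    """Return {keyword_lower: value} for the global section of an sshd_config.

    sshd uses the first value it sees for a keyword, so later duplicates are
    ignored here as well. Keywords may be separated from their value by
    whitespace or a single '='. Everything after a 'Match' line is conditional
    and is skipped by this simple checker (assumption: global section only).
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)  # first occurrence wins
    return settings


def audit_sshd_config(text, max_auth_tries=3, max_startups_start=5):
    """Return a list of findings; an empty list means all thread advice is applied.

    The numeric thresholds are assumptions chosen for this example, not
    OpenSSH recommendations.
    """
    s = parse_sshd_config(text)
    findings = []

    # Absent keyword => OpenSSH default 'yes' for password authentication.
    if s.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication is not 'no' (use keys only)")

    # PAM can still accept passwords via keyboard-interactive; either the old
    # or the newer keyword name turns it off.
    cr = s.get("challengeresponseauthentication", "yes").lower()
    kbd = s.get("kbdinteractiveauthentication", "yes").lower()
    if cr != "no" and kbd != "no":
        findings.append("keyboard-interactive authentication is still enabled")

    if s.get("permitrootlogin", "(unset)").lower() != "no":
        findings.append("PermitRootLogin is not explicitly 'no'")

    if "allowgroups" not in s and "allowusers" not in s:
        findings.append("no AllowGroups/AllowUsers restriction on who may log in")

    tries = int(s.get("maxauthtries", "6"))  # OpenSSH default is 6
    if tries > max_auth_tries:
        findings.append(f"MaxAuthTries {tries} exceeds {max_auth_tries}")

    # MaxStartups is 'start:rate:full'; 'start' is the number of pending
    # unauthenticated connections before random early drop begins.
    start = int(s.get("maxstartups", "10:30:100").split(":")[0])
    if start > max_startups_start:
        findings.append(f"MaxStartups start value {start} exceeds {max_startups_start}")

    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_sshd_config(cfg) or ['ok']}")
```

Run it against `/etc/ssh/sshd_config` by reading the file into `audit_sshd_config`; a real deployment would also want to evaluate Match blocks and confirm the running daemon with `sshd -T`, which prints the effective configuration.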