[CentOS] Ideas for stopping ssh brute force attacks
Nifty Cluster Mitch
niftycluster at niftyegg.com
Wed Jul 23 17:25:23 UTC 2008
On Tue, Jul 22, 2008 at 10:16:44AM -0500, David Dyer-Bennet wrote:
> On Tue, July 22, 2008 09:34, Rudi Ahlers wrote:
> > By changing the ports on all our servers to a high (above 1024) port, we
> > have eliminated SSH scans altogether - been running like that for a few
> > years now without any problems.
> On the other hand, why are people so worried about SSH scans? I'm worried
> about who actually gets in, not who connects to the port. Strong password
> quality enforcement, or maybe requiring public-key authentication, seem
> like a more useful response.
For me it is signal to noise ratio. The longer the password file (valid
users) the longer the list of connections and corresponding events (good
and bad) that needs to be watched. Switching to another port with a
large user community requires that the entire community be informed,
configured and supported.
I like 'denyhosts' as a tool to limit these attacks, other good solutions
also exist. Most distros now have 'denyhosts' as a prebuilt RPM which
is a plus IMO (+). As others remarked disable root logins. Manage the
'su, sudo' list with care and populate the illegal user list agressivly
based on the attack list observed in the logs. Users with su, sudo
privledge should be limited to those that use sshkey login and understand
what a strong pass word is.
(+) a prebuilt RPM does present the issue that any flaw in
the prebuilt can be widely exploited. As such updates should
be watched for, tested and deployed promptly.
T o m M i t c h e l l
Looking for a place to hang my hat :-(
More information about the CentOS