On Tue, Apr 5, 2011 at 5:51 PM, rrichard@blythe.org wrote:
> Introducing a Hawk helped us a lot. Tools like Hawk and fail2ban are quite
> useful; actually, only things like that have a good impact on the brute-force
> attempts.
Indeed! I run Fail2Ban not only against SSH, but against SMTP/AUTH and IMAPS/POP3S (the only client mail protocols we support). It's amazing how many dictionary attacks take place against SMTP by persistent spammers! Besides the effect against dictionary attacks, it makes the morning reading of the secure log a pleasant experience. :-)
However, moving to a non-standard SSH port has had a profound effect on the attempts. It's a triple whammy for the script kiddies. Find the port if you can, then you get 5 tries at a non-existent username/password before your packets get dropped on the floor, and you are totally blocked from the entire system for an hour.
Bob
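The jail behaviour Bob describes (five failures, then an hour-long ban, applied to SSH, SMTP AUTH and IMAPS/POP3S) as a small added example, written for this page and not taken from fail2ban itself. The jail names sshd, postfix-sasl and dovecot and the option names findtime/maxretry/bantime follow fail2ban's standard jail.conf layout; the SSH port 2222, the failure regexes and the log lines are constructed for the example and are much simpler than the failregex fail2ban ships in filter.d/.

```python
import configparser
import re
from collections import defaultdict, deque

# Constructed jail.local fragment in fail2ban's INI layout. [DEFAULT] values
# apply to every jail that does not override them. Port 2222 is assumed.
JAIL_LOCAL = """
[DEFAULT]
findtime = 600
maxretry = 5
bantime  = 3600

[sshd]
enabled = true
port    = 2222

[postfix-sasl]
enabled = true
port    = smtp,submission

[dovecot]
enabled = true
port    = imaps,pop3s
"""

# Simplified failure patterns written for this example (not fail2ban's own).
FAILREGEX = {
    "sshd": re.compile(
        r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (?P<ip>\S+)"),
    "postfix-sasl": re.compile(
        r"postfix/smtpd\[\d+\]: warning: \S+\[(?P<ip>[^\]]+)\]: SASL \w+ authentication failed"),
    "dovecot": re.compile(
        r"dovecot: (?:imap|pop3)-login: Disconnected \(auth failed.*?rip=(?P<ip>[\d.]+)"),
}


def load_jails(text):
    """Parse the INI fragment; per-jail lookups fall back to [DEFAULT]."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return {name: {"findtime": cp.getint(name, "findtime"),
                   "maxretry": cp.getint(name, "maxretry"),
                   "bantime": cp.getint(name, "bantime"),
                   "port": cp.get(name, "port")}
            for name in cp.sections() if cp.getboolean(name, "enabled", fallback=False)}


def run(jails, events):
    """Feed (epoch_seconds, log_line) events through every jail; return the bans issued.

    A host is banned once it has maxretry failures inside a sliding findtime
    window; lines from a host that is currently banned are not counted.
    """
    failures = {name: defaultdict(deque) for name in jails}
    banned_until, bans = {}, []
    for ts, line in events:
        for name, cfg in jails.items():
            m = FAILREGEX[name].search(line)
            if not m:
                continue
            ip = m.group("ip")
            if banned_until.get((name, ip), 0) > ts:
                continue  # firewall is already dropping this host
            window = failures[name][ip]
            window.append(ts)
            while window and window[0] <= ts - cfg["findtime"]:
                window.popleft()  # failures older than findtime no longer count
            if len(window) >= cfg["maxretry"]:
                until = ts + cfg["bantime"]
                banned_until[(name, ip)] = until
                bans.append({"jail": name, "ip": ip, "port": cfg["port"], "at": ts, "until": until})
                window.clear()
    return bans


# Constructed log lines, each paired with an explicit epoch so no date parsing is needed.
T0 = 1_302_025_860
SSHD = "mail sshd[4321]: Failed password for invalid user {u} from {ip} port 51022 ssh2"
SASL = "mail postfix/smtpd[5566]: warning: unknown[{ip}]: SASL LOGIN authentication failed: authentication failure"
IMAP = "mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 4 secs): user=<{u}>, method=PLAIN, rip={ip}, lip=10.0.0.5, TLS"

EVENTS = sorted(
    # fast SSH dictionary attack: six guesses in two minutes
    [(T0 + 20 * i, SSHD.format(u=u, ip="203.0.113.7"))
     for i, u in enumerate(["admin", "root", "test", "oracle", "guest", "pi"])]
    # slow SSH guesser: one failure every five minutes never fills the window
    + [(T0 + 300 * i, SSHD.format(u="backup", ip="198.51.100.9")) for i in range(5)]
    # SMTP AUTH dictionary attack from a spammer
    + [(T0 + 600 + 5 * i, SASL.format(ip="192.0.2.44")) for i in range(5)]
    # one mistyped IMAP password from a legitimate user
    + [(T0 + 900, IMAP.format(u="bob", ip="198.51.100.20"))]
)


def demo(events=EVENTS):
    return run(load_jails(JAIL_LOCAL), events)


if __name__ == "__main__":
    for b in demo():
        print(f"[{b['jail']}] ban {b['ip']} (port {b['port']}) for {b['until'] - b['at']}s")
```

Two bans come out: the fast SSH attacker on its fifth guess and the SMTP AUTH attacker, while the slow guesser stays under maxretry because its failures age out of the findtime window. Note that fail2ban's default banaction only blocks the ports listed for the jail; the "totally blocked from the entire system" behaviour Bob describes is what you get with banaction = iptables-allports.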
fail2ban works very well against SSH, SMTP, POP3, FTP, etc.
Another useful tool is Config Server Firewall, which offers DDoS protection and can be configured to email you when someone is blocked for brute-force attempts.
OR, you can use Port Knocking, which is an iptables script that monitors 2 or 3 ports; when they are telnetted to in a pre-configured sequence, it will open the SSH port in the firewall. This also works very well.
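The state machine that such a port-knocking script implements, as an added example for this thread rather than anyone's actual iptables script. In iptables the per-source stages are usually tracked with the `recent` match module; here the same logic is written in Python over a constructed stream of TCP SYNs so the edge cases are visible: knocks that arrive too slowly, knocks in the wrong order, and a linear port scan that would hit an ascending sequence in the right order if a wrong port did not reset progress. The knock ports 7000/8000/9000, the 10 s knock timeout and the 30 s open window are assumptions. Knocking hides the port; it is not authentication, so key-based SSH login and fail2ban still belong behind it.

```python
KNOCK_SEQUENCE = (7000, 8000, 9000)  # assumed knock ports
KNOCK_TIMEOUT = 10   # seconds allowed between consecutive knocks
OPEN_WINDOW = 30     # seconds the SSH port accepts new connections after a full sequence
SSH_PORT = 22


class KnockGate:
    """Per-source knock tracker, equivalent to chained iptables `recent` lists.

    A correct knock advances the source one stage; finishing the sequence opens
    the SSH port to that source for a short window; anything else resets it.
    """

    def __init__(self, sequence=KNOCK_SEQUENCE, knock_timeout=KNOCK_TIMEOUT,
                 open_window=OPEN_WINDOW, ssh_port=SSH_PORT):
        self.sequence, self.knock_timeout = sequence, knock_timeout
        self.open_window, self.ssh_port = open_window, ssh_port
        self.progress = {}    # src -> (next stage index, time of last knock)
        self.open_until = {}  # src -> epoch until which new SSH SYNs are accepted

    def handle_syn(self, ts, src, dport):
        """Return the firewall verdict ('ACCEPT' or 'DROP') for one inbound TCP SYN."""
        if dport == self.ssh_port:
            # Only new connections need the window; a session already set up
            # would be kept alive by the usual conntrack ESTABLISHED rule.
            return "ACCEPT" if self.open_until.get(src, -1) >= ts else "DROP"

        stage, last = self.progress.get(src, (0, ts))
        if ts - last > self.knock_timeout:
            stage = 0  # too slow between knocks: start the sequence over
        if dport == self.sequence[stage]:
            stage += 1
            if stage == len(self.sequence):
                self.open_until[src] = ts + self.open_window
                self.progress.pop(src, None)
            else:
                self.progress[src] = (stage, ts)
        else:
            # Any other port resets progress. This is what defeats a sequential
            # scan, which would otherwise touch 7000, 8000, 9000 in order.
            self.progress.pop(src, None)
        return "DROP"  # the knock ports themselves never accept anything


# Constructed SYN stream: (epoch seconds, source IP, destination port).
PACKETS = (
    # legitimate admin: correct sequence, then SSH inside and after the window
    [(100, "198.51.100.5", 7000), (103, "198.51.100.5", 8000), (106, "198.51.100.5", 9000),
     (110, "198.51.100.5", 22), (140, "198.51.100.5", 22)]
    # stranger who never knocked
    + [(111, "203.0.113.9", 22)]
    # right ports, wrong order
    + [(200, "203.0.113.10", 8000), (201, "203.0.113.10", 7000),
       (202, "203.0.113.10", 9000), (203, "203.0.113.10", 22)]
    # linear port scan over 6999..9001, one port per second, then a try at SSH
    + [(300 + i, "203.0.113.11", p) for i, p in enumerate(range(6999, 9002))]
    + [(2400, "203.0.113.11", 22)]
    # right order, but 15 s between the second and third knock
    + [(2500, "198.51.100.6", 7000), (2505, "198.51.100.6", 8000),
       (2520, "198.51.100.6", 9000), (2521, "198.51.100.6", 22)]
)


def simulate(packets=PACKETS):
    """Run the stream through one gate; return verdicts for the SSH SYNs only."""
    gate = KnockGate()
    verdicts = {}
    for ts, src, dport in sorted(packets):
        verdict = gate.handle_syn(ts, src, dport)
        if dport == gate.ssh_port:
            verdicts[(ts, src)] = verdict
    return verdicts


if __name__ == "__main__":
    for (ts, src), verdict in sorted(simulate().items()):
        print(f"t={ts:5d} {src:15s} SYN to 22 -> {verdict}")
```

Only the admin's SSH SYN at t=110 is accepted; the same admin at t=140 is dropped because the window has closed, and the stranger, the wrong-order knocker, the port scanner and the slow knocker are all dropped.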