New to the list, so please forgive unintentional netiquette transgressions...
On Mon, 12 Jan 2009 14:24:54 -0600 "James B. Byrne" byrnejb@harte-lyne.ca wrote:
> Thanks for the help. I completely missed that error.
> <snip>
> throttle threshold of 15 seconds. I am still concerned about any brute force attempt to discover the root password but, given that no more than four connections per minute are possible, just how concerned should I be?
> <snip> completely defeat the current throttle rules. Should I also throttle the total number of new connections from all IPs?
James,
Throttling all connection attempts to SSH is probably a good idea.
Discounting DoS or DDoS attacks, my solution to nefarious SSH attempts is threefold: 1) run sshd on a port other than 22 (I know, obscurity is not security...), 2) disable the root account (e.g., set the root password to '*' in /etc/shadow), and allow only sudo(1) access to privileged commands (this is the default on Ubuntu systems), and 3) disable password authentication in sshd_config and require all ssh users to log in using public key authentication.
Probably other things one can do, but I think this is a good first step.
Best,
-David Klann
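As an added illustration of the sshd_config hardening recommended above (not code from the thread), here is a small POSIX shell audit that reports the value sshd would actually use for each relevant keyword. It assumes a constructed sample config standing in for /etc/ssh/sshd_config, and mirrors sshd's parsing: keywords are case-insensitive and the first occurrence of a keyword wins, so a stray later `PasswordAuthentication yes` does not re-enable passwords but a stray earlier one does.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the settings the post recommends
# (no password auth, public-key auth, no root login). Assumption: we emulate
# sshd's first-occurrence-wins, case-insensitive keyword handling.

# Constructed sample config for demonstration; point at /etc/ssh/sshd_config in real use.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
# constructed sample sshd_config
Port 2222
PermitRootLogin no
#PasswordAuthentication yes
PasswordAuthentication no
pubkeyauthentication yes
# the line below is ignored by sshd because an earlier occurrence already set it
PasswordAuthentication yes
EOF

# sshd_effective FILE KEYWORD -> prints the lowercased value sshd would use (first match)
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }          # skip comments and blank lines
        tolower($1) == key { print tolower($2); exit } # first occurrence wins
    ' "$1"
}

# check_setting FILE KEYWORD EXPECTED -> 0 if the effective value matches, 1 otherwise
check_setting() {
    actual=$(sshd_effective "$1" "$2")
    if [ "$actual" = "$3" ]; then
        echo "ok    $2 = $actual"; return 0
    fi
    echo "FAIL  $2 = ${actual:-<unset, compiled-in default applies>} (want $3)" >&2
    return 1
}

# audit_sshd FILE -> 0 only if every recommended setting is in effect
audit_sshd() {
    rc=0
    check_setting "$1" PasswordAuthentication no || rc=1
    check_setting "$1" PubkeyAuthentication yes  || rc=1
    check_setting "$1" PermitRootLogin no        || rc=1
    return $rc
}

audit_sshd "$SAMPLE_CFG"
```

Run it against the live file after every edit to sshd_config and before restarting sshd; an unset keyword is reported as a failure so that a forgotten default is reviewed rather than assumed.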