[CentOS] One approach to dealing with SSH brute force attacks.

Wed Jan 30 21:11:34 UTC 2008
Bill Campbell <centos at celestial.com>

On Wed, Jan 30, 2008, Brian Mathis wrote:
...
>
>Log parsing scripts often don't provide the immediacy that rate
>limiting does when under attack.  You'd have to run the script
>constantly parsing logs, since most ssh scans come in bursts.

We use swatch for this and other interesting events (e.g. NICs
being put in promiscuous mode).  It continually monitors one or
more log files using gnu-tail in a perl script, and can do
various things depending on a configuration file.  It can send
e-mail notifications and/or execute scripts which can do anything
your heart desires.

The fail2ban program has similar capabilities, and can block IP
addresses attempting multiple connections using iptables.
Personally I prefer swatch, but that's largely because I found it
first and understand its configuration.

We generally restrict ssh access to using authorized_keys, and
use tcp_wrappers to further limit access by IP address.

Roaming users can first establish a VPN connection using OpenVPN,
then make any ssh connections via the private VPN tunnel.

Bill
--
INTERNET:   bill at celestial.com  Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/  PO Box 820; 6641 E. Mercer Way
FAX:            (206) 232-9186  Mercer Island, WA 98040-0820; (206) 236-1676

Many citizens because of their respect for what only appears to be a law
are cunningly coerced into waiving their rights due to ignorance.
    -- U.S. v. Minker
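The burst-sensitive detection the thread is discussing, as an added Python example (not code from the post, swatch or fail2ban): it parses sshd "Failed password" lines and counts failures per source over a sliding window, so a burst trips on the line that crosses the threshold rather than on the next periodic scan. The log lines are constructed, and the syslog year (absent from the timestamps) is an assumption.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample sshd log lines (syslog format, not captured traffic):
# one source hammering in a burst, one legitimate user with two typos.
SAMPLE_LOG = """\
Jan 30 21:10:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Jan 30 21:10:03 host sshd[1203]: Failed password for invalid user test from 203.0.113.7 port 40130 ssh2
Jan 30 21:10:04 host sshd[1205]: Failed password for root from 203.0.113.7 port 40135 ssh2
Jan 30 21:10:06 host sshd[1207]: Failed password for invalid user oracle from 203.0.113.7 port 40140 ssh2
Jan 30 21:10:07 host sshd[1209]: Failed password for invalid user guest from 203.0.113.7 port 40144 ssh2
Jan 30 21:10:09 host sshd[1211]: Accepted publickey for bill from 198.51.100.22 port 51000 ssh2
Jan 30 21:15:30 host sshd[1220]: Failed password for bill from 198.51.100.22 port 51002 ssh2
Jan 30 21:25:30 host sshd[1230]: Failed password for bill from 198.51.100.22 port 51010 ssh2
"""

# Matches both "Failed password for <user>" and "... for invalid user <user>".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

def parse_ts(ts, year=2008):
    """syslog timestamps carry no year; the year used here is an assumption."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def bursting_sources(log_text, threshold=5, window_seconds=60):
    """Return {ip: time_tripped} for every source that reaches `threshold`
    failed logins within any `window_seconds` span.  Feed it lines as they
    arrive (a swatch/fail2ban style tail) and the burst is caught at once."""
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    tripped = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue               # accepted logins and other events are ignored
        ip, now = m.group("ip"), parse_ts(m.group("ts"))
        q = recent[ip]
        q.append(now)
        while (now - q[0]).total_seconds() > window_seconds:
            q.popleft()            # slide the window: drop failures that aged out
        if len(q) >= threshold and ip not in tripped:
            tripped[ip] = now      # this is where a blocking/alerting hook would run
    return tripped
```

A legitimate user with a few spread-out failures never reaches the threshold inside the window, which is the property that keeps such a hook from locking out your own people.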