[CentOS] Ideas for stopping ssh brute force attacks

Tue Jul 22 15:16:44 UTC 2008
David Dyer-Bennet <dd-b at dd-b.net>

On Tue, July 22, 2008 09:34, Rudi Ahlers wrote:

> By changing the ports on all our servers to a high (above 1024) port, we
> have eliminated SSH scans altogether - been running like that for a few
> years now without any problems.

The next step up from that is some form of "port knocking" scheme -- where
the outsider must first attempt to connect to some particular *other* port
to trigger ssh to be ready to listen on the (non-standard) SSH port.

On the other hand, why are people so worried about SSH scans?  I'm worried
about who actually gets in, not who connects to the port.  Strong password
quality enforcement, or maybe requiring public-key authentication, seem
like a more useful response.  (I'm seeing a lot of failed ssh connects
myself right now.  Another system here has been blocking every /24 we get
a failed connect from, with the result that they had to add a special rule
to let my home systems log in!  This could easily result in my being
unable to get in from arbitrary locations in the field in an emergency,
which seems not good.)
-- 
David Dyer-Bennet, dd-b at dd-b.net; http://dd-b.net/
Snapshots: http://dd-b.net/dd-b/SnapshotAlbum/data/
Photos: http://dd-b.net/photography/gallery/
Dragaera: http://dragaera.info
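To make the trade-off in the message above concrete, here is an added example (not from the thread or its authors) that tallies failed-password lines from sshd per source /24, the way the "block every /24" setup described above would, and shows how a trusted-host allowlist is needed to keep a legitimate address in a noisy /24 from being locked out. The log lines, the threshold and the allowlisted address are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sshd log excerpt (sample data, not from the list archive).
SAMPLE_LOG = """\
Jul 22 15:01:02 host sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 41022 ssh2
Jul 22 15:01:05 host sshd[2102]: Failed password for invalid user oracle from 203.0.113.7 port 41030 ssh2
Jul 22 15:01:09 host sshd[2103]: Failed password for root from 203.0.113.44 port 52010 ssh2
Jul 22 15:02:11 host sshd[2104]: Failed password for ddb from 198.51.100.20 port 50100 ssh2
Jul 22 15:02:20 host sshd[2105]: Accepted publickey for ddb from 198.51.100.20 port 50101 ssh2
Jul 22 15:03:00 host sshd[2106]: Failed password for invalid user test from 192.0.2.9 port 33000 ssh2
"""

FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for .* from (\d+\.\d+\.\d+\.\d+) port")


def failed_sources(log_text):
    """Return the source IP of every 'Failed password' line, in log order."""
    return [m.group(1) for line in log_text.splitlines() if (m := FAILED_RE.search(line))]


def block_hosts(ips, threshold=3):
    """Per-host policy: block only addresses that reach the failure threshold."""
    counts = Counter(ips)
    return sorted((ip for ip, n in counts.items() if n >= threshold), key=ipaddress.ip_address)


def blocks_per_24(ips, threshold=3, allow=()):
    """Per-/24 policy: aggregate failures by /24 and block the whole network.

    'allow' is a list of trusted hosts or networks (assumed, e.g. an admin's
    home systems); any /24 overlapping a trusted entry is never blocked, which
    is the 'special rule' the message above says had to be added by hand.
    """
    allow_nets = [ipaddress.ip_network(a, strict=False) for a in allow]
    counts = Counter(ipaddress.ip_network(f"{ip}/24", strict=False) for ip in ips)
    blocked = []
    for net in sorted(counts):
        if counts[net] < threshold:
            continue
        if any(net.overlaps(a) for a in allow_nets):
            continue  # would lock out a trusted address sharing this /24
        blocked.append(str(net))
    return blocked


if __name__ == "__main__":
    ips = failed_sources(SAMPLE_LOG)
    print("per-host blocks:", block_hosts(ips, threshold=2))
    print("per-/24 blocks, no allowlist:", blocks_per_24(ips, threshold=1))
    print("per-/24 blocks, home host allowlisted:",
          blocks_per_24(ips, threshold=1, allow=["198.51.100.20/32"]))
```

With threshold 1 and no allowlist the /24 containing the legitimate user's single failed attempt is blocked along with the scanners' networks; the allowlist entry is what keeps that user reachable.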