[CentOS] Ideas for stopping ssh brute force attacks

Tue Jul 22 17:07:37 UTC 2008
David Dyer-Bennet <dd-b at dd-b.net>

On Tue, July 22, 2008 11:57, MHR wrote:
> On Tue, Jul 22, 2008 at 8:16 AM, David Dyer-Bennet <dd-b at dd-b.net> wrote:
>>
>> The next step up from that is some form of "port knocking" scheme --
>> where the outsider must first attempt to connect to some particular
>> *other* port to trigger ssh to be ready to listen on the (non-standard)
>> SSH port.
>>
>> On the other hand, why are people so worried about SSH scans?  I'm
>> worried about who actually gets in, not who connects to the port.
>> Strong password quality enforcement, or maybe requiring public-key
>> authentication, seem like a more useful response.  (I'm seeing a lot of
>> failed ssh connects myself right now.  Another system here has been
>> blocking every /24 we get a failed connect from, with the result that
>> they had to add a special rule to let my home systems log in!  This
>> could easily result in my being unable to get in from arbitrary
>> locations in the field in an emergency, which seems not good.)
>
> You have, perhaps, heard of denial-of-service attacks?

Yes, but if there are *any* ports exposed, it seems like those are equally
possible.  For that matter, if my ports were all closed, they could still
be sending enough packets up my link that I was DoSed pretty much into
oblivion.
-- 
David Dyer-Bennet, dd-b at dd-b.net; http://dd-b.net/
Snapshots: http://dd-b.net/dd-b/SnapshotAlbum/data/
Photos: http://dd-b.net/photography/gallery/
Dragaera: http://dragaera.info
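An added example, not from the thread or its participants, of the per-/24 blocking the message describes, with an explicit allowlist so the admin's own networks can never be locked out the way the poster's home systems were. The sshd log lines, the hostnames and the 198.51.100.0/24 "admin network" are constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample sshd log lines (not taken from the original thread).
SAMPLE_LOG = """\
Jul 22 16:58:01 host sshd[4021]: Failed password for invalid user admin from 203.0.113.17 port 51234 ssh2
Jul 22 16:58:03 host sshd[4022]: Failed password for invalid user oracle from 203.0.113.18 port 51240 ssh2
Jul 22 16:58:05 host sshd[4023]: Failed password for root from 203.0.113.19 port 51250 ssh2
Jul 22 17:01:10 host sshd[4030]: Failed password for ddb from 198.51.100.7 port 40022 ssh2
Jul 22 17:01:12 host sshd[4031]: Accepted publickey for ddb from 198.51.100.7 port 40023 ssh2
Jul 22 17:02:00 host sshd[4040]: Failed password for invalid user test from 192.0.2.55 port 33000 ssh2
"""

# Matches the standard sshd "Failed password" message; group 2 is the client address.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port"
)

# Hypothetical admin networks that must never be blocked: the "special rule"
# the thread mentions, made explicit instead of bolted on after a lockout.
ADMIN_ALLOWLIST = [ipaddress.ip_network("198.51.100.0/24")]


def failures_per_block(log_text, prefixlen=24):
    """Count failed password attempts per /prefixlen (IPv4), keyed by network string."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue
        block = ipaddress.ip_network((m.group(2), prefixlen), strict=False)
        counts[str(block)] += 1
    return counts


def blocks_to_deny(log_text, threshold=3, prefixlen=24, allowlist=ADMIN_ALLOWLIST):
    """Return /prefixlen blocks at or above threshold, skipping any allowlisted admin network."""
    deny = []
    for block_str, n in failures_per_block(log_text, prefixlen).items():
        if n < threshold:
            continue
        block = ipaddress.ip_network(block_str)
        # Overlap in either direction would cut off the admin's own access paths.
        if any(block.subnet_of(a) or a.subnet_of(block) for a in allowlist):
            continue
        deny.append(block_str)
    return sorted(deny)
```

With the default threshold only the scanning /24 is denied; lowering the threshold to 1 still leaves the allowlisted admin network untouched.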