[CentOS] Ideas for stopping ssh brute force attacks

Mon Jul 21 22:47:36 UTC 2008
Bill Campbell <centos at celestial.com>

On Tue, Jul 22, 2008, D Steward wrote:
>On Mon, 2008-07-21 at 17:09 -0500, Tim Nelson wrote:
>> When using denyhosts, you'll want to keep your IP's in hosts.allow so even if you're "banned" you can still get access. :-)
>
>Yup.
>Unfortunately, my ISP's plan uses dynamic IPs, so I have to enter
>various subnets to stay safe. :(

If you do not allow password authentication and use good
passphrases on your identity, the only thing really gained by
restricting on IP ranges is restricting the number of reject
messages in your log files.  The fail2ban program does a nice job
of limiting the number of rejection messages in the logs.

Another possibility is to set up OpenVPN on your system, which
authenticates with SSL certificates and works nicely even from
dynamic IPs behind NAT.  Then you can ssh into the private LAN
behind your firewall via OpenVPN.

Bill
-- 
INTERNET:   bill at celestial.com  Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/  PO Box 820; 6641 E. Mercer Way
Voice:          (206) 236-1676  Mercer Island, WA 98040-0820
Fax:            (206) 232-9186

Foreign aid might be defined as a transfer from poor people in rich
countries to rich people in poor countries -- Douglas Casey
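The point Bill makes above is that IP restrictions and fail2ban only trim log noise once password logins are off. The following shell script is an added example, not code from the thread or from any of the tools mentioned: it audits an sshd_config for that key-only setup. It assumes OpenSSH's documented keyword semantics (first occurrence of a keyword wins, comment lines ignored, keywords case-insensitive, `PasswordAuthentication`, `ChallengeResponseAuthentication` and `PubkeyAuthentication` all defaulting to yes) and uses two constructed sample config files so it runs offline.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: audit an sshd_config for
# the key-only setup described in the post (password authentication off,
# public-key authentication on) before relying on IP allow-lists or fail2ban.
set -u

# Effective value of a keyword in sshd_config. sshd uses the first match
# (later duplicates are ignored), skips comment lines, and treats keywords
# case-insensitively. Prints the lower-cased value, or $3 when unset.
sshd_effective() {
    # $1 = path to sshd_config, $2 = keyword, $3 = compiled-in default
    v=$(grep -i "^[[:space:]]*$2[[:space:]]" "$1" 2>/dev/null \
        | head -n 1 | awk '{print tolower($2)}')
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$3"; fi
}

# Number of Match blocks: settings inside them override the global values
# for some clients, so a clean global result is not the whole story.
sshd_match_blocks() {
    grep -ic '^[[:space:]]*match[[:space:]]' "$1" 2>/dev/null || true
}

# Returns 0 when the global settings allow key-based logins only.
# ChallengeResponseAuthentication matters because PAM keyboard-interactive
# still accepts a password when only PasswordAuthentication is turned off.
sshd_key_only() {
    pw=$(sshd_effective "$1" PasswordAuthentication yes)
    cr=$(sshd_effective "$1" ChallengeResponseAuthentication yes)
    pk=$(sshd_effective "$1" PubkeyAuthentication yes)
    [ "$pw" = no ] && [ "$cr" = no ] && [ "$pk" = yes ]
}

# Human-readable report for one config file.
sshd_report() {
    printf '== %s\n' "$1"
    for kw in PasswordAuthentication ChallengeResponseAuthentication \
              PubkeyAuthentication PermitRootLogin; do
        printf '  %-34s %s\n' "$kw" "$(sshd_effective "$1" "$kw" yes)"
    done
    printf '  %-34s %s\n' "Match blocks" "$(sshd_match_blocks "$1")"
    if sshd_key_only "$1"; then
        echo "  verdict: key-only (IP limits and fail2ban only trim log noise)"
    else
        echo "  verdict: passwords still accepted; a guessing attack can succeed"
    fi
}

# Constructed sample configs (no real host); written to a temp dir so the
# script runs offline.
TMPD=$(mktemp -d)
cat > "$TMPD/weak.conf" <<'EOF'
# The commented line below must be ignored, exactly as sshd ignores it
#PasswordAuthentication no
Protocol 2
PasswordAuthentication yes
EOF
cat > "$TMPD/hardened.conf" <<'EOF'
Protocol 2
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin without-password
Match Address 192.0.2.0/24
    PasswordAuthentication yes
EOF

sshd_report "$TMPD/weak.conf"
sshd_report "$TMPD/hardened.conf"
```

Run it against `/etc/ssh/sshd_config` by pointing `sshd_report` at that path instead of the samples. The Match-block count is reported rather than evaluated because per-client overrides need sshd's own parser; on OpenSSH releases that support it, `sshd -T` prints the effective configuration and is the more reliable check. After changing the file, confirm from a second session that a password-only client is refused before closing the key-based one.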