[CentOS] Ideas for stopping ssh brute force attacks

Wed Jul 23 18:35:41 UTC 2008
David Dyer-Bennet <dd-b at dd-b.net>

On Wed, July 23, 2008 12:25, Nifty Cluster Mitch wrote:

> I like 'denyhosts' as a tool to limit these attacks, other good solutions
> also exist.  Most distros now have 'denyhosts' as a prebuilt RPM which
> is a plus IMO (+).  As others remarked disable root logins.  Manage the
> 'su, sudo' list with care and populate the illegal user list aggressively
> based on the attack list observed in the logs.  Users with su, sudo
> privilege should be limited to those that use sshkey login and understand
> what a strong password is.

Denyhosts has some interesting intelligence; I'm particularly pleased by
the bit where it notifies me of dodgy logins (success after some
failures).  I also wonder what's being done to limit the denial-of-service
possibilities of the "synchronization" mode.  (*I* have added lines to
/etc/hosts.allow to let key people in via SSH from their home and personal
servers even if those addresses end up in hosts.deny.)

(And there's a denyhosts rpm in, hmm, I think 'rf' is the rpmforge
repository for CentOS.)

I've been playing for years at a set of services to create firewall
blocking commands based on attacks; delivery of email to spamtrap
addresses, probes to closed ports, failed logins, etc.  Studying the data,
it looks like multiple copies of spam delivered to my host often come from
different IPs, though (makes sense with botnets); that sort of information
has led me to be less aggressive about getting a system actually running.
The SSH attacks I've seen currently *do* seem to come in series from the
same IP, so blocking that has at least some benefit (mostly cleaning up my
logs I suspect).

-- 
David Dyer-Bennet, dd-b at dd-b.net; http://dd-b.net/
Snapshots: http://dd-b.net/dd-b/SnapshotAlbum/data/
Photos: http://dd-b.net/photography/gallery/
Dragaera: http://dragaera.info
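The two behaviours discussed in this thread, blocking an address after a run of failed SSH logins while exempting hosts.allow-style addresses, and notifying on a success that follows failures, as an added example that is not David's tooling or denyhosts code. The log lines are constructed in the format sshd writes to /var/log/secure on CentOS; the threshold and the allow list are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the format sshd writes to /var/log/secure on CentOS.
SAMPLE_LOG = """\
Jul 23 18:01:02 host sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
Jul 23 18:01:05 host sshd[2103]: Failed password for invalid user oracle from 203.0.113.5 port 40002 ssh2
Jul 23 18:01:09 host sshd[2105]: Failed password for root from 203.0.113.5 port 40003 ssh2
Jul 23 18:02:11 host sshd[2110]: Failed password for dd-b from 198.51.100.7 port 51000 ssh2
Jul 23 18:02:15 host sshd[2110]: Failed password for dd-b from 198.51.100.7 port 51000 ssh2
Jul 23 18:02:20 host sshd[2110]: Failed password for dd-b from 198.51.100.7 port 51000 ssh2
Jul 23 18:02:40 host sshd[2112]: Accepted publickey for dd-b from 198.51.100.7 port 51001 ssh2
Jul 23 18:03:00 host sshd[2120]: Failed password for root from 192.0.2.9 port 60000 ssh2
Jul 23 18:03:04 host sshd[2120]: Failed password for root from 192.0.2.9 port 60000 ssh2
Jul 23 18:03:09 host sshd[2122]: Accepted password for root from 192.0.2.9 port 60001 ssh2
"""

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<kind>Failed|Accepted) \w+ for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+(?:\.\d+){3}) port \d+"
)

def parse_line(line):
    """Return (kind, user, ip) for a login line, or None for anything else."""
    m = LINE_RE.search(line)
    return (m.group("kind"), m.group("user"), m.group("ip")) if m else None

def analyze(log_text, threshold=3, allow=frozenset()):
    """Return (addresses to block, successes that followed failures).
    threshold: failures from one address before it is blocked; allow: addresses
    exempt from blocking, like the hosts.allow entries above (still reported)."""
    failures = defaultdict(int)
    blocked, flagged = set(), []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        kind, user, ip = parsed
        if kind == "Failed":
            failures[ip] += 1
            if failures[ip] >= threshold and ip not in allow:
                blocked.add(ip)
        else:
            if failures[ip]:
                flagged.append((ip, user, failures[ip]))
            failures[ip] = 0  # a success ends the failure run
    return blocked, flagged

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG, allow={"198.51.100.7"}))
```

The exempt address 198.51.100.7 is never blocked, but its login after three failures is still reported, as is the root login from 192.0.2.9, which stayed under the block threshold.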