Re: Ideas for stopping ssh brute force attacks

Provided you have ssh set up to ensure that root cannot login directly
and/or keys instead of passwords must be used, you aren't in much danger
of being compromised.

To ensure the logs are mostly kept clean however, you need yet another
solution such as changing the port, port-knocking, or a script such as
fail2ban, denyhosts and blockhosts.

fail2ban is a script which writes blacklisted IPs to iptables then
denies them access to every service including ftp and http, not just
ssh.

Because I don't believe a solution such as fail2ban will scale (it can't
be healthy having tens of thousands of IPs in iptables), I use denyhosts
on my servers and have done so successfully for the past 12 months.
Denyhosts is a script which writes blacklisted IPs to hosts.deny,
preventing them from accessing ssh as well as any other service which
uses tcp wrappers. It has a truly wonderful feature where you can sync
your results with a central server to share IPs for banning. This means
my servers now have about 12000 IPs which are permanently blacklisted.
There are just two disadvantages with denyhosts: with a large number of
entries in hosts.deny, there is a noticeable delay (several seconds in
my case) when logging in with ssh. And you can only deny requests which
use tcp wrappers.

I've never used Blockhosts, but I believe it is similar to fail2ban, in
that it can disallow blacklisted IPs from accessing any service, not
just ssh.

Just one other thing: if you use a script, you need to be careful you
don't accidentally ban your own IP (by entering a wrong password too
many times) when accessing a remote server. :/

Whatever you decide to use, the more security you have, the more
awkward it will be to access your own server/s.

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
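
The hosts.deny approach and the self-ban caveat from the message above, as an added example that is not part of the original post and is not DenyHosts' own code. The log lines are constructed, and the function names, the threshold of 3 and the allowlisted network are assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the format sshd writes to /var/log/secure.
SAMPLE_LOG = """\
Jan 10 03:12:01 host sshd[2101]: Failed password for root from 203.0.113.7 port 40022 ssh2
Jan 10 03:12:03 host sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 40023 ssh2
Jan 10 03:12:05 host sshd[2103]: Failed password for invalid user test from 203.0.113.7 port 40024 ssh2
Jan 10 03:15:40 host sshd[2110]: Failed password for alice from 198.51.100.20 port 51000 ssh2
Jan 10 03:15:44 host sshd[2110]: Failed password for alice from 198.51.100.20 port 51000 ssh2
Jan 10 03:15:49 host sshd[2110]: Failed password for alice from 198.51.100.20 port 51000 ssh2
Jan 10 03:16:02 host sshd[2110]: Accepted password for alice from 198.51.100.20 port 51000 ssh2
Jan 10 04:00:00 host sshd[2200]: Failed password for root from 192.0.2.55 port 33000 ssh2
"""

# Anchored at end of line so text inside the username field cannot be
# mistaken for the source address.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?.* from (\S+) port \d+ ssh2$"
)

def find_offenders(log_text, threshold=3, allowlist=()):
    """Return sorted IPs with >= threshold failed logins, skipping allowlisted networks."""
    allowed = [ipaddress.ip_network(net) for net in allowlist]
    counts = Counter()
    for line in log_text.splitlines():
        match = FAILED.search(line)
        if not match:
            continue
        try:
            ip = ipaddress.ip_address(match.group(1))
        except ValueError:
            continue  # not an IP literal; ignore rather than guess
        if any(ip in net for net in allowed):
            continue  # never ban our own admin networks
        counts[str(ip)] += 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)

def hosts_deny_lines(ips, service="sshd"):
    """Format offenders as tcp wrappers entries for hosts.deny."""
    return [f"{service}: {ip}" for ip in ips]

if __name__ == "__main__":
    offenders = find_offenders(SAMPLE_LOG, allowlist=["198.51.100.0/24"])
    print("\n".join(hosts_deny_lines(offenders)))
```

Here 198.51.100.20 mistyped a password three times before logging in successfully; without the allowlist it would be written to hosts.deny alongside the real offender.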