Re: Ideas for stopping ssh brute force attacks




On Tue, July 22, 2008 11:57, MHR wrote:
> On Tue, Jul 22, 2008 at 8:16 AM, David Dyer-Bennet <dd-b@xxxxxxxx> wrote:
>>
>> The next step up from that is some form of "port knocking" scheme --
>> where the outsider must first attempt to connect to some particular
>> *other* port to trigger ssh to be ready to listen on the (non-standard)
>> SSH port.
>>
>> On the other hand, why are people so worried about SSH scans?  I'm
>> worried about who actually gets in, not who connects to the port.
>> Strong password quality enforcement, or maybe requiring public-key
>> authentication, seem like a more useful response.  (I'm seeing a lot of
>> failed ssh connects myself right now.  Another system here has been
>> blocking every /24 we get a failed connect from, with the result that
>> they had to add a special rule to let my home systems log in!  This
>> could easily result in my being unable to get in from arbitrary
>> locations in the field in an emergency, which seems not good.)
>
> You have, perhaps, heard of denial-of-service attacks?

Yes, but if there are *any* ports exposed, seems like those are equally
possible.  For that matter, if my ports were all closed, they could still
be sending enough packets up my link that I was DOSed pretty much into
oblivion.
-- 
David Dyer-Bennet, dd-b@xxxxxxxx; http://dd-b.net/
Snapshots: http://dd-b.net/dd-b/SnapshotAlbum/data/
Photos: http://dd-b.net/photography/gallery/
Dragaera: http://dragaera.info

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
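
Added example, not part of the original message or the list archive: the lockout side effect of "block every /24 we get a failed connect from" described above, compared with blocking only single hosts that reach a failure threshold, with an allowlist standing in for the "special rule". The log lines are constructed (documentation address ranges), and the function names, the threshold of 3 and the IPv4-only handling are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sshd log lines; addresses are from documentation ranges.
SAMPLE_LOG = """\
Jul 22 11:40:01 host sshd[2101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Jul 22 11:40:03 host sshd[2102]: Failed password for invalid user admin from 203.0.113.7 port 40113 ssh2
Jul 22 11:40:05 host sshd[2103]: Failed password for root from 203.0.113.7 port 40114 ssh2
Jul 22 11:41:10 host sshd[2110]: Failed password for dd from 198.51.100.20 port 51000 ssh2
Jul 22 11:41:30 host sshd[2111]: Accepted publickey for dd from 198.51.100.20 port 51002 ssh2
""".splitlines()

FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port")


def failed_sources(lines):
    """Count failed password attempts per source address (IPv4 assumed)."""
    counts = Counter()
    for line in lines:
        m = FAILED.search(line)
        if m:
            counts[ipaddress.ip_address(m.group(1))] += 1
    return counts


def block_every_slash24(lines):
    """Policy from the message: a single failure blocks the whole /24."""
    return {ipaddress.ip_network(f"{ip}/24", strict=False)
            for ip in failed_sources(lines)}


def block_hosts_over(lines, threshold):
    """Alternative: block only single hosts at or above the threshold."""
    return {ipaddress.ip_network(f"{ip}/32")
            for ip, n in failed_sources(lines).items() if n >= threshold}


def is_blocked(addr, blocked, allowlist=()):
    """Allowlist entries (the 'special rule') take priority over blocks."""
    ip = ipaddress.ip_address(addr)
    if any(ip in ipaddress.ip_network(a) for a in allowlist):
        return False
    return any(ip in net for net in blocked)
```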
