Here's what I do:

1) Add a group on your system that all shell users are a part of. For me, this group was called 'shellaccess' and root was _not_ in the group.

2) Create a public/private key pair for root. (man ssh-keygen, I recommend -t rsa -b 2048)

3) Install the public key in ~root/.ssh/authorized_keys

4) Add these lines to your sshd_config:

    # Root can only authenticate with keys
    PermitRootLogin without-password
    AllowGroups shellaccess

5) Create a table that all traffic passes through, I use SSHD:

    iptables -N SSHD
    iptables -I INPUT -j SSHD

6) Download and install sec.pl (search google)

7) Configure sec.pl to automatically block ip addresses after 5 unsuccessful login attempts by using a badhost script, here's mine:

    #!/bin/bash
    #
    # Block a Host: add $1 as a DROP rule in the SSHD chain, creating the
    # chain and hooking it into INPUT first if they are not there yet.
    IPTABLES=/usr/local/sbin/iptables
    CHAIN=SSHD
    INTOCHAIN="INPUT"
    HOST="$1"
    if [ -z "$HOST" ]; then
        echo "usage: $0 <ip-address>" >&2
        exit 1
    fi
    #
    # Create the chain if it does not exist yet
    LINE=`${IPTABLES} -nL | grep Chain | grep -w "$CHAIN" | wc -l`
    if [ "$LINE" -eq 0 ]; then
        $IPTABLES -N "$CHAIN"
    fi
    #
    # Add the jump to the main chain if it is not there yet
    LINE=`${IPTABLES} -nL ${INTOCHAIN} | grep -w "$CHAIN" | wc -l`
    if [ "$LINE" -eq 0 ]; then
        $IPTABLES -I "$INTOCHAIN" -j "$CHAIN"
    fi
    #
    # Check for the IP in the rule; only add a DROP rule once per host
    LINE=`${IPTABLES} -nL ${CHAIN} | grep -w "$HOST" | wc -l`
    if [ "$LINE" -eq 0 ]; then
        $IPTABLES -I "$CHAIN" -s "$HOST" -j DROP
    fi

If you want to get more creative, fine. This setup has worked for me by limiting the accounts that can be accessed over ssh, eliminating the root password compromise, and actively blocking all machines that will not quit. I've looked into tarpitting and expiring those rules in my SSHD table, but it's never really caused a problem. There are multiple places I can connect to my server from, so if I do accidentally block myself, I can undo it fairly easily.

I'd also recommend that you make sure you have:

    Protocol 2

in your sshd_config.

fender wrote:
> On 1/31/07, Dominic Caputo <jec6jec6@xxxxxxxxx> wrote:
>
> About the problem with ssh brute force attacks, you can use portknocking [1].
> There are several portknocking projects, but you can use portknocko project [2].
> This is a netfilter module that implements portknocking in an easy way.
> This module works in kernel 2.6.15, for now. It will work in newer versions
> soon. We need more feedback about this project.
>
> We will be thankful for your comments.
>
> [1] http://www.portknocking.org
> [2] http://portknocko.berlios.de
>
> --
> Federico

--
Brad Lhotsky <lhotskyb@xxxxxxxxxxxxxxx>
NCTS Computer Specialist
Phone: 410.558.8006
"Freedom, Privacy, Security. Choose Two."
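The counting side of step 7, as an added example that is not part of Brad's post or of sec.pl: a shell function that tallies OpenSSH "Failed password" lines per source address and lists the addresses that reached the threshold, plus a dry-run wrapper that prints the badhost call instead of touching iptables. The log lines are constructed samples, and the /usr/local/sbin/badhost path is an assumption taken from the script above.

```shell
#!/bin/bash
# Added example: detect repeated failed sshd logins from an auth log.
# Assumes OpenSSH's "Failed password for ... from <ip> port <n>" format.

# Print "<count> <ip>" for every IP with at least $2 (default 5)
# failed password attempts in the log file $1.
ssh_offenders() {
    log="$1"; threshold="${2:-5}"
    grep -E 'sshd\[[0-9]+\]: Failed password for' "$log" \
      | sed -nE 's/.* from ([0-9]+(\.[0-9]+){3}) port .*/\1/p' \
      | sort | uniq -c \
      | awk -v t="$threshold" '$1 >= t { print $1, $2 }'
}

# Dry run: show what would be blocked instead of calling badhost.
# (Assumed path, matching the script in the post; not verified here.)
block_offenders() {
    ssh_offenders "$1" "$2" | while read -r count ip; do
        echo "/usr/local/sbin/badhost $ip   # $count failures"
    done
}

# Constructed sample log: five failures from one host, one from another,
# and one successful key login that must not count.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Jan 31 10:00:01 host sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 40211 ssh2
Jan 31 10:00:02 host sshd[1202]: Failed password for root from 198.51.100.7 port 40212 ssh2
Jan 31 10:00:03 host sshd[1203]: Failed password for root from 198.51.100.7 port 40213 ssh2
Jan 31 10:00:04 host sshd[1204]: Failed password for invalid user test from 198.51.100.7 port 40214 ssh2
Jan 31 10:00:05 host sshd[1205]: Failed password for root from 198.51.100.7 port 40215 ssh2
Jan 31 10:00:06 host sshd[1206]: Failed password for bob from 203.0.113.9 port 50001 ssh2
Jan 31 10:00:07 host sshd[1207]: Accepted publickey for root from 192.0.2.4 port 51000 ssh2
EOF

block_offenders "$SAMPLE_LOG" 5
```

Swap the echo in block_offenders for the real badhost call once the counts look right; sec.pl does the same job continuously on the live log rather than on a finished file.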