NetBSD-Users archive


Re: ssh scans



I don't accept passwords at all, only public/private key authentication.
Just make sure that you have a /home/user/.ssh/authorized_keys2 file and
put this in /etc/ssh/sshd_config

# SSH protocol 2 only; the protocol-1-only keywords below are then inert
Protocol 2
# seconds an unauthenticated connection may stay open (OpenSSH default: 120)
LoginGraceTime 600
PermitRootLogin no
# refuse key files and directories with lax ownership or permissions
StrictModes yes
# protocol-1 RSA authentication (not the same thing as protocol-2 public keys)
RSAAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys2
# no host-based trust
RhostsRSAAuthentication no
HostbasedAuthentication no
# no password-style methods of any kind
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePAM no
# don't block on a reverse DNS lookup for every connecting address
UseDNS no
Subsystem       sftp    /usr/libexec/sftp-server

and restart ssh of course.

The attacker will probably not even be able to negotiate an
authentication method, and I don't think that gets logged.

The downside is that you can't log in without a key file, but I just keep
a copy on the memory of my mobile phone, which I can easily transfer to a
client PC if I need to use someone else's computer to log in.

regards, Philip


Rhialto wrote:
> On Mon 26 Oct 2009 at 12:42:57 -0700, David Wetzel wrote:
>> Hi,
>>
>> I am seeing a lot of ssh scans and I am wondering if somebody has a  
>> solution like adding the bad hosts temporary to pf.conf or so?
> 
> I use pam_af, which hooks into PAM. It is in pkgsrc: security/pam-af.
> It blocks IP addresses that try (and fail) more than N logins in M
> seconds for O time.
> 
> The bad guys try to get around this, however. I have seen login attempts
> with fairly consistent interval from all kinds of different sources.
> That clearly was coordinated, since the interval always was between 1 and
> 3 minutes.
> 
> I wish sshd would log passwords in these cases. I'm quite interested in
> knowing which passwords they try.
> 
> -Olaf.
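An added check for the sshd_config recipe above (this is example code written for this archive page, not code from the original post and not OpenSSH's parser). It resolves the values sshd will actually use from the text of an sshd_config and reports anything that still allows password logins. Two sshd_config rules matter here and are easy to get wrong when editing by hand: keywords are case-insensitive (and "Key value" and "Key=value" are both accepted), and for each keyword the first occurrence in the file wins, so hardened lines appended below a stock "PasswordAuthentication yes" change nothing. The DEFAULTS table is an assumption about OpenSSH's built-in defaults; the authoritative check on a live host is `sshd -T`, which prints the effective configuration (with `-C` to evaluate Match blocks).

```python
"""Added example (not from the original post, not OpenSSH code): resolve
the values sshd will actually use from an sshd_config text and flag any
that still allow password logins.

sshd_config rules modelled here:
  * keywords are case-insensitive; "Key value" and "Key=value" both work;
  * for each keyword the FIRST occurrence in the file wins;
  * everything after a "Match" line is conditional and is left out here.
DEFAULTS is an assumption about OpenSSH's built-in defaults; confirm on the
target host with `sshd -T`.
"""
import re

KEYWORD_RE = re.compile(r"^([A-Za-z0-9]+)\s*=?\s*(.*)$")

# Assumed built-in defaults (lower-cased keyword -> value).
DEFAULTS = {
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "yes",
    "permitemptypasswords": "no",
}

# What a key-only setup, as described in the post, needs.
REQUIRED = {
    "passwordauthentication": "no",
    "challengeresponseauthentication": "no",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "no",
    "permitemptypasswords": "no",
}


def effective_config(text):
    """Return {lower-cased keyword: raw value} using first-occurrence-wins.
    Lines after a Match directive are skipped: they apply only to matching
    connections and must be inspected separately (sshd -T -C ... does that)."""
    effective = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEYWORD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            in_match = True
        if in_match:
            continue
        effective.setdefault(key, value)      # first value wins, later ones ignored
    return effective


def weak_settings(text):
    """Sorted [(keyword, effective_value, required_value)] for every keyword
    whose effective value (or built-in default) differs from REQUIRED."""
    eff = effective_config(text)
    problems = []
    for key, want in REQUIRED.items():
        have = eff.get(key, DEFAULTS[key]).lower()
        if have != want:
            problems.append((key, have, want))
    return sorted(problems)


# Constructed sample: the relevant lines from the post.
HARDENED = """\
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePAM no
"""

# Constructed sample: hardened lines appended below a stock file without
# removing the earlier ones; sshd keeps the first value it saw.
APPENDED = """\
# stock file (constructed sample)
Protocol 2
PasswordAuthentication yes
ChallengeResponseAuthentication yes

# --- added later ---
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
"""

if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED), ("appended", APPENDED)):
        print(name, weak_settings(cfg) or "ok")
```

Run as-is, the "hardened" sample passes and the "appended" sample is reported with password and challenge-response authentication still effectively "yes", which is exactly what `sshd -T | grep -i passwordauthentication` would show on such a host.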

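An added worked example for the pam_af-style rule Olaf describes (block an address after N failed logins within M seconds, for O seconds) and for the coordinated slow scans he mentions. This is illustration code written for this page, not pam_af and not code from the thread: it runs the per-address rule over constructed sshd log lines, then counts distinct source addresses per target user, which is where a many-source, one-attempt-each scan shows up even though no single address ever crosses the per-address threshold. The log line shape, host name, thresholds and addresses (RFC 5737 documentation ranges) are assumptions made for the example.

```python
"""Added example (not pam_af, not code from the thread): a pam_af-style
per-address block rule run over constructed sshd log lines, next to a
per-target count that still exposes a slow, many-source scan. Log line
shape, host name, thresholds and addresses are assumptions for the example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Failed-password line as OpenSSH logs it through syslog (assumed shape).
FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def _seconds(ts):
    """Timestamp as seconds. The line carries no year, so only differences
    within one year are meaningful, which is all a window needs."""
    dt = datetime.strptime(ts, "%b %d %H:%M:%S")
    return (dt - datetime(1900, 1, 1)).total_seconds()


def parse_failures(lines):
    """Return [(t, ip, user)] for every failed-password line, in log order."""
    events = []
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            events.append((_seconds(m["ts"]), m["ip"], m["user"]))
    return events


def pam_af_blocks(events, n, m, o):
    """Block an address on its n-th failure within m seconds, for o seconds.
    Returns {ip: (block_start, block_end)} for the latest block per address;
    attempts arriving during an active block are not counted again."""
    recent = defaultdict(deque)        # ip -> failure times inside the window
    blocks = {}
    for t, ip, _user in events:
        if ip in blocks and t < blocks[ip][1]:
            continue                   # still blocked
        q = recent[ip]
        q.append(t)
        while t - q[0] > m:            # expire attempts older than the window
            q.popleft()
        if len(q) >= n:
            blocks[ip] = (t, t + o)
            q.clear()
    return blocks


def distributed_targets(events, window, min_sources):
    """Per target user: the largest number of distinct source addresses seen
    within any window-second span. A coordinated slow scan keeps every
    address under the per-address threshold, but not under this count."""
    by_user = defaultdict(list)
    for t, ip, user in events:
        by_user[user].append((t, ip))
    flagged = {}
    for user, hits in by_user.items():
        hits.sort()
        best, start = 0, 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            best = max(best, len({ip for _t, ip in hits[start:end + 1]}))
        if best >= min_sources:
            flagged[user] = best
    return flagged


# Constructed log lines: one noisy scanner, then six sources that each try
# once at roughly two-minute intervals, plus a legitimate login as noise.
SAMPLE_LOG = [
    "Oct 26 12:42:57 gw sshd[1201]: Failed password for root from 192.0.2.10 port 41234 ssh2",
    "Oct 26 12:43:01 gw sshd[1203]: Failed password for invalid user admin from 192.0.2.10 port 41240 ssh2",
    "Oct 26 12:43:05 gw sshd[1205]: Failed password for invalid user test from 192.0.2.10 port 41251 ssh2",
    "Oct 26 12:43:10 gw sshd[1207]: Failed password for root from 192.0.2.10 port 41260 ssh2",
    "Oct 26 12:43:17 gw sshd[1209]: Failed password for root from 192.0.2.10 port 41262 ssh2",
    "Oct 26 12:50:00 gw sshd[1301]: Failed password for root from 198.51.100.1 port 50001 ssh2",
    "Oct 26 12:52:11 gw sshd[1302]: Failed password for root from 198.51.100.2 port 50002 ssh2",
    "Oct 26 12:54:03 gw sshd[1303]: Failed password for root from 198.51.100.3 port 50003 ssh2",
    "Oct 26 12:56:40 gw sshd[1304]: Failed password for root from 198.51.100.4 port 50004 ssh2",
    "Oct 26 12:58:29 gw sshd[1305]: Failed password for root from 198.51.100.5 port 50005 ssh2",
    "Oct 26 13:00:55 gw sshd[1306]: Failed password for root from 198.51.100.6 port 50006 ssh2",
    "Oct 26 13:01:00 gw sshd[1307]: Accepted publickey for philip from 203.0.113.7 port 50100 ssh2",
]

if __name__ == "__main__":
    evts = parse_failures(SAMPLE_LOG)
    print("per-address blocks (3 in 60s, 600s):", pam_af_blocks(evts, 3, 60, 600))
    print("users hit from >=5 sources in 15 min:", distributed_targets(evts, 900, 5))
```

With these thresholds only 192.0.2.10 is blocked; the six 198.51.100.x sources never exceed one failure each, so a per-address rule alone never sees them, while the per-user count reports "root" hit from six distinct addresses inside a fifteen-minute span. On a real host the same split applies: per-address blocking (pam_af, or a pf table fed from the log) handles the noisy scanners, and the slow coordinated ones are only visible in an aggregate view.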

