tech-net archive


Re: shutting out dictionary attacks on ssh passwords



As others have stated, simply switching the Listen() port solves 95%
of your problem-

My own personal approach when forced to use popular software without
mods (as OpenSSH often is) is to combine two different software
packages that both perform the same sorts of access-blocking things-
OpenSSH + Daemontools/any-FW-Package/your custom weirdo script
accessing /proc or parsing netstat output etc-
Software exploits are handled at high levels by this approach-
network-level assault isn't helped by that, but that usually means
you've got a dedicated attacker...
The more distant the packages the better, as automated attacks will be
less and less targeted towards them. Assuming you can write principled
code, your own custom checkpoint script backing up a massively-used
commercial package is about as good as it gets...

As an aside- relying upon "random jackoff's" Perl script that performs
some automated port knocking -> FW interaction or Blacklist addition
etc is just asking for misery/mystery- it's one thing when building
some custom scripting around your stack from your own mind so you are
absolutely intimate with how everything works; it's another when
you're relying on someone else's hack. This isn't meant to knock any
existing examples, but if you can read their code enough to really
well-verify it for your uses, then you could have just written it
yourself, and then there would be no ambiguity in your "Do I really
understand what this thing is doing?" equation.

Think Apollo Mission
Aim Space Shuttle
Achieve Freight Train

Your fail-safe continuance measures are now in line with 5 9's of all
of Humanity- congratulations :)

-SS

-- 
NUNQUAM NON PARATUS

On Mon, Jun 27, 2011 at 6:01 PM, John Nemeth <jnemeth%victoria.tc.ca@localhost> 
wrote:
> On Nov 17,  8:14am, "Erik E. Fair" wrote:
> }
> } For those of us with public IP addresses, what is the most popular
> } and effective way to shut out the various door-knob turners who
> } keep trying account/password combinations against ssh and other such
> } services?
>
>     In my case, move my SSH server to a different port.  I haven't had
> a single dictionary scan since then of which I'm aware.  My current
> logs go back to Nov. 4th, 2009.
>
> }-- End of excerpt from "Erik E. Fair"
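As an added example, not part of the original message or of OpenSSH: the kind of "custom checkpoint script" the reply above argues for, written in POSIX sh so it can be read end to end. It counts "Failed password" lines from sshd per source address and emits firewall commands for repeat offenders. The log lines are constructed for illustration; the pf table name "sshbrute" and the `pfctl -t ... -T add` form are assumptions about the firewall in use, and the script prints the commands rather than running them.

```shell
#!/bin/sh
# Added example: count failed sshd password attempts per source address
# from auth log lines and emit firewall commands for repeat offenders.
# Log lines are constructed for illustration; the pf table "sshbrute"
# and the pfctl invocation are assumptions about the local firewall.

# Constructed sample of sshd auth log lines (not from the original page).
SAMPLE_LOG='Jun 27 18:01:02 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Jun 27 18:01:04 host sshd[1234]: Failed password for invalid user oracle from 203.0.113.5 port 51023 ssh2
Jun 27 18:01:06 host sshd[1234]: Failed password for root from 203.0.113.5 port 51024 ssh2
Jun 27 18:01:07 host sshd[1235]: Failed password for invalid user test from 203.0.113.5 port 51025 ssh2
Jun 27 18:02:10 host sshd[1240]: Failed password for bob from 198.51.100.7 port 40000 ssh2
Jun 27 18:02:11 host sshd[1240]: Accepted publickey for bob from 198.51.100.7 port 40000 ssh2
Jun 27 18:03:30 host sshd[1250]: Failed password for invalid user guest from 192.0.2.9 port 33000 ssh2
Jun 27 18:03:31 host sshd[1250]: Failed password for invalid user guest from 192.0.2.9 port 33001 ssh2
Jun 27 18:03:32 host sshd[1250]: Failed password for invalid user guest from 192.0.2.9 port 33002 ssh2'

# offenders THRESHOLD: read auth log lines on stdin and print "count ip"
# for every source with at least THRESHOLD failed password attempts,
# highest count first. Only sshd "Failed password" lines are counted;
# "Accepted" lines and unrelated noise are ignored.
offenders() {
    threshold="$1"
    awk -v t="$threshold" '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= t) printf "%d %s\n", n[ip], ip }
    ' | sort -rn
}

# block_cmds TABLE: turn "count ip" lines on stdin into pfctl commands
# that add each ip to the named pf table. Commands are printed, not run;
# the operator decides whether to pipe them into sh.
block_cmds() {
    table="$1"
    while read -r count ip; do
        printf 'pfctl -t %s -T add %s\n' "$table" "$ip"
    done
}

# Pipeline over the constructed sample: block sources with 3+ failures.
printf '%s\n' "$SAMPLE_LOG" | offenders 3 | block_cmds sshbrute
```

The script stays useful after sshd is moved to another port, since it keys on the log line rather than the socket. Before feeding its output to the firewall, exclude your own management addresses from the table; a script that blacklists on failed logins will happily lock out the admin who mistypes a password three times.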

