tech-net archive
Re: shutting out dictionary attacks on ssh passwords
On 06/27/11 21:38, Erik E. Fair wrote:
> For those of us with public IP addresses, what is the most popular
> and effective way to shut out the various door-knob turners who
> keep trying account/password combinations against ssh and other such
> services?
>
> I'm tired of spew on the consoles and log entries ... and I'd prefer
> to shut the door-knob turners out than silence the screaming daemons.
>
> Erik <fair%netbsd.org@localhost>
I've found that disabling password authentication completely and using a
pf overload rule is the best solution.
Usually I clear the addresses in the overload table once a week.
As someone else mentioned, moving the service to another port mostly
makes it a moot issue. I don't usually do this because people assume
sshd will be listening on port 22. There's a tradeoff; with the pf rule
I find that the logs don't get that much spammed -- the way I have it
configured, usually after 2 attempts that IP is blocked for a week.
If you can't move the port, and disabling password auths is an option,
the pf overload rule does a good job. Lower MaxAuthTries @ sshd_config too.
However, if disabling passwords isn't a possibility, I guess another
solution would be enforcing strong passwords on NetBSD.
Regards,
Hugo
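An added pf.conf fragment illustrating the overload rule described in the reply above; it is not Hugo's configuration. The interface name, the table names and the 2-connections-per-60-seconds threshold are assumptions chosen to match the "2 attempts" mentioned in the reply.

```pf
# Added example, not taken from the thread. Interface and table names are
# assumptions; adjust to the machine.
ext_if = "wm0"

# Offending sources end up here. 'persist' keeps the table (and its
# contents) across rule reloads, so reloading pf.conf does not unblock them.
table <bruteforce> persist

# Optional: management hosts that must never be locked out, even if an
# admin fat-fingers a password a few times. Populate as needed.
table <trusted> persist { 192.0.2.10 }

# Anything already blocked is dropped before any other rule is consulted.
block in quick on $ext_if from <bruteforce>

# Trusted hosts bypass the rate limit entirely.
pass in quick on $ext_if proto tcp from <trusted> to ($ext_if) port ssh \
    flags S/SA keep state

# Everyone else may reach sshd, but pf tracks new TCP connections per
# source address: more than 2 within 60 seconds adds the source to
# <bruteforce>, and 'flush global' also kills that source's existing
# states so an in-progress session is cut off too.
# Note: the limit counts TCP connections, not login attempts; combine it
# with a low MaxAuthTries in sshd_config so one connection cannot be
# used for many guesses.
pass in on $ext_if proto tcp from any to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn-rate 2/60, overload <bruteforce> flush global)
```

Entries stay in the table until removed; a weekly root cron job running `pfctl -t bruteforce -T expire 604800` drops entries older than a week, which matches the clearing interval mentioned above. Pair the rule with `PasswordAuthentication no` and a lowered `MaxAuthTries` in sshd_config as the reply suggests.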