Re: help? fighting ssh user/password guessing attempts

["Andy Ruhl" <acruhl%gmail.com@localhost>]

On Wed, Oct 15, 2008 at 11:42 AM, Thomas Feddersen
<thomas.feddersen%t-online.de@localhost> wrote:
> Dear Group,
>
> in my /var/log/authlog I can see many hackers attempting to get access to my
> system by trying arbitrary usernames. First of all I have disabled password
> authentication so valid users can ony login with a key. Still I'd like to
> lock the respective hosts out, from where these attacks originate.
>
> My research has brought up several programs / demons that parse the authlog
> file at certain time intervals and adjust the firewall accordingly. Among
> them are fail2ban, denyhost OSsec, and blockhosts.
>
> I've also found PAM-af, which is available through pkgsrc
> http://www.netbsd.org/packages/security/pam-af. If I understand correctly,
> this hooks immediately into the authentication framework and can repel
> attacks at the place where they get detected first. Although I have read
> Chapter 17 of the NetBSD Guide
> http://www.netbsd.org/docs/guide/en/chap-pam.html I don't really understand
> it. What config files do I have to modify how? Is PAM and / or a firewall
> (which? - PF, IPFilter, iptables) enabled by default?
>
> I still need more assistance in setting PAM-af up. Can somebody please help
> me or point out a howto? Does anybody have experience with PAM-af?

I think everyone has this problem. I was worried about it for a short
time, but then I changed the port sshd listens on and it basically
just doesn't happen anymore.

Seems easier than trying to make a block list, that's kind of like
peeing on a forest fire. It's never going to stop.

Andy