NetBSD-Users archive


Re: help? fighting ssh user/password guessing attempts



Hello Thomas,


> in my /var/log/authlog I can see many hackers attempting to get access to
> my system by trying arbitrary usernames. First of all I have disabled
> password authentication so valid users can only login with a key. Still I'd
> like to lock the respective hosts out, from where these attacks originate.

First of all...yes, everyone running an sshd has this problem, and no,
switching to an arbitrary port is no help at all. Obscurity is no
security, it does only delay the inevitable. I've seen such attacks on the
weirdest ports.


> My research has brought up several programs / demons that parse the
> authlog file at certain time intervals and adjust the firewall
> accordingly. Among them are fail2ban, denyhost, OSsec, and blockhosts.

The solution I prefer is denyhosts. It does not meddle with any
packetfilter, and it does not wait until you are attacked, to lock out
hosts. It modifies the /etc/hosts.deny file, and it communicates with a
central server, which provides "malevolent host-addresses". The hosts.deny
is updated and maintained by denyhosts in intervals, and this blocks the
attackers quite effectively. One attacked host informs the server of the
IP addresses of the attackers and all denyhosts-using machines get them on
their next update, even when they have not yet been attacked themselves.


- Volkmar


Oh and while at it...it's not hackers attacking you. It's scripts, bots,
kiddies and sometimes black-hats. See [1] for more information. (Yes, I
dislike seeing people constantly disgracing that term without really
knowing what they are actually talking about.)

[1] http://www.catb.org/~esr/faqs/hacker-howto.html

-- 
http://blog.nifelheim.info/tech
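
Added example, not part of the message above and not DenyHosts' own code: a minimal sketch of the log-to-hosts.deny step the thread discusses, counting sshd "Invalid user" lines per source address and emitting TCP wrappers entries. The sample log lines, the threshold of 3 and the allowlist parameter are constructed assumptions; IPv6 sources are out of scope here.

```python
import re
from collections import Counter
from ipaddress import IPv4Address

# Constructed sample lines in the style of sshd entries in /var/log/authlog.
SAMPLE_AUTHLOG = """\
Mar  3 04:11:02 host sshd[812]: Invalid user admin from 203.0.113.5
Mar  3 04:11:04 host sshd[815]: Invalid user test from 203.0.113.5
Mar  3 04:11:07 host sshd[819]: Invalid user oracle from 203.0.113.5 port 40022
Mar  3 04:12:30 host sshd[840]: Invalid user guest from 198.51.100.7
Mar  3 04:13:00 host sshd[851]: Accepted publickey for thomas from 192.0.2.10 port 50111 ssh2
Mar  3 04:14:10 host sshd[860]: Invalid user root from 192.0.2.10
Mar  3 04:14:11 host sshd[861]: Invalid user from 203.0.113.5 from 198.51.100.7
"""

# The user name is remote-supplied text, so the address is taken from the
# end of the line (last " from "), never from the first match in the line.
INVALID_USER = re.compile(r"sshd\[\d+\]: Invalid user .* from (\S+)(?: port \d+)?$")


def failed_sources(log_text):
    """Count 'Invalid user' attempts per IPv4 source address."""
    counts = Counter()
    for line in log_text.splitlines():
        match = INVALID_USER.search(line)
        if not match:
            continue
        try:
            counts[str(IPv4Address(match.group(1)))] += 1
        except ValueError:
            continue  # host name or non-IPv4 value: skip rather than guess
    return counts


def hosts_deny_entries(log_text, threshold=3, allow=()):
    """Return hosts.deny lines for sources at or above the threshold."""
    allowed = {str(IPv4Address(a)) for a in allow}  # never lock these out
    counts = failed_sources(log_text)
    return [f"sshd: {ip}" for ip, n in sorted(counts.items())
            if n >= threshold and ip not in allowed]


if __name__ == "__main__":
    print("\n".join(hosts_deny_entries(SAMPLE_AUTHLOG, allow=["192.0.2.10"])))
```

The entries only take effect if sshd is built with TCP wrappers (libwrap) support; the allowlist keeps an administrator's own address from being written to the deny file.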


