[PLUG] Denyhosts, Cracking Attempts, and Intensity
MJang
mike at mommabears.com
Fri Jun 5 16:16:14 UTC 2009
On Fri, 2009-06-05 at 08:31 -0700, Quentin Hartman wrote:
> Just wanted to comment that the super-simple way to avoid all this headache
> is to run SSHD on a non-standard port. I never get scans like that on my
> boxes which are on weird ports. To make connecting to the machines easy (and
> to keep things like rsync and scp happy) and not have to remember a bunch of
> command line switches, I put my "weird" port in my user's .ssh/config file
> like this:
>
> host *
> Port 12345
>
> And then if there are machines I connect to regularly that need different
> settings I add entries like:
>
> host someserver
> User thatguy
> Port 22
>
> You can even set up automatic proxying (with netcat) and stuff:
>
> host server_needs_a_proxy.domain.com
> ProxyCommand ssh server_I_bounce_through.domain.com nc -w 1 %h 22
FWIW, I disable root logins for SSH in my /etc/ssh/sshd_config with

PermitRootLogin no

and limit ssh attempts in the firewall with the following rules:

      tcp  --  anywhere  anywhere  tcp dpt:ssh state NEW recent: SET name: SSH side: source
DROP  tcp  --  anywhere  anywhere  tcp dpt:ssh state NEW recent: UPDATE seconds: 60 hit_count: 3 TTL-Match name: SSH side: source
Limiting logon attempts to 3 every 60 seconds discourages most crackers.
If you use a different SSH port, the firewall rules would have to be
changed accordingly.
Thanks,
Mike
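To see what the two firewall rules in Mike's post do per source address, here is a small Python model of them. This is an added example written for this page, not code from Mike or the PLUG list, and it approximates the kernel's "recent" match rather than reproducing it: per source it keeps a ring of timestamps, the SET rule appends one, the UPDATE rule with seconds/hit_count matches when at least hit_count stamps fall inside the window (and then appends another), and TTL-Match requires the packet's TTL to equal the TTL stored with the entry. The traffic is constructed. Rule order is exposed as a parameter because, in this model, the order shown in the post (SET before UPDATE) counts the current attempt toward hit_count, so the third new connection in a window is dropped, while putting the UPDATE/DROP rule first lets three through; the drops themselves refresh the entry, so a noisy source stays blocked until it has been quiet for the whole window.

```python
"""Model of the iptables 'recent' SSH rate limit from the post (constructed example).

Assumptions (not from the post): xt_recent is approximated as a per-source ring
of timestamps. --set appends a stamp; --update with --seconds/--hitcount matches
when at least hit_count stamps lie inside the window and then appends another;
--rttl additionally requires the packet TTL to equal the entry's stored TTL.
"""
from collections import deque
from dataclasses import dataclass, field

PKT_LIST_TOT = 20  # stamps kept per entry (xt_recent ip_pkt_list_tot default)


@dataclass
class Attempt:
    t: float   # seconds since start (constructed clock)
    src: str   # source address of the SYN
    ttl: int   # IP TTL of the SYN


@dataclass
class RecentEntry:
    ttl: int
    stamps: deque = field(default_factory=lambda: deque(maxlen=PKT_LIST_TOT))


class SshRecentLimiter:
    """Evaluates the two rules from the post for each NEW tcp/22 connection."""

    def __init__(self, seconds=60, hit_count=3, rttl=True, set_first=True):
        self.seconds = seconds
        self.hit_count = hit_count
        self.rttl = rttl
        self.set_first = set_first   # True = rule order exactly as in the post
        self.table = {}              # the 'SSH' recent list, keyed by source

    def _set(self, a):
        # recent: SET name: SSH side: source
        e = self.table.setdefault(a.src, RecentEntry(a.ttl))
        e.stamps.append(a.t)
        e.ttl = a.ttl

    def _update(self, a):
        # recent: UPDATE seconds: 60 hit_count: 3 TTL-Match name: SSH side: source
        e = self.table.get(a.src)
        if e is None:
            return False
        if self.rttl and e.ttl != a.ttl:
            return False
        hits = sum(1 for s in e.stamps if a.t - s <= self.seconds)
        if hits < self.hit_count:
            return False
        e.stamps.append(a.t)   # a matching --update refreshes the entry
        e.ttl = a.ttl
        return True

    def verdict(self, a):
        if self.set_first:
            self._set(a)
            return "DROP" if self._update(a) else "ACCEPT"
        if self._update(a):
            return "DROP"
        self._set(a)
        return "ACCEPT"


def simulate(attempts, **kw):
    """Return (time, source, verdict) for each attempt, in order."""
    lim = SshRecentLimiter(**kw)
    return [(a.t, a.src, lim.verdict(a)) for a in attempts]


# Constructed traffic: one source hammering port 22, one legitimate user.
ATTEMPTS = [
    Attempt(0, "203.0.113.10", 64),
    Attempt(5, "203.0.113.10", 64),
    Attempt(10, "203.0.113.10", 64),
    Attempt(12, "198.51.100.7", 64),
    Attempt(15, "203.0.113.10", 64),
    Attempt(70, "203.0.113.10", 64),
    Attempt(140, "203.0.113.10", 64),
]


def verdicts(set_first=True):
    """Verdict list for ATTEMPTS under the chosen rule order."""
    return [v for _, _, v in simulate(ATTEMPTS, set_first=set_first)]


if __name__ == "__main__":
    for order in (True, False):
        print("SET rule first" if order else "DROP rule first")
        for t, src, v in simulate(ATTEMPTS, set_first=order):
            print(f"  t={t:>4}s  {src:<14} {v}")
```

Running it prints both orders side by side: with the post's order the 203.0.113.10 source is dropped from its third attempt at t=10 and stays dropped at t=70 because each blocked SYN refreshed the entry, then gets through again at t=140; with the DROP rule first it gets three connections before the block and is accepted again at t=70. The legitimate 198.51.100.7 user is unaffected either way, since the list is kept per source.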