From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from pigeon.gentoo.org ([69.77.167.62] helo=lists.gentoo.org) by finch.gentoo.org with esmtp (Exim 4.60) (envelope-from ) id 1JUfIz-0001QW-FL for garchives@archives.gentoo.org; Thu, 28 Feb 2008 09:43:57 +0000
Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 8B254E0576; Thu, 28 Feb 2008 09:43:55 +0000 (UTC)
Received: from dcnode-02.unlimitedmail.net (unknown [212.85.44.112]) by pigeon.gentoo.org (Postfix) with ESMTP id 307CEE0576 for ; Thu, 28 Feb 2008 09:43:55 +0000 (UTC)
Received: from ppp.zz ([137.204.208.98]) (authenticated bits=0) by dcnode-02.unlimitedmail.net (8.14.2/8.14.0) with ESMTP id m1S9hb6q029682 for ; Thu, 28 Feb 2008 10:43:47 +0100
From: Etaoin Shrdlu
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Re: SSH brute force attacks and blacklist.py
Date: Thu, 28 Feb 2008 10:55:23 +0100
User-Agent: KMail/1.9.7
References: <47C5A316.8010303@shic.co.uk>
In-Reply-To:
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-user@lists.gentoo.org
Reply-to: gentoo-user@lists.gentoo.org
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200802281055.23451.shrdlu@unlimitedmail.org>
X-UnlimitedMail-MailScanner-From: shrdlu@unlimitedmail.org
X-Spam-Status: No
X-Archives-Salt: d1bf1062-c441-4c6e-b5c7-578bf9970411
X-Archives-Hash: 69219652048dc33afb51798b068f34a2

On Wednesday 27 February 2008, Remy Blank wrote:
> Steve wrote:
> > I'm one of the (many) people who has opportunists trying usernames
> > and passwords against SSH... while every effort has been made to
> > secure this service by configuration; strong passwords; no root
> > login remotely etc. I would still prefer to block sites using
> > obvious dictionary attacks against me.
>
> The best advice I can give is to use public key authentication only.
> This will defend against all dictionary-based attacks, which is what
> you describe.
>
> The only remaining "problem" is that your log files will be filled
> with unsuccessful login attempts. A simple solution is to run sshd on
> a non-standard, high-numbered port, e.g. in the 30'000. Bots only ever
> try to connect on port 22. This will *not* improve the protection of
> your server, but it will avoid having your logs spammed.

Agreed. For me, changing the port SSH listens on alone eliminated 99% of
brute force attempts. I also agree on public key authentication.

Depending on the OP's needs and context, he might also be interested in
portknocking (no flames please :-)).

--
gentoo-user@lists.gentoo.org mailing list
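The thread mentions logs filling with failed-login noise and a blacklist.py script but shows no code. As an added example (not from the thread or from blacklist.py), the routine below parses constructed sshd syslog lines, groups "Failed password" events by source address, and flags sources that hit many failures across several usernames, which is the dictionary-attack pattern Steve describes, while a single user mistyping a password is left alone. The log lines, hostnames and addresses are all constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (syslog format); not real traffic.
SAMPLE_LOG = """\
Feb 28 09:41:02 host sshd[2231]: Failed password for invalid user admin from 192.0.2.10 port 51212 ssh2
Feb 28 09:41:05 host sshd[2233]: Failed password for invalid user oracle from 192.0.2.10 port 51214 ssh2
Feb 28 09:41:09 host sshd[2235]: Failed password for root from 192.0.2.10 port 51218 ssh2
Feb 28 09:41:12 host sshd[2237]: Failed password for invalid user test from 192.0.2.10 port 51220 ssh2
Feb 28 09:42:30 host sshd[2240]: Failed password for alice from 198.51.100.7 port 40022 ssh2
Feb 28 09:42:41 host sshd[2242]: Accepted publickey for alice from 198.51.100.7 port 40023 ssh2
Feb 28 09:43:10 host sshd[2250]: Failed password for invalid user admin from 203.0.113.5 port 33001 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ..." forms.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def failed_logins_by_source(log_text):
    """Return {source_ip: [usernames tried, in log order]} for failed-password lines."""
    tries = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            tries[m.group("ip")].append(m.group("user"))
    return dict(tries)


def dictionary_attack_candidates(log_text, threshold=3):
    """Sources with at least `threshold` failures spread over more than one
    username. One account failing repeatedly (a forgotten password) does not
    qualify; cycling through admin/oracle/root/test does."""
    out = []
    for ip, users in failed_logins_by_source(log_text).items():
        if len(users) >= threshold and len(set(users)) > 1:
            out.append((ip, len(users), sorted(set(users))))
    return sorted(out)


if __name__ == "__main__":
    for ip, count, users in dictionary_attack_candidates(SAMPLE_LOG):
        print(f"{ip}: {count} failures, usernames tried: {', '.join(users)}")
```

Feed it the relevant lines of auth.log (or journalctl -u sshd output) and review the candidates before turning them into firewall rules; the thread's advice still stands that key-only authentication removes the risk and a non-default port removes most of the noise.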