From: Brian Davis
Date: Tue, 07 Nov 2006 15:04:46 -0500
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] OpenSSH security
Message-ID: <4550E6DE.9070803@comcast.net>
In-Reply-To: <4550E4CC.6050400@fire-eyes.org>

In addition to fail2ban, look at deny2hosts and sshdfilter.

fire-eyes wrote:
> James Colby wrote:
>
>> List members -
>>
>> I am running OpenSSH on my home gentoo server. I was examining the
>> log files for OpenSSH and I noticed multiple login attempts from the
>> same IP address but with different user names. Is there a simple way
>> that I can block an IP address from attempting to log in after
>> something like 3 failed login attempts?
>>
>> My Gentoo box is connected to a linksys router connected to my cable
>> modem, the linksys is doing port forwarding to my gentoo box. Also, I
>> would like to avoid limiting which IP addresses can log into my SSH
>> server
>>
>> Thanks for any ideas,
>> James
>>
>
>
> What you're seeing is a common, automated dictionary style attack. There
> are several ways to get rid of them.
>
> The simplest way is to install fail2ban and it will create firewall rules.
>
> The next less-simple way is to change the port sshd listens on. The
> scripts assume the default of 22.
>
> The best way is to change the port sshd listens on, and also move to key
> based authentication, and disable password based authentication. In this
> way, even if they got the port, got a real user name, and had the right
> password, it would not matter -- They haven't got the key.
>
--
gentoo-user@gentoo.org mailing list
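
The per-IP counting asked about in the thread (act after something like 3 failed logins from one address), as an added example that is not part of the thread and is not fail2ban's own code. It goes slightly beyond the question by counting only failures inside a sliding time window; the names `offenders`, `max_retry` and `find_time` and all log lines are constructed for this illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd lines (documentation addresses, invented host/users).
SAMPLE_LOG = """\
Nov  7 14:58:01 gentoo sshd[4121]: Failed password for invalid user admin from 203.0.113.5 port 40112 ssh2
Nov  7 14:58:04 gentoo sshd[4123]: Failed password for invalid user test from 203.0.113.5 port 40150 ssh2
Nov  7 14:58:09 gentoo sshd[4125]: Failed password for root from 203.0.113.5 port 40188 ssh2
Nov  7 15:02:30 gentoo sshd[4130]: Failed password for james from 198.51.100.7 port 51514 ssh2
Nov  7 15:02:41 gentoo sshd[4130]: Accepted password for james from 198.51.100.7 port 51514 ssh2
Nov  7 15:40:00 gentoo sshd[4200]: Failed password for invalid user guest from 192.0.2.44 port 33000 ssh2
Nov  7 16:55:00 gentoo sshd[4300]: Failed password for invalid user oracle from 192.0.2.44 port 33100 ssh2
Nov  7 18:10:00 gentoo sshd[4400]: Failed password for invalid user ftp from 192.0.2.44 port 33200 ssh2
"""

FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+")

def offenders(log_text, max_retry=3, find_time=timedelta(minutes=10)):
    """Return {ip: sorted usernames tried} for each IP with at least
    max_retry failed logins inside any find_time sliding window."""
    recent = defaultdict(list)   # ip -> [(timestamp, user)] still in window
    flagged = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        # syslog timestamps carry no year; only differences matter here
        # (assumes the log does not span a year boundary)
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        ip = m["ip"]
        recent[ip].append((ts, m["user"]))
        recent[ip] = [(t, u) for t, u in recent[ip] if ts - t <= find_time]
        if len(recent[ip]) >= max_retry:
            flagged[ip].update(u for _, u in recent[ip])
    return {ip: sorted(users) for ip, users in flagged.items()}

if __name__ == "__main__":
    for ip, users in offenders(SAMPLE_LOG).items():
        print(f"{ip}: tried {', '.join(users)}")
```

The legitimate user who mistypes once (198.51.100.7) and the slow guesser spread over hours (192.0.2.44) both stay under the default threshold, which is the trade-off the window length controls.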