[Gllug] ssh brute force attacks

Ryan Cartwright r.cartwright at equitasit.co.uk
Mon Dec 8 16:45:28 UTC 2008


2008/12/8 Alain Williams <addw at phcomp.co.uk>:
> Distributed ssh brute force attacks are on the rise, according to el reg:
>
>        http://www.theregister.co.uk/2008/12/08/brute_force_ssh_attack/
>
> I use an iptables blocker (max 3 attempts in 3 minutes) that would be defeated by this.
>
> I also restrict *who* can login over ssh.

What do you mean by "who"? Restricting by username or by IP address? I
generally set up so only particular users can ssh in and if I am
really feeling paranoid I'll drop ssh requests not coming from
particular IPs as well.

I have been known to restrict ssh to a single user that is only there
for ssh in. Then I can su from there once I am in. Again depending
upon my paranoia level, the username for this account is sometimes not
recognisable as a "real" word. So it's more likely to be something
like "agk4t93" than "ryan". Not that a brute force is incapable of
attempting such combinations of characters but IME they tend to try
those as passwords rather than usernames.

cheers
-- 
Ryan Cartwright
Equitas IT Solutions
http://www.equitasit.co.uk
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
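
The point quoted above, that a per-source limit of 3 attempts in 3 minutes does not see a distributed attack, shown as an added example (not part of the original thread). It assumes OpenSSH-style "Failed password" syslog lines as a stand-in for the connection attempts an iptables rule counts; the log lines are constructed and the threshold of 5 distinct sources is an assumption.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

WINDOW = 180          # seconds: the "3 minutes" from the quoted message
PER_IP_MAX = 3        # the "max 3 attempts" from the quoted message
DISTINCT_SOURCES = 5  # assumed threshold for the host-wide check

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: Failed password for "
                  r"(?:invalid user )?(\S+) from (\S+) port \d+")

# Constructed sample logs (not real data).
# DISTRIBUTED: six sources, one failure each, 20 seconds apart.
DISTRIBUTED = "\n".join(
    f"Dec  8 16:4{i // 3}:{i % 3 * 20:02d} host sshd[{100 + i}]: Failed password for "
    f"invalid user admin from 198.51.100.{i + 1} port 4000 ssh2" for i in range(6))
# NOISY: one source, four failures inside 30 seconds.
NOISY = "\n".join(
    f"Dec  8 16:42:{i * 10:02d} host sshd[{200 + i}]: Failed password for "
    f"ryan from 192.0.2.99 port 5000 ssh2" for i in range(4))

def parse(text, year=2008):
    """Yield (epoch_seconds, user, ip) for each failed-password line."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts.timestamp(), m.group(2), m.group(3)

def analyse(text):
    """Return (IPs over the per-IP limit, True if many sources share one window)."""
    per_ip = defaultdict(deque)   # ip -> failure times inside the window
    recent = deque()              # (time, ip) for all failures inside the window
    blocked, distributed = set(), False
    for t, _user, ip in parse(text):
        q = per_ip[ip]
        q.append(t)
        while q[0] <= t - WINDOW:
            q.popleft()
        if len(q) > PER_IP_MAX:          # what a per-source limiter reacts to
            blocked.add(ip)
        recent.append((t, ip))
        while recent[0][0] <= t - WINDOW:
            recent.popleft()
        if len({src for _, src in recent}) >= DISTINCT_SOURCES:
            distributed = True           # many sources, each under the limit
    return blocked, distributed
```

On the distributed sample the per-source check flags nothing, while the host-wide count of distinct failing sources does; restricting which users and source addresses may log in, as described in the message, reduces exposure regardless of how the attempts are spread.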