On Wed, Apr 26, 2006 at 02:23:30PM -0400, Greg Folkert wrote:
> On Wed, 2006-04-26 at 01:58 +0100, Digby Tarvin wrote:
> > On Tue, Apr 25, 2006 at 07:23:26PM -0400, Bruce Corbin wrote:
> > > Hi All,
> [...]
> > > Any suggestions?
> >
> > [...]
> > You still stop the black hats from trying to guess passwords
> > using your ssh server.
>
> Yes... yes you will. But what is the fun in making them know that they
> can't do interactive logins. Wasting time for them is so fulfilling. I
> even get to do it automatically.
>
> I get e-mails from my machines telling me exactly how many times ID10Ts
> are trying. I get a chuckle every one I get. Keeps the day going faster
> for me.

Oh, it still goes through the motions - it doesn't tell them that
their password is not even being looked at.

Your logs will tell you what user name they tried to log in with,
and that the login was rejected because password authentication is
disabled.

I also like to configure my sshd to refuse login attempts to anyone
not in a special 'ssh' group, and generally exclude any predictable
user names like root or games from being in that group.

A quick check of my system log shows 1514 failed ssh attempts in
the last four days.

For example, an attempt logged for a connection from South Korea:

Apr 22 10:09:27 skaro sshd[8547]: User root not allowed because none of user's groups are listed in AllowGroups
Apr 22 10:09:27 skaro sshd[8547]: Failed password for illegal user root from 58.120.225.134 port 59938 ssh2

What I really should do is move sshd to a non-standard port, and
put a tarpit on the normal port to really inconvenience the bozos
trying dictionary attacks.

Regards,
DigbyT
-- 
Digby R. S. Tarvin    digbyt(at)digbyt.com
http://www.digbyt.com
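
Added example, not part of the original message: one way to produce the kind of tally mentioned above (failed attempts per source address and user name, and how many of them were turned away by AllowGroups) from log lines in the format quoted. Apart from the two quoted entries, the log lines, the user alice and the function name summarize are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: the two entries quoted in the message plus made-up
# lines in the same format (extra addresses are documentation ranges).
SAMPLE_LOG = """\
Apr 22 10:09:27 skaro sshd[8547]: User root not allowed because none of user's groups are listed in AllowGroups
Apr 22 10:09:27 skaro sshd[8547]: Failed password for illegal user root from 58.120.225.134 port 59938 ssh2
Apr 22 10:09:31 skaro sshd[8549]: User games not allowed because none of user's groups are listed in AllowGroups
Apr 22 10:09:31 skaro sshd[8549]: Failed password for illegal user games from 58.120.225.134 port 59951 ssh2
Apr 22 11:40:02 skaro sshd[8610]: User root not allowed because none of user's groups are listed in AllowGroups
Apr 22 11:40:02 skaro sshd[8610]: Failed password for illegal user root from 192.0.2.77 port 40112 ssh2
Apr 22 11:41:15 skaro sshd[8615]: Failed password for alice from 198.51.100.9 port 51514 ssh2
Apr 22 12:00:00 skaro sshd[8620]: Accepted publickey for alice from 198.51.100.9 port 51600 ssh2
"""

# Newer OpenSSH releases log "invalid user" where this one logs "illegal user".
FAILED = re.compile(r"sshd\[(\d+)\]: Failed password for "
                    r"(?:(?:illegal|invalid) user )?(\S+) from (\S+) port \d+")
DENIED = re.compile(r"sshd\[(\d+)\]: User (\S+) not allowed because "
                    r"none of user's groups are listed in AllowGroups")

def summarize(log_text):
    """Tally failed logins; the AllowGroups line carries no address, so it
    is joined to the following 'Failed password' line by sshd pid."""
    denied = {}  # sshd pid -> user name rejected by AllowGroups
    by_ip, by_user, group_denied_by_ip = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = DENIED.search(line)
        if m:
            denied[m.group(1)] = m.group(2)
            continue
        m = FAILED.search(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        pid, user, ip = m.groups()
        by_ip[ip] += 1
        by_user[user] += 1
        if denied.get(pid) == user:
            group_denied_by_ip[ip] += 1
    return {"failed": sum(by_ip.values()), "by_ip": by_ip,
            "by_user": by_user, "group_denied_by_ip": group_denied_by_ip}

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, dict(value) if isinstance(value, Counter) else value)
```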

