On Tue, Jan 12, 2010 at 10:42:06AM +0100, Erik Norgaard wrote:
> Anton Shterenlikht wrote:
> > I'm thinking of denying ssh access to host from which
> > I get brute force ssh attacks.
>
> This is a returning topic, search the archives. Anyway, the returning
> answer:
>
> - why not let your firewall do the blocking? If your blocking is IP
> based that's the place to block.
I'm already under the University firewall. Only port 22 is let through.
But even that fills my logs.

> - why do you default to allow? How about default block, and then add the
> few good networks you know that actually need access? Restricting access
> to your own continent is a good start. I made this tool to create lists
> of ip ranges for individual countries:
>
> http://www.locolomo.org/pub/src/toolbox/inet.pl
>
> if you're in US then it may not work since some US companies have ranges
> delegated directly by IANA rather than ARIN, but these are few so it's
> easy to add ranges manually, check the list here:
>
> http://www.iana.net/assignments/ipv4-address-space/ipv4-address-space.xml

thanks, will look at this

> - why allow password based authentication? disable password based
> authentication and rely on keys, then you can ignore all the brute force
> attempts.

I don't allow password based authentication.

> - above not a solution? See if you can tweak the sshd_config:
>
> MaxAuthTries
> MaxStartups
>
> can slow down brute force attacks preventing it from sucking up resources.

also a good idea, will look at this.

> Disable root login, restrict login to real users, if you have a group
> "users" just restrict to that using AllowGroups.

yes, this is in place.

> - trying to block individual offending hosts is futile, the attacker
> will usually try maybe a 1000 times, but the next one will likely come
> from a different address.

I guess this answers my question most directly.

From all the replies I got so far I gather that /etc/hosts.allow exists as a
historical heritage and no real use is made of it nowadays. Although some
people appear to like it (e.g. Samuel Martín Moro).

many thanks for your help and support.
anton
-- 
Anton Shterenlikht
Room 2.6, Queen's Building
Mech Eng Dept
Bristol University
University Walk, Bristol BS8 1TR, UK
Tel: +44 (0)117 331 5944
Fax: +44 (0)117 929 4423
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
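The sshd_config advice in the exchange above (key-only authentication, no root login, AllowGroups, MaxAuthTries, MaxStartups) is easy to state and easy to get wrong in a real config file, because sshd honours the first occurrence of a directive and silently ignores later duplicates and commented-out lines. The script below is an added example, not code from the thread or from the FreeBSD or OpenSSH projects: it audits an sshd_config for those five settings using OpenSSH's parsing rules (case-insensitive keywords, "Keyword value" or "Keyword=value", first occurrence wins). The defaults it assumes when a directive is absent (PasswordAuthentication yes, PermitRootLogin yes, MaxAuthTries 6, MaxStartups 10) are OpenSSH defaults of that era, and the thresholds it enforces (MaxAuthTries of 3 or fewer, MaxStartups in start:rate:full form) are this example's own choices, not values given in the thread. Directives inside Match blocks are not handled. The two configurations it runs against are constructed sample data.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the hardening directives discussed
# in the thread. Assumes OpenSSH parsing rules: keywords are case-insensitive,
# "Keyword value" and "Keyword=value" are both accepted, comments and blank
# lines are ignored, and the FIRST occurrence of a directive takes effect.
# Directives inside "Match" blocks are not handled.

# sshd_effective FILE KEYWORD DEFAULT -> print the first value token of the
# effective KEYWORD line, or DEFAULT when the file does not set it.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[ \t]*(#|$)/ { next }                # comment or blank line
        { gsub(/=/, " ") }                     # normalise Keyword=value to Keyword value
        tolower($1) == key { print $2; found = 1; exit }   # first match wins
        END { if (!found) print def }
    ' "$1"
}

# audit_sshd_config FILE -> one finding per line on stdout; the return code is
# the number of findings, so 0 means every check passed.
audit_sshd_config() {
    cfg=$1
    n=0
    v=$(sshd_effective "$cfg" PasswordAuthentication yes)   # assumed default: yes
    if [ "$v" != no ]; then
        echo "PasswordAuthentication is '$v': set it to 'no' and rely on keys"; n=$((n + 1))
    fi
    v=$(sshd_effective "$cfg" PermitRootLogin yes)          # assumed default of that era: yes
    if [ "$v" != no ]; then
        echo "PermitRootLogin is '$v': set it to 'no'"; n=$((n + 1))
    fi
    v=$(sshd_effective "$cfg" MaxAuthTries 6)               # assumed default: 6
    if [ "$v" -gt 3 ]; then
        echo "MaxAuthTries is $v: lower it to 3 or fewer (this example's threshold)"; n=$((n + 1))
    fi
    v=$(sshd_effective "$cfg" MaxStartups 10)               # assumed default: 10, no random early drop
    case $v in
        *:*:*) ;;   # start:rate:full form drops a share of unauthenticated connections under load
        *) echo "MaxStartups is '$v': use start:rate:full (e.g. 10:30:60) to shed connection floods"; n=$((n + 1)) ;;
    esac
    v=$(sshd_effective "$cfg" AllowGroups "")
    if [ -z "$v" ]; then
        echo "AllowGroups is not set: restrict logins to a group of real users"; n=$((n + 1))
    fi
    return "$n"
}

# Constructed sample configurations (not copied from any real host).
TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT
WEAK_CFG=$TMPD/weak_sshd_config
HARD_CFG=$TMPD/hardened_sshd_config

cat >"$WEAK_CFG" <<'EOF'
# A commented-out line has no effect, whatever it says
#PasswordAuthentication no
Port 22
PermitRootLogin yes
MaxAuthTries 6
MaxStartups 10
PasswordAuthentication yes
PasswordAuthentication no
EOF

cat >"$HARD_CFG" <<'EOF'
Port 22
Protocol 2
PasswordAuthentication=no
PermitRootLogin no
MaxAuthTries 3
MaxStartups 10:30:60
AllowGroups users
EOF

for f in "$WEAK_CFG" "$HARD_CFG"; do
    echo "== $f"
    audit_sshd_config "$f" && echo "no findings"
done
```

Run the same two functions against /etc/ssh/sshd_config on a real host; the weak sample produces five findings, the hardened one none. Note that the second PasswordAuthentication line in the weak sample says "no" but has no effect, which is exactly the kind of mistake a quick grep for the directive would miss.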