csnyder wrote:

I've noticed a marked increase in dictionary attacks against sshd
lately -- tens or even hundreds of connection attempts from the same
IP address within a short timespan.

I wrote a script that creates firewall rules to drop packets from IPs
with more than n login failures over the last 10 minutes, but it's a
half-measure -- in the minute it takes for cron to get to it, an
attacking script can try a lot of different passwords, even with
MaxStartups set low.

How do you protect your servers from this kind of attack? Especially
where you can't enforce a strict password policy or make everyone
use keys?



I have mentioned before that I use tcpwrappers
(somewhat against the comment in /etc/hosts.allow)
to only allow sshd to accept connections from
known IP addresses on all my servers save
one.

If for some reason I'm on a "foreign" network
and need to get in, I have to go through the
open box to get to the others.  (I can see that
this might not work so well if you have dozens
of people who need sshd access....)

But, like Lowell says, this doesn't seem to be
the most effective attack, as it generally is
trying a few combinations for "admin", a few
for "root", etc., and then moving on ... I'm
not sure how much effort you need to expend
on it; although if you're running a lot of shell
services to the outside, I can feel some of your
pain....

HTH,

Kevin Kinsey
DaleCo, S.P.
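A worked version of the counting step csnyder describes, added here as an illustration and not code from anyone in the thread: it scans constructed auth.log lines, counts sshd password failures per source IP inside the last 10 minutes, and builds (without running) the pf table commands a cron job would issue. pf, the table name `ssh_bruteforce`, the hostname and the sample log lines are all assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta
# The failed-password line sshd logs via syslog; "invalid user" marks
# attempts against accounts that do not exist.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

def offending_ips(lines, now, window=timedelta(minutes=10), threshold=5):
    """Return {ip: failures} for IPs with >= threshold failures in [now-window, now]."""
    counts = Counter()
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue
        # syslog stamps have no year; borrow it from `now` (New Year rollover needs care).
        when = datetime.strptime(f"{now.year} {m['ts']}", "%Y %b %d %H:%M:%S")
        if now - window <= when <= now:
            counts[m["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

def pf_commands(ips, table="ssh_bruteforce"):
    """Build (not run) pfctl commands adding each IP to a pf table; the table
    name is an assumption and pf.conf needs a block rule that references it."""
    return [f"pfctl -t {table} -T add {ip}" for ip in sorted(ips)]

def _fail(ts, user, ip):
    """Constructed auth.log line (sample data only)."""
    return f"{ts} bsdhost sshd[4242]: Failed password for {user} from {ip} port 51000 ssh2"

# Constructed sample: one IP hammering root/admin, one stray typo, one old burst.
SAMPLE_LOG = [
    _fail("Mar 10 12:01:05", "root", "192.0.2.10"),
    _fail("Mar 10 12:01:09", "invalid user admin", "192.0.2.10"),
    _fail("Mar 10 12:01:12", "invalid user test", "192.0.2.10"),
    _fail("Mar 10 12:02:40", "root", "192.0.2.10"),
    _fail("Mar 10 12:05:00", "alice", "198.51.100.7"),
    _fail("Mar 10 11:30:01", "root", "203.0.113.9"),
    _fail("Mar 10 11:30:02", "root", "203.0.113.9"),
    _fail("Mar 10 11:30:03", "root", "203.0.113.9"),
    "Mar 10 12:06:00 bsdhost sshd[4243]: Accepted publickey for bob from 198.51.100.8 port 52000 ssh2",
]
NOW = datetime(2005, 3, 10, 12, 10, 0)  # pretend cron fired at 12:10

def run_sample():
    """Apply the 10-minute window with n=3: only 192.0.2.10 qualifies."""
    return offending_ips(SAMPLE_LOG, NOW, threshold=3)
```

This only narrows the gap csnyder mentions between cron runs; the tcpwrappers allow-list Kevin describes rejects unknown addresses before sshd ever reaches password authentication.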