On 03/08/07, Boaz Rymland <[EMAIL PROTECTED]> wrote:
>
> Amos Shapira wrote:
>
> Possible ways to handle:
>
> 1. Change port as others suggested - works great for me.
> 2. Make sure you can only authenticate using public/private keys.
> 3. Install "denyhosts", which adds attacking IPs to /etc/hosts.deny based
> on the sshd logs, also can synchronize info with other attacked hosts.
> 4. Use iptables to limit number of attempts from each IP.
> 5. Use iptables to slow down connections from attackers (target "TARPIT").
> 6. Install a honeypot and send the results to central sites which collect
> such info.
>
> 7. Open SSH port to the needed IP(s) only: If you _don't_ need to SSH in
> from "the world", you can limit access to the needed port based on the IP
> address, or a range of IPs. E.g.: iptables -A INPUT -s $ALLOWED_IP_SSH -p
> TCP --dport $SSH_PORT -j ACCEPT
>
True, though you have to be careful not to lock yourself out by limiting too much. That's why I've never implemented this myself. You can use the iptables geoip module to limit by country.

Your suggestion reminded me:

8. Implement port-knocking. Still could limit you to access from machines from which you can do the port-knock (I think even careful use of "traceroute" might allow you to do that when you don't have access to a port-knocking client).

--Amos
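A denyhosts-style log check in the spirit of item 3 above, as an added example that is not from this thread or from the denyhosts project: it scans constructed sshd log lines (documentation-range addresses), counts failed passwords per source IP inside a sliding window, and takes an allow-list so an admin's own address never ends up in /etc/hosts.deny, which addresses the lock-out concern raised in the reply. The year passed to the parser is assumed, since syslog timestamps omit it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd log lines (syslog format); addresses are documentation ranges.
SAMPLE_LOG = """\
Mar  8 10:00:01 host sshd[1201]: Failed password for invalid user admin from 192.0.2.10 port 40001 ssh2
Mar  8 10:00:03 host sshd[1202]: Failed password for root from 192.0.2.10 port 40002 ssh2
Mar  8 10:00:05 host sshd[1203]: Failed password for invalid user test from 192.0.2.10 port 40003 ssh2
Mar  8 10:00:09 host sshd[1205]: Accepted publickey for amos from 198.51.100.5 port 50000 ssh2
Mar  8 10:00:10 host sshd[1206]: Failed password for amos from 198.51.100.5 port 50001 ssh2
Mar  8 10:00:11 host sshd[1207]: Failed password for amos from 198.51.100.5 port 50002 ssh2
Mar  8 10:00:12 host sshd[1208]: Failed password for amos from 198.51.100.5 port 50003 ssh2
Mar  8 10:30:00 host sshd[1300]: Failed password for root from 203.0.113.7 port 41000 ssh2
Mar  8 10:30:02 host sshd[1301]: Failed password for root from 203.0.113.7 port 41001 ssh2
"""

# Matches the failed-password line sshd writes; captures timestamp and source IP.
FAILED_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?\S+ from (\S+) port \d+"
)

def parse_time(stamp, year=2007):
    # syslog omits the year; the caller supplies it (assumed 2007 for the sample).
    return datetime.strptime(f"{year} {' '.join(stamp.split())}", "%Y %b %d %H:%M:%S")

def offenders(log_text, threshold=3, window_seconds=60, allow_list=()):
    """Map source IP -> peak failures inside one window, for IPs that hit `threshold`."""
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    flagged = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue                 # accepted logins and other noise are ignored
        ts, ip = parse_time(m.group(1)), m.group(2)
        if ip in allow_list:
            continue                 # never block the admin's own address
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()              # drop attempts older than the window
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged

def hosts_deny_lines(flagged):
    """Render flagged IPs as /etc/hosts.deny entries for sshd (TCP wrappers)."""
    return [f"sshd: {ip}" for ip in sorted(flagged)]
```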