Re: [CentOS] sshd: Authentication Failures: 137 Time(s)
> Hi, > > to prevent scripted dictionary attacks to sshd > I applied those iptables rules: > > -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -m recent > --update --seconds 60 --hitcount 4 --name SSH --rsource -j DROP > -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -m recent --set > --name SSH --rsource What I have done to totally thwart script-kiddy attacks against SSH is to 1) Move sshd to another port, one higher than 5000 2) configure SSH for RSA-KEY authentication ONLY IE no PAM auth 3) Set up Fail2Ban to auto ip-table block ANY offending IPs after 5 tries. Script kiddies assume ssh is on port 22, and mosr posr scans don't go as high as 5000. Since I implement this strategy a month ago, I have seen ZERO attempts against SSH > ___ > CentOS mailing list > CentOS@centos.org > http://lists.centos.org/mailman/listinfo/centos > ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] sshd: Authentication Failures: 137 Time(s)
> Introducing a Hawk helped us a lot. Tools like Hawk and fail2ban are quite > useful, actually only thinks like that have good impact on the bruteforce > attempts. Indeed! I run Fail2Ban not only against SSH, but against SMTP/AUTH and IMAPS/POP3S (the only client mail protocols we support). It's amazing how many dictionary attacks take place against SMTP by persistent spamers! Besides the effect against dictionary attacks, it makes the morning reading of the secure log a pleasant experience. :-) However, moving to a non-standard SSH port has had a profound effect on the attempts. It's a triple whammy for the script kiddies. Find the port if you can, then you get 5 tries at a non-existent username/password before your packets get dropped on the floor, and you are totally blocked from the entire system for an hour. Bob ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
