Mailinglist Archive: opensuse (1570 mails)

Re: [opensuse] Coordinated, distributed ssh attacks?
  • From: Joop Beris <j.beris@xxxxxxxxxxxxx>
  • Date: Mon, 5 Oct 2009 14:45:08 +0200
  • Message-id: <200910051445.08737.j.beris@xxxxxxxxxxxxx>
On Sunday 04 October 2009 09:16:32 Hans Witvliet wrote:
> On Sat, 2009-10-03 at 19:28 -0500, David C. Rankin wrote:
> > Have you moved ssh to a high port yet? If you do, all noise on your ssh
> > port will cease. Worth its weight in gold!
>
> Until they do a full nmap, and decide that if it's a unix machine and
> port-22 is not there, it might be worthwhile scanning port 2222 or so..
>
> It's what my cert-team calls: "security through obscurity"


Fail2ban is your friend: http://www.fail2ban.org/wiki/index.php/Main_Page

I use it to protect my home server against SSH and Apache attacks. Works like
a charm and I don't have to use the "security through obscurity" approach by
running my ssh daemon on a different port. Sure, it will stop scripted
attacks, but it breaks rsync et al.

I used to run denyhosts before, but Fail2ban can also check for other attacks,
like authentication to Apache without much configuration. Hosts that attack
me, get locked out for 24 hours, which seems long enough to convince them to
stay away. For real serious offenders, which come once a month or so, I
permanently block them by adding them to /etc/hosts.deny.

HTH,

Joop
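
Added example, not part of the original message and not Fail2ban's own code: a simplified Python model of the count-failures-then-ban logic described above, run over constructed sshd log lines. Only the 24-hour ban comes from the message; the retry threshold, time window, host names and addresses are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# BANTIME is the 24-hour lockout from the message; MAXRETRY and FINDTIME
# are assumed values for this example, not settings quoted in the thread.
MAXRETRY, FINDTIME, BANTIME = 3, timedelta(minutes=10), timedelta(hours=24)

# Anchor on the trailing "from <ip> port <n>" that sshd itself appends, so a
# crafted user name containing " from 192.0.2.50" cannot supply the address.
FAIL_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?.* "
    r"from (\d{1,3}(?:\.\d{1,3}){3}) port \d+(?: ssh\d?)?$"
)

# Constructed sample lines (documentation address ranges, not real hosts).
SAMPLE_LOG = """\
Oct  5 14:40:01 home sshd[4101]: Failed password for root from 203.0.113.7 port 40122 ssh2
Oct  5 14:40:03 home sshd[4103]: Failed password for invalid user admin from 203.0.113.7 port 40130 ssh2
Oct  5 14:40:04 home sshd[4104]: Accepted password for alice from 192.0.2.50 port 51000 ssh2
Oct  5 14:40:06 home sshd[4106]: Failed password for invalid user x from 192.0.2.50 from 203.0.113.7 port 40141 ssh2
Oct  5 14:41:00 home sshd[4110]: Failed password for alice from 198.51.100.20 port 33001 ssh2
Oct  5 15:30:00 home sshd[4200]: Failed password for alice from 198.51.100.20 port 33002 ssh2
""".splitlines()

def scan(lines, year=2009):
    """Return (ip, ban_start, ban_end) tuples in the order the bans fire."""
    recent = defaultdict(deque)  # ip -> failure times still inside FINDTIME
    banned_until, bans = {}, []
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year, so the caller supplies one
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        if ip in banned_until and when < banned_until[ip]:
            continue  # host is already locked out
        q = recent[ip]
        q.append(when)
        while when - q[0] > FINDTIME:
            q.popleft()  # forget failures older than the window
        if len(q) >= MAXRETRY:
            banned_until[ip] = when + BANTIME
            bans.append((ip, when, when + BANTIME))
            q.clear()
    return bans
```

A legitimate user who mistypes a password twice, 49 minutes apart, stays below the threshold; only the host with three failures inside the window is banned.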
