Mailinglist Archive: opensuse (1570 mails)

Re: [opensuse] Coordinated, distributed ssh attacks?
  • From: John Andersen <jsamyth@xxxxxxxxx>
  • Date: Mon, 05 Oct 2009 14:32:33 -0700
  • Message-id: <4ACA65F1.5060002@xxxxxxxxx>
Greg Freemyer wrote:
On Mon, Oct 5, 2009 at 2:46 PM, John Andersen <jsamyth@xxxxxxxxx> wrote:
Joop Beris wrote:
On Saturday 03 October 2009 17:16:09 Per Jessen wrote:

I've just remembered the only drawback - using rsync, scp and others who
use ssh under the covers does become a little tiresome, but I think
both rsync and scp have environment variables that'll set a usable
default so you don't have to specify the new port all the time.
Fail2ban is your friend: http://www.fail2ban.org/wiki/index.php/Main_Page

I use it to protect my home server against SSH and Apache attacks. Works
like a charm and I don't have to use the "security through obscurity" approach by
running my ssh daemon on a different port. Sure, it will stop scripted
attacks, but it breaks rsync et al.

HTH,

Joop
You've misinterpreted the entire thread. Slow distributed ssh attacks
go right thru Fail2ban, because they don't hit you from the same address
and they don't hit you in quick succession.

So is it also true that denyhosts is failing to block these attacks?
Even if you pull down rogue IPs from the denyhosts central DB?

Thanks
Greg

It's a distributed attack. They might not EVER contact you twice
from the same IP.

Deny hosts is a losing battle.
Allow hosts only works for specific static ips.

Publickey is the only reasonable approach that I can see.
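
Added illustration, not part of the original message and not code from fail2ban or DenyHosts: a per-address rule (named after fail2ban's `maxretry`/`findtime` options) run next to an aggregate count of distinct low-rate sources, showing why the per-address rule never fires on the kind of attack discussed in this thread. The log lines are constructed, and the function names, thresholds and the year 2009 are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_RE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
                     r"Failed password for (?:invalid user )?(\S+) from (\S+) port")

def parse(lines, year=2009):
    """Yield (timestamp, user, source_ip); syslog omits the year, so it is assumed."""
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3)

def per_ip_bans(events, maxretry=5, findtime=timedelta(minutes=10)):
    """Per-address rule: ban an IP with >= maxretry failures inside findtime."""
    by_ip, banned = defaultdict(list), set()
    for ts, _user, ip in sorted(events):
        recent = [t for t in by_ip[ip] if ts - t <= findtime] + [ts]
        by_ip[ip] = recent
        if len(recent) >= maxretry:
            banned.add(ip)
    return banned

def distributed_sources(events, banned, window=timedelta(hours=2), min_sources=10):
    """Aggregate rule: distinct unbanned IPs failing inside one window, if >= min_sources."""
    quiet = sorted(e for e in events if e[2] not in banned)
    best = set()
    for i, (end, _u, _ip) in enumerate(quiet):
        ips = {ip for ts, _u2, ip in quiet[:i + 1] if end - ts <= window}
        if len(ips) > len(best):
            best = ips
    return best if len(best) >= min_sources else set()

def sample_log():
    """Constructed log: 12 one-shot sources 7 minutes apart, plus one noisy source."""
    t0 = datetime(2009, 10, 5, 2, 0, 0)
    fmt = "Oct  5 {:%H:%M:%S} host sshd[4101]: Failed password for {} from {} port 40000 ssh2"
    slow = [fmt.format(t0 + timedelta(minutes=7 * i), "root", f"198.51.100.{i + 1}") for i in range(12)]
    loud = [fmt.format(t0 + timedelta(minutes=30, seconds=10 * i), "invalid user admin", "203.0.113.7")
            for i in range(6)]
    return slow + loud

if __name__ == "__main__":
    events = list(parse(sample_log()))
    banned = per_ip_bans(events)
    print("per-IP rule bans:", sorted(banned))
    print("low-rate sources seen by aggregate rule:", len(distributed_sources(events, banned)))
```

The aggregate count only tells you the campaign is happening; with sources that never repeat there is nothing useful to ban, which is the argument for public-key authentication made above.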