> -----Original Message-----
> > I would disagree a bit. Denying access after a small number of
> > unsuccessful logons effectively reduces the bandwidth of anyone attempting
> > a brute force attack, script kiddie or pro. Changing ports may hide you
> > from script kiddies but not from a pro.
>
> Not so sure I would agree with this. If they are hammering you then yes. But
> if they watch their logs then they will see that after X attempts they are no
> longer getting a reply, then they could (at least I would) add time in between
> requests. Sooner or later they will find the right time intervals and they
> are back in business again.
>
> Ex: you set 5 attempts/5 minutes. They change this script to wait 61 sec
> between attempts and they are back in business.

Exactly - you've reduced their bandwidth, exactly the same as the standard logon daemon does - so many command line login failures and it sleeps for a while.

In a brute force attack bandwidth is key; reduce it and generally the attacker will move to an easier target. The current crop of SSH script kiddies will definitely move on. A determined (and capable) attacker can always carefully time their attacks (and use multiple IPs), but you've made it much harder (i.e. slower).

So you slow them down, you insist on good passwords, and you check your logs. And if it's reasonable you change ports - but security through obscurity alone is generally a Bad Idea.

Brian
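The "5 attempts / 5 minutes" policy and the 61-second pacing trick from the exchange above, simulated in an added example that is not part of the original thread. It models the lockout as a per-source sliding window (5 failures are evaluated, a 6th inside the window is refused) and counts how many guesses an all-wrong attacker actually gets evaluated in an hour: hammering at one guess per second, pacing at 61 seconds, and rotating across several source IPs. The lockout semantics, the one-hour horizon and the 198.51.100.x source addresses are assumptions made for the simulation, not details from the thread.

```python
from collections import defaultdict, deque


class SlidingWindowLockout:
    """Refuse logons from a source once it has `max_failures` failures inside the
    last `window` seconds.  Assumed reading of "5 attempts / 5 minutes": five
    failures are evaluated, a sixth arriving inside the window is refused."""

    def __init__(self, max_failures=5, window=300):
        self.max_failures = max_failures
        self.window = window
        self.failures = defaultdict(deque)  # source -> timestamps of recent failures
        self.refused = 0                     # what a lockout log would show

    def attempt(self, source, now):
        """Record a (failed) logon attempt; True if it was evaluated, False if refused."""
        q = self.failures[source]
        while q and now - q[0] >= self.window:  # drop failures older than the window
            q.popleft()
        if len(q) >= self.max_failures:
            self.refused += 1
            return False
        q.append(now)
        return True


class NoThrottle:
    """Baseline: every attempt is evaluated, nothing is ever refused."""
    refused = 0

    def attempt(self, source, now):
        return True


def guesses_per_hour(policy, interval, sources=1):
    """Simulate one hour of an attacker whose guesses are all wrong, sending one
    guess every `interval` seconds and rotating across `sources` source IPs.
    Returns (guesses actually evaluated, attempts refused by the policy)."""
    evaluated = 0
    i = 0
    while i * interval < 3600:
        src = f"198.51.100.{i % sources}"   # constructed documentation-range IPs
        if policy.attempt(src, i * interval):
            evaluated += 1
        i += 1
    return evaluated, policy.refused


if __name__ == "__main__":
    print("no throttle, 1 guess/s      :", guesses_per_hour(NoThrottle(), 1))
    print("lockout, hammering 1 guess/s:", guesses_per_hour(SlidingWindowLockout(), 1))
    print("lockout, paced every 61 s   :", guesses_per_hour(SlidingWindowLockout(), 61))
    print("lockout, 10 IPs, 10 s apart :", guesses_per_hour(SlidingWindowLockout(), 10, sources=10))
```

The numbers bear out both sides of the exchange. Without a lockout the attacker gets 3600 guesses an hour; with it, hammering and pacing both yield 60, because the window caps a single source at five guesses per five minutes whatever the timing. What the 61-second pacing changes is the log: the hammering attacker triggers thousands of refusals, the paced one triggers none, so a defender who only reviews lockout events never sees the paced attack and has to count plain failures instead. Rotating across ten source IPs ten seconds apart keeps every source under the threshold and brings the attacker back to 360 evaluated guesses an hour, which is the "multiple IPs" caveat in plain figures.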