On Sun, 2005-04-10 at 08:54 -0500, David Hoffman wrote:
> On Apr 9, 2005 6:43 PM, Robert Spangler <bms@xxxxxxxxxxxxxxxx> wrote:
> > I will agree that for a script kiddy this will work, but for someone who is
> > really trying to get in they will figure this out in a short time and then
> > you are no longer protected. The best bet is to move to an unknown port.
>
> Sorry. Not true. If it is someone who knows that your system is there,
> and seriously wants to get in, simply moving ports is not going to
> stop them. It is very easy to see which ports respond to a connection
> attempt, and when you find a port that responds, it is not difficult
> to tell that it is an SSH daemon that you connected to.

exactly

> Blocking access based on IP addresses is also not perfect, because
> people who are intent on breaking in can simply try from another
> address... but then you are talking about a big waste of resources
> when you only get a few attempts before getting locked out.
>
> The method mentioned above does seem to make good sense because after
> only a small number of unsuccessful attempts in a short time, they are
> automatically blocked for a time. And the number of attempts or time
> are configurable.
>
> The next best thing that can be done to this is to not only block them
> for a period of time, but rather block them until a system
> administrator manually unblocks them.

For a home user (and many businesses as well) it is common that remote access to a server is from one IP or a small subnet of IPs. For me that is from work, with a single firewall egress point, or from home with a static (fixed for over a year) IP. How static the home IP is depends upon your ISP.

A combination of 2 approaches works well for me and has almost 100% blocked all the ssh attacks on my server, which is not at my home. The timeout of 5 attempts in 5 minutes makes sure that those who can connect to ssh do not do so with an attack method. Only allowing access to SSH from a limited IP address range makes sure that only those at addresses I have approved are even allowed to touch ssh on the server. This may not work for those who are highly mobile, but even big organizations that use a DMZ for access from both internet and intranet use the address to limit those hosts that are allowed to connect to certain ports.

> --
>
> David
> Registered Linux User 383030 (since everyone else was doing it 8-)
> -----------------------------------------------------------------------
> There are only 10 kinds of people in this world,
> those who understand binary, and those who don't.
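As an added illustration of the two-layer policy described in the reply above (a source-address allowlist, plus a temporary block once an allowed address fails 5 logins within 5 minutes), here is a small simulation that replays sshd-style log lines through both rules and reports what each connection attempt would get. It is not code from the thread or from any of its posters. Assumptions: the allowlist networks 203.0.113.0/24 and 198.51.100.7/32, a 15-minute block duration (the post only says "for a time"), and the log lines, which are constructed for the example. In a real deployment both rules live in the packet filter in front of sshd; the simulation just shows the policy's behaviour, including the sliding window expiring old failures.

```python
"""Simulate: allowlisted sources only, then block after 5 failed logins in 5 min."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 5                     # "5 attempts in 5 minutes" from the post
WINDOW = timedelta(minutes=5)
BLOCK_FOR = timedelta(minutes=15)    # assumption: the post does not give a duration

# Assumed allowlist: an office egress firewall's subnet and a home static IP.
ALLOWED_SOURCES = [ipaddress.ip_network("203.0.113.0/24"),
                   ipaddress.ip_network("198.51.100.7/32")]

# Matches the "Failed password" / "Accepted password" lines OpenSSH writes to syslog.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?\S+ "
    r"from (?P<ip>\S+) port \d+")


def parse(line):
    """Return (timestamp, source address, failed?) or None for other lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; only differences matter here, so the
    # default year strptime supplies is fine.
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return ts, ipaddress.ip_address(m["ip"]), m["result"] == "Failed"


def source_allowed(ip):
    return any(ip in net for net in ALLOWED_SOURCES)


class SshGuard:
    def __init__(self):
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.blocked_until = {}             # ip -> time the temporary block ends

    def decide(self, ts, ip, failed):
        # Rule 1: anything outside the allowlist never reaches sshd.
        if not source_allowed(ip):
            return "DROP (source not allowlisted)"
        # Rule 2: an allowed address that tripped the limit is dropped for a while.
        until = self.blocked_until.get(ip)
        if until is not None and ts < until:
            return "DROP (temporarily blocked)"
        if not failed:
            return "ACCEPT"
        q = self.failures[ip]
        q.append(ts)
        while q and ts - q[0] > WINDOW:     # forget failures older than the window
            q.popleft()
        if len(q) >= MAX_FAILURES:
            self.blocked_until[ip] = ts + BLOCK_FOR
            q.clear()
            return "BLOCK (%d failures within %d min)" % (
                MAX_FAILURES, WINDOW.seconds // 60)
        return "ACCEPT (failure %d/%d)" % (len(q), MAX_FAILURES)


def run_log(text):
    """Replay log lines in order; return [(source ip, decision), ...]."""
    guard = SshGuard()
    out = []
    for line in text.splitlines():
        rec = parse(line)
        if rec:
            out.append((str(rec[1]), guard.decide(*rec)))
    return out


# Constructed sample: one outsider, one allowed host hammering root, one home user.
SAMPLE_LOG = """\
Apr 10 08:54:01 srv sshd[2201]: Failed password for invalid user admin from 192.0.2.44 port 40112 ssh2
Apr 10 08:55:10 srv sshd[2210]: Failed password for root from 203.0.113.9 port 51000 ssh2
Apr 10 08:55:20 srv sshd[2211]: Failed password for root from 203.0.113.9 port 51001 ssh2
Apr 10 08:55:31 srv sshd[2212]: Failed password for root from 203.0.113.9 port 51002 ssh2
Apr 10 08:55:42 srv sshd[2213]: Failed password for root from 203.0.113.9 port 51003 ssh2
Apr 10 08:55:53 srv sshd[2214]: Failed password for root from 203.0.113.9 port 51004 ssh2
Apr 10 08:56:05 srv sshd[2215]: Failed password for root from 203.0.113.9 port 51005 ssh2
Apr 10 09:12:00 srv sshd[2230]: Accepted password for dave from 203.0.113.9 port 51100 ssh2
Apr 10 09:30:00 srv sshd[2240]: Accepted password for dave from 198.51.100.7 port 33000 ssh2
Apr 10 09:31:00 srv sshd[2241]: Failed password for dave from 198.51.100.7 port 33001 ssh2
Apr 10 09:40:00 srv sshd[2242]: Failed password for dave from 198.51.100.7 port 33002 ssh2
"""

if __name__ == "__main__":
    for ip, decision in run_log(SAMPLE_LOG):
        print("%-14s %s" % (ip, decision))
```

The last two lines of the sample show why the window matters: the home user's second typo at 09:40 is 9 minutes after the first, so the earlier failure has aged out and the count starts again at 1, while the attacker from the allowed office subnet is cut off on the 5th failure and stays cut off until the block expires. As the thread notes, an attacker who rotates source addresses is slowed rather than stopped by the rate limit; it is the allowlist that keeps unknown addresses away from sshd entirely.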