On Sun, May 27, 2007 at 08:02:29 -0400, Tom Rivers <tom@xxxxxxxxxxxxxxxxx> wrote:
> On Sat, 2007-05-26 at 13:16 -0700, Wolfgang S. Rupprecht wrote:
> > Such programs help you save the CPU time of sshd answering the
> > connection from a single abusive host, but would do little against a
> > distributed botnet attack. Luckily botnets aren't really used against
> > sshd yet, but if they were you'd potentially be seeing distributed
> > guessing attacks from 10,000 different hosts. If they all took turns
> > to guess a single password in round-robin fashion, the filters would
> > never trip.
>
> You're right. What do you recommend to protect against this sort of
> attack?

A good relationship with your ISP. 10K hosts could just swamp your link and you will need upstream help to block it before it gets to your link.

If you are worried about slow guessing attacks from multiple IPs, the same advice previously given will work. Either use strong passwords or public keys for authentication. (Presumably, if you are asking this question there isn't a small set of IP addresses that legitimate ssh connections can come from.)
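
An added example, not part of the original thread: a log check showing why a per-source-IP filter never trips on round-robin guessing, while counting failures per target account across distinct sources does reveal it. The log lines are constructed, and the function names and thresholds are assumptions chosen for illustration.

```python
import re
from collections import Counter, defaultdict

# Matches OpenSSH "Failed password" auth-log messages.
FAILED = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def parse_failures(lines):
    """Yield (user, ip) for every failed-password line."""
    for line in lines:
        m = FAILED.search(line)
        if m:
            yield m.group("user"), m.group("ip")

def per_ip_offenders(lines, threshold=5):
    """Per-source filter: IPs with at least `threshold` failures (assumed value)."""
    counts = Counter(ip for _, ip in parse_failures(lines))
    return {ip for ip, n in counts.items() if n >= threshold}

def distributed_targets(lines, min_failures=20, min_sources=10):
    """Aggregate view: accounts failing often from many distinct IPs."""
    fails = Counter()
    sources = defaultdict(set)
    for user, ip in parse_failures(lines):
        fails[user] += 1
        sources[user].add(ip)
    return {
        user: (fails[user], len(sources[user]))
        for user in fails
        if fails[user] >= min_failures and len(sources[user]) >= min_sources
    }

def sample_log():
    """Constructed sample: 30 hosts, one guess each, plus one noisy host."""
    lines = [
        f"May 27 08:{i:02d}:00 host sshd[{1000 + i}]: Failed password for root "
        f"from 203.0.113.{i + 1} port {40000 + i} ssh2"
        for i in range(30)
    ]
    lines += [
        f"May 27 09:00:{i:02d} host sshd[{2000 + i}]: Failed password for "
        f"invalid user test from 198.51.100.7 port {50000 + i} ssh2"
        for i in range(6)
    ]
    return lines

if __name__ == "__main__":
    log = sample_log()
    print("per-IP filter trips on:", per_ip_offenders(log))
    print("distributed guessing against:", distributed_targets(log))
```

The aggregate count only makes the pattern visible; the mitigation remains the one given in the thread, strong passwords or public-key authentication.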