From: "Tom Rivers" <tom@xxxxxxxxxxxxxxxxx>
On Sat, 2007-05-26 at 13:16 -0700, Wolfgang S. Rupprecht wrote:
Such programs help you save the CPU time of sshd answering the
connection from a single abusive host, but would do little against a
distributed botnet attack. Luckily botnets aren't really used against
sshd yet, but if they were you'd potentially be seeing distributed
guessing attacks from 10,000 different hosts. If they all took turns
to guess a single password in round-robin fashion, the filters would
never trip.
You're right. What do you recommend to protect against this sort of
attack?
You could detect a large number of ssh failures total within a short
period of time and lock out ssh altogether for a period of seconds. That
would be a use for your script. Of course, it would leave you stuck with
a DoS condition. Now, if you figure out how to do it, you open a second
ssh daemon on a different port that you know but that is randomly numbered. So if
you are DoSed out of the box you go to the security through obscurity
port that's been opened up. (Of course, that port should have the same
rules as the primary ssh port.)
{^_^}
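As an added illustration of the aggregate-failure check suggested above (example code written for this note, not from anyone in the thread): a small Python routine that counts sshd "Failed password" lines across all source hosts in a sliding window and flags a lockout when the total crosses a threshold. A per-host filter sees at most one failure per host in the round-robin scenario described earlier and never trips; the aggregate counter does. The log lines are constructed samples in OpenSSH auth-log format, and the 60-second window and threshold of 20 are assumptions to be tuned per site.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Matches the "Failed password" line OpenSSH writes to the auth log.
FAILED_RE = re.compile(
    r"^(?P<month>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failure(line, year=2007):
    """Return (timestamp, source_ip, user) for a failed-password line, else None.
    Syslog lines carry no year, so one is supplied (assumed 2007 for the samples)."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['month']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["user"]


class AggregateFailureDetector:
    """Counts sshd failures from *all* hosts inside a sliding time window.

    Unlike a per-host filter, this trips when thousands of hosts each guess once."""

    def __init__(self, window=timedelta(seconds=60), threshold=20):
        self.window = window
        self.threshold = threshold
        self.events = deque()  # timestamps of failures still inside the window

    def observe(self, ts):
        """Record one failure; return True if the window total reached the threshold."""
        self.events.append(ts)
        cutoff = ts - self.window
        while self.events and self.events[0] < cutoff:
            self.events.popleft()
        return len(self.events) >= self.threshold


def scan(lines, window=timedelta(seconds=60), threshold=20):
    """Return (distinct_hosts, peak_failures_in_window, first_lockout_timestamp)."""
    det = AggregateFailureDetector(window, threshold)
    hosts = set()
    peak = 0
    triggered_at = None
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue  # successful logins and unrelated lines are ignored
        ts, ip, _user = parsed
        hosts.add(ip)
        tripped = det.observe(ts)
        peak = max(peak, len(det.events))
        if tripped and triggered_at is None:
            triggered_at = ts
    return len(hosts), peak, triggered_at


def per_host_max(lines):
    """Peak failure count from any single host: what a per-host filter would see."""
    counts = {}
    for line in lines:
        parsed = parse_failure(line)
        if parsed:
            counts[parsed[1]] = counts.get(parsed[1], 0) + 1
    return max(counts.values(), default=0)


# Constructed sample: 25 failures in 25 seconds, each from a different host,
# with one unrelated successful login mixed in.
SAMPLE_LOG = [
    f"May 26 13:16:{i:02d} gw sshd[{1000 + i}]: Failed password for root "
    f"from 10.0.0.{i} port {40000 + i} ssh2"
    for i in range(25)
]
SAMPLE_LOG.insert(5, "May 26 13:16:05 gw sshd[999]: Accepted publickey for alice from 192.168.1.5 port 51234 ssh2")

if __name__ == "__main__":
    hosts, peak, at = scan(SAMPLE_LOG)
    print(f"distinct hosts={hosts} peak in window={peak} "
          f"per-host peak={per_host_max(SAMPLE_LOG)} lockout at={at}")
```

Running it shows 25 distinct hosts, a per-host peak of 1 (so a per-host filter stays silent) and an aggregate lockout at the 20th failure. As the post notes, acting on that signal by closing the port trades the guessing attack for a self-inflicted outage, so the detector is only useful together with an out-of-band way back in.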