[Tfug] Stopping repeated login attempts
Jeff Breadner
jeff at breadner.ca
Thu Jan 28 10:34:07 MST 2010
Glen Pfeiffer wrote:
> On 28 Jan 2010, Jon wrote:
>
>> On 28 Jan 2010, John Gruenenfelder wrote:
>>
>>> I second the use of DenyHosts. I'm using it on all of my
>>> machines with Net exposed SSH access. It is very fast and
>>> easy to set up and it works wonders against brute force
>>> attacks and will stop them in very short order.
>>>
>>>
> [snip]
>
>> No, no. no. According to some experts on this list you just
>> change the port number and your problem is solved. Why would
>> you want to *actually* fix the problem when you can just
>> "move" the problem hoping no one finds it again?
>>
>
> I actually haven't heard anyone recommend that changing the port
> is the only thing that should be done. Did I miss that? Or did
> you misunderstand?
>
>
That was pretty much the only recommendation that I made in an early
email. I didn't intend for anyone to think that it was the whole
solution. It's the only action I've taken because I have an
uninteresting site that probably won't be singled out for attack, and
the consequences of failure are low. Your reaction should vary
depending on a) how much time & effort it would cost to fix things
should you get hacked, b) how sensitive the information is being held
behind this SSH login, c) how high a profile target you are, and d) how
much time and expertise you're able to spend locking things down.
There have been some great suggestions given here that I was unaware of,
if something like DenyHosts is easy to set up & implement then I'll
probably install it.
Moving ports will not defend against you being singled out by a
moderately sophisticated attacker, but for me it does stem the tide of
all the "script kiddie" style unsophisticated attacks that tend to do
nothing but eat up log space.
cheers
Jeff
More information about the tfug
mailing list