... Sigh ......

Bill Campbell linux-sxs at celestial.com
Thu Jul 24 16:58:30 PDT 2008


On Thu, Jul 24, 2008, Ken Moffat wrote:
>Ben Duncan wrote:
>> Me to person setting up my Web Server:
>>
>> Don't ya think we outta move the sshd port to an unknown port and
>> use psk ?
>>
>> person setting up web server:
>>
>> naw, I never have had any problems .......
>>
>> Me at 3 PM yesterday:
>>
>> Ok, I'll turn sshd on with passwords .
>>
>> Me at 12 noon today:
>>
>> &$%^@#%$!(@&#$^!)#$%^)!@(#%$&%^ ...
>> after seeing that someone launched a dictionary attack JUST
>> 6 hours I set up sshd - that ran for 8 hours against my server ...
>>
>> ME to web person: sshd has been moved to port #### and WE will be using
>> psk starting tomorrow ......
>>
>> Web Person: You're $HITTING me, I never had any problems before ....
>>
>
>Have you tried "denyhosts"? Catches dictionary attacks and adds the
>attacker to /etc/hosts.deny.

That's one approach, but it may fill log files with rejection messages.

The fail2ban program can automatically add iptables entries to deny hosts
that appear to be making attacks, automatically removing the block after a
specified period of time.  It also can track multiple log files and/or
patterns, so it works against a wide variety of attacks (I see many attacks
against POP and IMAP as well).

My solution to web persons is to require they use OpenVPN to connect to our
servers, and only permit ssh access with authorized_keys, no passwords.

Bill
-- 
INTERNET:   bill at celestial.com  Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/  PO Box 820; 6641 E. Mercer Way
Voice:          (206) 236-1676  Mercer Island, WA 98040-0820
Fax:            (206) 232-9186

Those who profess to favor freedom, and yet depreciate agitation, are
men who want rain without thunder and lightning.  They want the ocean
without the roar of its many waters.  -- Frederick Douglass

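The fail2ban behaviour Bill describes (count failures per source host across several log patterns, add an iptables rule when a threshold is crossed, remove it again after a set bantime) written out as an added example over constructed log lines; this is not fail2ban's own code, and the filter regexes, the sample lines and the year used for the syslog timestamps are assumptions:

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample syslog lines (not taken from the thread): one sshd
# dictionary run, one legitimate key login, one IMAP failure.
SAMPLE_LOG = """\
Jul 24 12:00:01 host sshd[4101]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Jul 24 12:00:03 host sshd[4102]: Failed password for invalid user oracle from 203.0.113.5 port 40123 ssh2
Jul 24 12:00:06 host sshd[4103]: Failed password for root from 203.0.113.5 port 40124 ssh2
Jul 24 12:00:09 host sshd[4104]: Failed password for invalid user test from 203.0.113.5 port 40125 ssh2
Jul 24 12:00:10 host sshd[4105]: Failed password for bill from 198.51.100.7 port 50100 ssh2
Jul 24 12:00:40 host sshd[4106]: Accepted publickey for bill from 198.51.100.7 port 50101 ssh2
Jul 24 12:01:00 host dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=192.0.2.9, lip=10.0.0.1
"""

# Simplified filters in the spirit of fail2ban's sshd and dovecot filters (assumed, not verbatim).
FILTERS = {
    "sshd": re.compile(r"sshd\[\d+\]: Failed password for .* from (?P<ip>\d+\.\d+\.\d+\.\d+) port"),
    "dovecot": re.compile(r"dovecot: (?:imap|pop3)-login: .*auth failed.*rip=(?P<ip>\d+\.\d+\.\d+\.\d+)"),
}

def parse_ts(line, year):
    # Syslog lines carry no year; the caller supplies one.
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")

def scan(log, maxretry=3, findtime=600, bantime=3600, year=2008):
    """Return {ip: (jail, ban_start, ban_end)} for hosts that reach maxretry
    matching failures inside a findtime-second sliding window."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    bans = {}
    for line in log.splitlines():
        for jail, rx in FILTERS.items():
            m = rx.search(line)
            if not m:
                continue
            ip, ts = m.group("ip"), parse_ts(line, year)
            window = recent[ip]
            window.append(ts)
            while ts - window[0] > timedelta(seconds=findtime):
                window.popleft()      # drop failures older than findtime
            if len(window) >= maxretry and ip not in bans:
                bans[ip] = (jail, ts, ts + timedelta(seconds=bantime))
    return bans

def is_blocked(bans, ip, when):
    """True while the firewall rule for ip would still be in place."""
    if ip not in bans:
        return False
    _, start, end = bans[ip]
    return start <= when < end

def firewall_actions(bans):
    """Chronological (time, command) pairs: insert the DROP rule at ban time, delete it at expiry."""
    actions = []
    for ip, (_, start, end) in bans.items():
        actions.append((start, f"iptables -I INPUT -s {ip} -j DROP"))
        actions.append((end, f"iptables -D INPUT -s {ip} -j DROP"))
    return sorted(actions)
```

The single failed password from 198.51.100.7 (a typo before a successful key login) and the lone IMAP failure stay below maxretry and are never blocked, which is the difference between this and blanket rejection logging.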