... Sigh ......

Ken Moffat kmoffat at drizzle.com
Thu Jul 24 17:06:30 PDT 2008


Bill Campbell wrote:
> On Thu, Jul 24, 2008, Ken Moffat wrote:
>   
>> Ben Duncan wrote:
>>     
>>> Me to person setting up my Web Server:
>>>
>>> Don't ya think we oughta move the sshd port to an unknown port and
>>> use psk ?
>>>
>>> person setting up web server:
>>>
>>> naw, I never have had any problems .......
>>>
>>> Me at 3 PM yesterday:
>>>
>>> Ok, I'll turn sshd on with passwords .
>>>
>>> Me at 12 noon today:
>>>
>>> &$%^@#%$!(@&#$^!)#$%^)!@(#%$&%^ ...
>>> after seeing that someone launched a dictionary attack JUST
>>> 6 hours after I set up sshd - that ran for 8 hours against my server ...
>>>
>>> ME to web person: sshd has been moved to port #### and WE will be using
>>> psk starting tomorrow ......
>>>
>>> Web Person: You're $HITTING me, I never had any problems before ....
>>>
>>>       
>> Have you tried "denyhosts"? Catches dictionary attacks and adds the
>> attacker to /etc/hosts.deny.
>>     
>
> That's one approach, but it may fill log files with rejection messages.
>
> The fail2ban program can automatically add iptables entries to deny hosts
> that appear to be making attacks, automatically removing the block after a
> specified period of time.  It also can track multiple log files and/or
> patterns so works against a wide variety of attacks (I see many attacks
> against POP and IMAP as well).
>
> My solution to web persons is to require they use OpenVPN to connect to our
> servers, and only permit ssh access with authorized_keys, no passwords.
>
> Bill
>   

denyhosts does add and remove offending IPs, but not sure about
multiple log files, and POP/IMAP is a great feature. Will check it out.
Thanks.

Ken
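
Added example, not part of the original thread and not code from fail2ban or denyhosts: a simplified sketch of the ban-then-expire logic discussed above, run over constructed sshd log lines. The parameter names maxretry, findtime and bantime mirror fail2ban's settings; the scan() function, the log lines and the year are assumptions made for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in OpenSSH syslog format; addresses are documentation ranges.
SAMPLE_LOG = """\
Jul 24 06:00:01 web sshd[811]: Failed password for root from 203.0.113.7 port 4101 ssh2
Jul 24 06:00:03 web sshd[812]: Failed password for invalid user admin from 203.0.113.7 port 4102 ssh2
Jul 24 06:00:05 web sshd[813]: Failed password for invalid user test from 203.0.113.7 port 4103 ssh2
Jul 24 06:02:00 web sshd[820]: Failed password for ben from 198.51.100.9 port 5000 ssh2
Jul 24 06:02:30 web sshd[821]: Accepted password for ben from 198.51.100.9 port 5001 ssh2
Jul 24 06:20:00 web sshd[830]: Failed password for root from 203.0.113.7 port 4200 ssh2
"""

FAILED = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                    r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+")

def scan(log, maxretry=3, findtime=600, bantime=600, year=2008):
    """Return (time, action, ip) events, where action is 'ban' or 'unban'."""
    recent = defaultdict(deque)   # ip -> failure times still inside findtime
    banned = {}                   # ip -> time at which the ban expires
    events = []
    for line in log.splitlines():
        m = FAILED.match(line)
        if not m:
            continue              # successful logins and other lines are ignored
        # syslog timestamps carry no year, so one is assumed
        now = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        # Lift bans whose time is up (the automatic removal Bill describes).
        for old_ip, until in list(banned.items()):
            if until <= now:
                events.append((until, "unban", old_ip))
                del banned[old_ip]
        if ip in banned:
            continue              # a real block would stop these lines appearing
        window = recent[ip]
        window.append(now)
        while (now - window[0]).total_seconds() > findtime:
            window.popleft()      # forget failures older than findtime
        if len(window) >= maxretry:
            banned[ip] = now + timedelta(seconds=bantime)
            events.append((now, "ban", ip))
            window.clear()
    return events
```

On the sample, the address that fails three times in five seconds is banned and released ten minutes later, while the user who mistypes a password once is left alone.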




