Good suggestions so far. Another simple thing you can do to protect yourself against that sort of attack is setting the delay after an incorrect login attempt higher. For a machine on the net consider 30-60 sec (or as much as you and your users are willing to tolerate). It'll be a bit more of a PITA for you when you mess up your login, but it'll _really_ slow down a brute force / dictionary attack to the point where the majority will just move on to quicker/easier targets.

Remember, that sort of attack is a numbers game (slow business). The more permutations and combinations of stuff they can throw at you, the more likely they will score in the end. The quicker they can retry, the faster their progress. ... and toughening up the passwords would certainly be on my to-do list.

Marcel

On Mon, 2005-02-21 at 23:54 -0700, Nick W wrote:
> On February 21, 2005 10:53 pm, Michael Gale wrote:
> > Hello,
> >
> > Reporting the activity will most likely not do any good since nothing
> > has really come of the login attempts. You would have to prove that the
> > connections are malicious beyond a reasonable doubt. Depending on your
> > logs or traffic analyst this may or may not be possible.
> >
> > Also most ISPs are too busy to look into and police their network unless
> > something concrete has happened. It is kind of like the stalking law ...
> > not much can be done until it is too late.
> >
> > I would suggest downloading the latest OpenSSH source 3.9 and building it
> > from source.
> >
> > Also restrict which users can use SSH by setting the "AllowUsers"
> > variable, also:
> >
> > PermitEmptyPasswords no
> > StrictModes yes
> >
> > in addition, use a non-standard port when possible.
>
> Script kiddies don't have much for brains -- just too much time.
>
> > Michael.
> >
> > Greg King wrote:
> > > Hi folks,
> > >
> > > I have a RH9 system which is exposed to the internet by having a firewall
> > > port forward SSH to it. Root login is disabled, and the few (4~5)
> > > accounts that are on the box have passwords, although probably not as
> > > hard as they should be.
> > >
> > > For the past few weeks I've noticed lots of attempts to log on using
> > > various ids, most of which don't exist on the box. I've also heard that
> > > SSH itself has known exploits which can result in nefarious types taking
> > > control of a box. I don't believe the box is compromised yet, as tripwire
> > > seems to be not finding any newly changed system files, but I guess worst
> > > case tripwire itself could be compromised. My question is twofold:
> > >
> > > 1. How easy is it to compromise SSH (OpenSSH_3.5p1 which was the latest
> > > one available when RH dropped auto update for RH9)? The RedHat site
> > > doesn't have an upgrade after Sep 2003.
> > > 2. Is it worthwhile to try to report this activity to abuse@ whatever
> > > domain the IP is coming from?
> > >
> > > Regards,
> > > Greg King

_______________________________________________
clug-talk mailing list
[email protected]
http://clug.ca/mailman/listinfo/clug-talk_clug.ca
Mailing List Guidelines (http://clug.ca/ml_guidelines.php)
**Please remove these lines when replying
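The sshd_config settings recommended in the thread (AllowUsers, PermitEmptyPasswords no, StrictModes yes, a non-standard port, plus the root login Greg already disabled) checked automatically against a config file. This is an added example, not code from anyone in the thread; the two config texts are constructed samples, and the parser assumes sshd's usual rules (case-insensitive keywords, first occurrence wins, directives after a Match line are conditional).

```python
"""Audit an sshd_config against the thread's advice: AllowUsers set,
PermitEmptyPasswords no, StrictModes yes, root login off, non-default port."""
import re

# Constructed samples: an unhardened config (note the commented-out directive)
# and one with the thread's recommendations applied plus a conditional Match.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
#PermitEmptyPasswords no
StrictModes no
"""
HARDENED_CONFIG = """\
Port 2222
PermitRootLogin no
PermitEmptyPasswords no
StrictModes yes
AllowUsers greg marcel
Match User backup
    PermitEmptyPasswords yes
"""

def parse_sshd_config(text):
    """Global keyword -> value using sshd's rules: keywords are case-insensitive,
    '#' starts a comment, whitespace or '=' separates keyword and value, the
    first occurrence wins, and everything after the first Match is conditional."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break  # directives below are conditional, not global
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings

def audit_sshd_config(text):
    """Return findings; an absent keyword is reported, never assumed safe."""
    cfg = parse_sshd_config(text)
    wanted = (("permitrootlogin", "no"), ("permitemptypasswords", "no"),
              ("strictmodes", "yes"))
    findings = [f"{k}: not explicitly '{v}'" for k, v in wanted if cfg.get(k) != v]
    if cfg.get("port", "22") == "22":
        findings.append("port: default 22; thread suggests a non-standard port")
    if not cfg.get("allowusers"):
        findings.append("allowusers: not set; any account may attempt SSH login")
    return findings
```

Running audit_sshd_config on the weak sample reports all five points; on the hardened sample it returns an empty list, and the PermitEmptyPasswords yes under Match is correctly ignored as a global setting.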

