Dan Mahoney, System Admin wrote:
I've looked around and found several linux-centric things designed to
block brute-force SSH attempts. Anyone out there know of something a bit
more BSD savvy?
My best attempt will be to get this:
running and adapt it.
I've found a few things based on openBSD's pf, but that doesn't seem to be
the default in BSD either.
Well, this is not really an answer, yet as you bring it up,
SecurityFocus had an article last week on this:
Along with some good advice. First of all: ssh is not a public service
like http or smtp where you need anyone to be able to connect. So don't
let them in the first place.
Disable direct root login, in the article more than a third attempted to
login as root. Disable shell access for service accounts such as mysql,
www or ldap.
Use a scheme for choosing usernames that avoids common names like
"james" and avoid publishing usernames on web-sites, e-mail may differ
from the username.
Disable password based authentication and require ssh-keys if possible,
best if you can ensure both pasword and key based authentication.
You may still find sshd login denied entries in your log - so what? it
was denied! This is really only a problem if the traffics saturates your
connection, or your log files grow so much that you run out of diskspace.
The article also comments on moving ssh to a different port, but this
causes confusion and annoyance if you have many users and is
non-standard. Doing the other things works great, an ssh-key on a
usb-keyring is great.
Personally, I created a script for parsing the delegated files from the
different regional registries such as only to allow connection from EU
Since then, I get at most one attempt a week, few enough to manually
look up the ip with whois and decide if the host or network should be
Ph: +34.666334818 web: http://www.locolomo.org
X.509 Certificate: http://www.locolomo.org/crt/8D03551FFCE04F0C.crt
Key ID: 69:79:B8:2C:E3:8F:E7:BE:5D:C3:C3:B1:74:62:B8:3F:9F:1F:69:B9
firstname.lastname@example.org mailing list
To unsubscribe, send any mail to "[EMAIL PROTECTED]"