Some of you running ssh on externally reachable hosts have probably noticed numerous attempts in the past few months to log in to various accounts via ssh. This is apparently a brute force automated attack trying well-known account names, weak passwords, etc. One way to mitigate this is to make sure you're using strong passwords and changing them with some regularity. But can you be sure all your users are doing the same?

If you can, you probably should limit ssh access to specific hosts, but this is often impossible and might not stop determined spoofing attacks. If you can, you should probably limit ssh authentication to using RSA/DSA keys instead of password-based login. See http://marc.theaimsgroup.com/?l=openbsd-misc&m=110367957829708&w=2 for info.

You may still want to block attack attempts, though, and convince automated attack scripts to stop trying. Some OpenBSD folks posted scripts to check /var/log/authlog for attacks and add those IPs to a pf firewall filter table dynamically. Not all of my machines with a reachable ssh are OpenBSD, but they all run tcp wrappers. So I modified those same scripts to dynamically add attack source IPs to /etc/hosts.deny. You can find my script at http://www.scottharney.com/blog/2005/01/03#ssh_blocker_wrap-sh

--
Scott Harney <[EMAIL PROTECTED]>
"Asking the wrong questions is the leading cause of wrong answers"
gpg key fingerprint=7125 0BD3 8EC4 08D7 321D CEE9 F024 7DA6 0BC7 94E5
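
The approach the post describes (scan authlog for failed ssh logins, add the source IPs to a tcp_wrappers deny list), as an added example that is not Scott Harney's script or the OpenBSD pf scripts it was derived from. The log lines are constructed, the threshold and the deny file path are parameters so it can be tried against a temporary file rather than /etc/hosts.deny, and it assumes the `sshd: <ip>` hosts.deny syntax used by tcp_wrappers.

```sh
#!/bin/sh
# Added example, not the original poster's script. Counts failed ssh password
# attempts per source IP and appends a tcp_wrappers hosts.deny entry for any
# source at or above a threshold, skipping entries already present.

# Constructed sample authlog lines (OpenSSH format); 203.0.113.7 is the
# brute-force source, 198.51.100.9 is a legitimate user with one typo.
SAMPLE_LOG='Jan  3 10:01:02 gw sshd[1234]: Failed password for root from 203.0.113.7 port 4422 ssh2
Jan  3 10:01:03 gw sshd[1235]: Failed password for invalid user test from 203.0.113.7 port 4423 ssh2
Jan  3 10:01:04 gw sshd[1236]: Failed password for invalid user admin from 203.0.113.7 port 4424 ssh2
Jan  3 10:01:05 gw sshd[1237]: Failed password for invalid user guest from 203.0.113.7 port 4425 ssh2
Jan  3 10:01:06 gw sshd[1238]: Failed password for invalid user oracle from 203.0.113.7 port 4426 ssh2
Jan  3 10:02:00 gw sshd[1240]: Failed password for alice from 198.51.100.9 port 5000 ssh2
Jan  3 10:02:30 gw sshd[1241]: Accepted publickey for alice from 198.51.100.9 port 5001 ssh2'

# Read log text on stdin; print "count ip" for each source with failed
# password attempts. Only sshd "Failed password" lines are considered, so
# successful logins and other daemons' messages are ignored.
count_failures() {
    grep 'sshd\[[0-9]*\]: Failed password for' |
        sed -n 's/.* from \([0-9.]*\) port .*/\1/p' |
        sort | uniq -c | awk '{print $1, $2}'
}

# block_attackers THRESHOLD DENYFILE: read log text on stdin and append
# "sshd: <ip>" to DENYFILE for every source with >= THRESHOLD failures,
# unless that exact entry is already there (safe to run repeatedly from cron).
block_attackers() {
    threshold="$1"; denyfile="$2"
    count_failures | while read -r n ip; do
        [ "$n" -ge "$threshold" ] || continue
        grep -q "^sshd: $ip\$" "$denyfile" 2>/dev/null && continue
        echo "sshd: $ip" >> "$denyfile"
    done
}

# Stand-alone demo against a temporary file instead of /etc/hosts.deny.
demo_denyfile=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" | block_attackers 3 "$demo_denyfile"
cat "$demo_denyfile"
rm -f "$demo_denyfile"
```

In production you would feed it `tail`-style output or the whole /var/log/authlog and point it at /etc/hosts.deny; tcp_wrappers re-reads that file on each connection, so no daemon restart is needed.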
