On Tue, May 10, 2005 at 07:33:15PM -0600, Sancho2k.net Lists wrote:
> I configure my sshd to only allow public key-based authentication. I use
> 1024 bit DSA keys and SSHv2 only. They can try brute forcing the box for
> centuries if they want, and they won't come any closer to getting in. I
> personally don't see a huge point to blocking attacks, but only if
> you're set up securely.

Disallowing password authentication isn't something that works for
everyone (along with port knocking, running SSH on an odd port, etc). I
run a server which allows public access to many people. I try to make
sure passwords are secure and SSHv1 is disabled, but I really can't be
locking down any more severely.
With an automated script, it can cut the attacks short while at the same
time alerting me to the attack. Why risk it?
> Users that allow SSHv1 or allow password auth and use weak passwords,
> now that is an issue to worry about, but you've got bigger problems on
> your hands.
Primarily my reason for using login_sentry is it emails me when an
attack is occurring. This provides me with an opportunity to
whois/reverse DNS the name and figure out where the attack is coming
from. If it is from a US/UK/Likely English Speaking/Likely to Care ISP
I will report it to their abuse desk.
In almost all of these cases the machine in question has been
compromised and is being used by a 3rd party cracker to scan for more
vulnerable boxen (creating botnets). If you, as an admin, are willing
to spend 5 minutes reporting these attacks you've potentially shut down
zombie boxes and you are doing the administrator and the ISP a huge
favor.
--
/--------------- - - - - - -
| Dan Noe, freelance hacker
| http://isomerica.net/
