On 06 24, 06, at 4:34 PM, a b wrote:
I'm actually running it to block brute-force attacks every 3 mins
and it works fine.
Ah, so you have brute force attacks on your SSH port(s)? Well, why
didn't you write so in the first place!
Yes, but not just on my sshd server. :)
I recommend to reconfigure the sshd daemon to listen on another
*well known* port. That confuses 100% of the attackers (no more
brute force attacks).
- It's a workaround not a solution.
If the attacker starts banging on the other port, he or she will
try to bang on the appropriate service on that port, but since
there is something completely different listening, they can bang on
it till the cows come home.
They can use strobe or amap and see what's in there that you're running.
As a *theoretical* example, you could reconfigure sshd to listen on
port 443. So when the attacker tries an attack on port 22, he/she
will get zilch, because sshd isn't listening on that port any more.
Can't do this. I'm running an HTTPS service.
However, the scan will reveal that you have port 443 open. So the
attacker "knows" that you have an SSL httpd listening on that port.
Except it's sshd instead! Imagine all the time they will waste with
SSL based attacks... on sshd!
Let me rephrase my question. Can ipfilter do a connection "rate limit"?
Jett Tayer
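The periodic blocking job mentioned at the top of the thread is not shown. As an added example (not code from the thread or from ipfilter), here is the detection half of such a job in Python: it parses constructed sshd syslog lines and reports source addresses that cross a failure threshold inside a sliding window, which a cron job could then turn into ipfilter block rules. The log format, the 3-failure threshold and the 180-second window are assumptions.

```python
"""Find source addresses that exceed a failed-login threshold in an sshd log window."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed syslog-style sshd lines (sample data, not taken from the thread).
SAMPLE_LOG = """\
Jun 24 16:30:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 40211 ssh2
Jun 24 16:30:03 host sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 40212 ssh2
Jun 24 16:30:05 host sshd[1203]: Failed password for root from 203.0.113.7 port 40213 ssh2
Jun 24 16:30:09 host sshd[1204]: Failed password for root from 203.0.113.7 port 40214 ssh2
Jun 24 16:30:20 host sshd[1205]: Accepted publickey for jett from 198.51.100.5 port 5022 ssh2
Jun 24 16:31:40 host sshd[1206]: Failed password for jett from 198.51.100.5 port 5023 ssh2
Jun 24 16:40:00 host sshd[1207]: Failed password for root from 203.0.113.7 port 40215 ssh2
"""

# Assumed OpenSSH "Failed password" line shape; "invalid user" is optional.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(text, year=2006):
    """Yield (timestamp, source_ip) for each failed-password line; other lines are ignored."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            # syslog omits the year, so the caller supplies it
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"]


def offenders(text, threshold=3, window_seconds=180):
    """Return the set of IPs with >= threshold failures inside any window_seconds span."""
    per_ip = defaultdict(list)
    for ts, ip in parse_failures(text):
        per_ip[ip].append(ts)
    hits = set()
    for ip, stamps in per_ip.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            # slide the window start forward until the span fits in window_seconds
            while (ts - stamps[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                hits.add(ip)
                break
    return hits
```

Run every few minutes over the tail of the auth log, the returned addresses are what a script would hand to the firewall; a real job also needs an expiry so entries do not accumulate forever.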