On Fri, 13 Jan 2006 12:15, you wrote:

> The first thing I'd do is to reboot your router... get a new IP address!

I have the same problem, but I am on cable and have a fixed IP.

> Then I'd take Jim's recommendations about ssh ( openssh version 4 is now
> freely available if your distro doesn't offer it yet, btw ), although I
> still like using passwords. Creating a couple of users with random
> passwords

Indeed. I have port 22 open and forwarded to my server. I have two external users with strong passwords, and one automated login with an ssh key.

> However, I wouldn't implement any IP address barring strategy, as it
> makes you look like you've got something to hide, which will make them
> try harder. There's even a case for having a dmz running on port 22, and
> let them play, find there's nothing of use, and give up.

Hmm. Nice idea, but once they get into the DMZ they are on your network and could get to other machines inside your network. (If not, why not?)

> If you reboot your router on a regular basis ( we have power problems in
> DH, and I'm tempted to leave it off the UPS so I don't have to remember
> this ), then the problem gets more random ( ie they can't make a
> concerted attack ), which is probably the safest way.

Depends if you have a fixed IP, or if the dhcp server you are connected to likes to issue the same IP to you every time.

> The last suggestion I could make is to drop ssh altogether ( or just let
> it answer but never succeed to log in ), and implement an openvpn
> solution instead.

I think you end up with the same problem. You still have a way of getting in from the outside, and therefore someone will try and exploit it.

Whilst I am typing this, Volker's reply has come in. I think he's pretty much covered it. I'd like to second the suggestion of port knocking, i.e. port 22 stays closed until certain other ports have been visited in a certain order.

In answer to your original question "How can I spot this earlier?", you can't. You just need to be aware that if you are connected to the internet and have a port open then someone (or some 'bot) will have a go.

Andy
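The port-knocking scheme Andy seconds, worked through as an added example that is not part of this thread and not code from any project mentioned in it. It is a small defender-side state machine in Python: it replays constructed firewall-drop events (the `t=... src=... dpt=...` line format is invented for the example, not real iptables log syntax), tracks per-source progress through an assumed knock sequence, resets on a wrong or late knock, and only then marks port 22 as open for that source for a limited time. The port numbers, window and open duration are assumptions chosen for illustration.

```python
"""Defender-side port-knocking state machine (illustrative example)."""
import re
from dataclasses import dataclass

# Assumed knock sequence: deliberately non-monotonic, so a simple
# ascending port sweep cannot complete it by accident.
KNOCK_SEQUENCE = (7000, 9000, 8000)
KNOCK_WINDOW = 10.0     # seconds allowed to finish the whole sequence
OPEN_DURATION = 30.0    # seconds port 22 stays open for a source that knocked

# Constructed, simplified event format: time, source address, destination port.
LOG_RE = re.compile(r"t=(?P<t>[\d.]+) src=(?P<src>[\d.]+) dpt=(?P<dpt>\d+)")


@dataclass
class KnockState:
    stage: int = 0        # how many knocks of the sequence have been seen in order
    started: float = 0.0  # time of the first correct knock


class Knockd:
    def __init__(self, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW, open_for=OPEN_DURATION):
        self.sequence = tuple(sequence)
        self.window = window
        self.open_for = open_for
        self.states = {}   # src -> KnockState for partially completed sequences
        self.opened = {}   # src -> time at which its port-22 access expires

    def observe(self, t, src, dport):
        """Feed one dropped-packet event; return True if src just completed the sequence."""
        st = self.states.get(src, KnockState())
        # A partial sequence that took longer than the window starts over.
        if st.stage and t - st.started > self.window:
            st = KnockState()
        if dport == self.sequence[st.stage]:
            if st.stage == 0:
                st.started = t
            st.stage += 1
            if st.stage == len(self.sequence):
                self.states.pop(src, None)
                self.opened[src] = t + self.open_for
                return True
            self.states[src] = st
            return False
        # Wrong port: reset; a hit on the first knock port restarts the sequence from there.
        if dport == self.sequence[0]:
            self.states[src] = KnockState(stage=1, started=t)
        else:
            self.states.pop(src, None)
        return False

    def ssh_allowed(self, t, src):
        """Would a connection to port 22 from src at time t be accepted?"""
        expiry = self.opened.get(src)
        if expiry is None:
            return False
        if t > expiry:
            del self.opened[src]   # access has lapsed; require a fresh knock
            return False
        return True


def replay(lines, knockd=None):
    """Replay constructed drop events; return the daemon and (src, time) of each successful knock."""
    knockd = knockd or Knockd()
    opened_at = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        t, src, dpt = float(m["t"]), m["src"], int(m["dpt"])
        if knockd.observe(t, src, dpt):
            opened_at.append((src, t))
    return knockd, opened_at


# Constructed sample events (documentation-range addresses, not real hosts).
SAMPLE_LOG = [
    "t=100.0 src=203.0.113.5 dpt=7000",   # correct sequence, completed in 2 seconds
    "t=101.0 src=203.0.113.5 dpt=9000",
    "t=102.0 src=203.0.113.5 dpt=8000",
    "t=103.0 src=198.51.100.9 dpt=7000",  # right ports, wrong order: reset
    "t=104.0 src=198.51.100.9 dpt=8000",
    "t=105.0 src=198.51.100.9 dpt=9000",
    "t=110.0 src=192.0.2.77 dpt=7000",    # right order but too slow: window expired
    "t=125.0 src=192.0.2.77 dpt=9000",
    "t=126.0 src=192.0.2.77 dpt=8000",
]

if __name__ == "__main__":
    daemon, opened = replay(SAMPLE_LOG)
    print("successful knocks:", opened)
    for src in ("203.0.113.5", "198.51.100.9", "192.0.2.77"):
        print(src, "ssh allowed at t=110:", daemon.ssh_allowed(110.0, src))
```

Only the first source gets port 22 opened, and only until its window lapses; the out-of-order and too-slow attempts leave the port closed. In a real deployment the same logic sits behind a firewall rule that logs or counts hits on the knock ports and inserts a time-limited accept rule for the knocking source; the state machine is the part worth getting right, because a sequence that can be completed by an ordinary port sweep, or that never expires, gives back what port knocking was meant to hide.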
