At 03:57 PM 11/11/2005, Joachim Schipper wrote:
On Fri, Nov 11, 2005 at 04:44:46PM -0500, stan wrote:
> I've got a machine that seems to be getting attacked by what appears to be a
> simplistic "brute force" attack. It's getting hit multiple times a second
> with bogus root login attempts, my guess is that they are trying dictionary
> attacks on the password for root.
>
> Any suggestions as to how to deal with this? Change the port ssh is
> listening on maybe?
PermitRootLogin no?
AllowUsers me?
AllowGroups ssh-users?
PasswordAuthentication no?
Port XYZ?
# passwd?
or maybe something like this (untested):
If you're running pf:
First add a line to create a persistent table:
table <attackers> persist
and a block rule like this
block in quick from <attackers>
then add a rule like this....
pass in quick on $ext_if proto tcp from any to ($ext_if) port 22 keep state \
    (max-src-conn-rate 3/10, overload <attackers> flush)
Basically it says if an IP tries to connect more than 3 times in 10 seconds,
add them to the attackers table, which is blocked of course.
-JD
--
J.D. Bronson
Information Services
West Allis Memorial Hospital
Aurora Health Care - Milwaukee, Wisconsin
Office: 414.978.8282 // Fax: 414.977.5299
Microsoft Gives you Windows || Unix Gives you a home
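
The behaviour described in the message above, as an added Python model that is not part of the original post and is not pf's own code: it replays constructed connection events against a "more than 3 connections in 10 seconds" limit and a persistent block set. The sliding window is a simplifying assumption (pf's internal rate accounting may differ), and the addresses and timestamps are constructed sample data.

```python
from collections import defaultdict, deque

LIMIT, WINDOW = 3, 10   # taken from the rule: max-src-conn-rate 3/10


def simulate(events, limit=LIMIT, window=WINDOW):
    """Replay (seconds, source_ip) connection attempts to port 22, in time order.

    Returns (decisions, attackers): decisions is a list of
    (seconds, source_ip, "pass" | "block"); attackers is the final block set.
    """
    recent = defaultdict(deque)   # per-source timestamps inside the window
    attackers = set()             # stands in for: table <attackers> persist
    decisions = []
    for ts, ip in events:
        if ip in attackers:       # block in quick from <attackers>
            decisions.append((ts, ip, "block"))
            continue
        q = recent[ip]
        while q and ts - q[0] >= window:   # forget attempts older than the window
            q.popleft()
        q.append(ts)
        if len(q) > limit:        # overload <attackers>: source exceeded 3/10
            attackers.add(ip)
            del recent[ip]        # rough analogue of "flush" dropping its states
            decisions.append((ts, ip, "block"))
        else:
            decisions.append((ts, ip, "pass"))
    return decisions, attackers


# Constructed sample: one source hammering port 22 several times a second,
# one user reconnecting every 30 seconds.
SAMPLE = sorted(
    [(t, "203.0.113.5") for t in (0, 0, 1, 1, 2, 500)]
    + [(t, "198.51.100.7") for t in (0, 30, 60, 90)]
)

if __name__ == "__main__":
    decisions, attackers = simulate(SAMPLE)
    for ts, ip, verdict in decisions:
        print(f"t={ts:>3}s {ip:<14} {verdict}")
    print("attackers table:", sorted(attackers))
```

The table has no expiry in this model, so the attempt at t=500 is still blocked; the same holds for any legitimate client that reconnects more than 3 times within 10 seconds.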