[Intrusions] brute force attack - tcp wrappers and iptables not helping?
Chris Brenton
cbrenton at chrisbrenton.org
Wed Apr 27 19:37:47 GMT 2005
On Fri, 2005-04-22 at 19:30, dk wrote:
>
> Merton Campbell Crockett wrote:
> > For the last year, there have been continual probes for open ssh ports.
> > They have not been subtle. It is not unusual to see several hundred
> > different root passwords being attempted on a single pass.
>
> Ditto here. I have a collection of 100 or so IPs (quiet subnet I guess)
> I've blocked in the last months. As I only allow certain users (only
> with keys) to log in, it is a fairly easy script to suck out the
> offenders from the logs and block them via iptables... Which I've done
> with success.
I used to do this, but don't bother anymore. As others have chimed in,
just change the listening port to something else (maybe in the
20000-30000 range) and be done with it. I did this about a year ago and
have seen _zero_ brute force attacks. Yes the server still needs to be
patched, and yes you still want to use good authentication. With such an
easy fix (assuming you can change legit clients to target the new port),
why bother dealing with the overhead involved with these attacks?
HTH,
Chris
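
Added example, not part of the original message or of either poster's scripts: a sketch of the log-to-iptables approach described in the quoted text, assuming the stock OpenSSH "Failed password ... from ADDR port N ssh2" syslog format. The function names, threshold, allowlist and sample lines are constructed for illustration. It shows the check a naive version misses: the username in the log line is attacker-controlled, so only the last "from ADDR port N" on the line is trusted.

```python
import ipaddress
import re
from collections import Counter

# Anchored at end of line: a login name may itself contain " from <ip>",
# so the greedy .* swallows it and only the final address is captured.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?.* "
    r"from (?P<ip>\S+) port \d+(?: ssh\d?)?\s*$"
)

# Constructed sample lines using documentation address ranges.
SAMPLE_LOG = """\
Apr 22 19:01:02 host sshd[411]: Failed password for root from 203.0.113.7 port 4021 ssh2
Apr 22 19:01:04 host sshd[412]: Failed password for root from 203.0.113.7 port 4022 ssh2
Apr 22 19:01:06 host sshd[413]: Failed password for invalid user admin from 203.0.113.7 port 4023 ssh2
Apr 22 19:02:10 host sshd[420]: Failed password for invalid user x from 192.0.2.10 from 198.51.100.9 port 5000 ssh2
Apr 22 19:03:00 host sshd[430]: Failed password for alice from 192.0.2.10 port 6000 ssh2
Apr 22 19:04:00 host sshd[440]: Accepted publickey for alice from 192.0.2.10 port 6001 ssh2
"""

def offenders(log_text, threshold=3, allow=()):
    """Return {ip: failures} for sources at or above threshold, minus allow."""
    allowed = {ipaddress.IPv4Address(a) for a in allow}
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.IPv4Address(m.group("ip"))
        except ValueError:
            continue  # hostname or junk: never hand it to a firewall command
        if ip not in allowed:  # allowlist guards against locking yourself out
            counts[ip] += 1
    return {str(ip): n for ip, n in counts.items() if n >= threshold}

def iptables_rules(hits, port=22):
    """Render DROP rules for review; nothing is executed here."""
    return [f"iptables -A INPUT -s {ip} -p tcp --dport {port} -j DROP"
            for ip in sorted(hits)]

if __name__ == "__main__":
    for rule in iptables_rules(offenders(SAMPLE_LOG, allow=["192.0.2.10"])):
        print(rule)
```

The fourth sample line carries a login name of "x from 192.0.2.10"; a parser that takes the first "from" would count the failure against 192.0.2.10 instead of the real source.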