On Sunday, 10.07.2005 at 17:06 -0400, Craig Russell wrote:
> >I'm receiving a few hundred failed ssh login attempts per day. I'm
> >not worried about it, since they appear automated and ssh is locked
> >down appropriately. I'd like to be able to IP ban these connections
> >after a set number of failed login attempts. I'd rather not put ssh
> >on a nonstandard port since I'd need to specify it on the cli every
> >time I ssh (right?). Does anyone have any insight into how I might
> >go about achieving this?
>
> You could also investigate 'port knocking.' Basically what this
> means is that you stop the sshd entirely and you have another process
> running that waits for a specific group of connections and then it
> spawns the sshd daemon and allows connection from the ip address that
> 'knocked.' The knock doesn't give any kind of response other than
> enabling ssh for the ip address so anyone scanning the machine will
> simply get dropped connections for those ports. I am having a similar
> issue to yours and I believe port knocking to be a viable solution,
> just haven't had the time to implement it.
This is correct, except that typically the sshd is always running, just
firewalled-off from the world. The correct 'knock' opens up the ssh port
to the knocking IP ...

Dave.

-- 
Please don't CC me on list messages!
...
Dave Ewart - [EMAIL PROTECTED] - jabber: [EMAIL PROTECTED]
All email from me is now digitally signed, key from http://www.sungate.co.uk/
Fingerprint: AEC5 9360 0A35 7F66 66E9 82E4 9E10 6769 CD28 DA92
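The arrangement Dave describes (sshd always listening, port 22 dropped for everyone, an ACCEPT for the knocking IP inserted once the right sequence of connection attempts arrives) as an added worked example. This is illustration code written for this page, not code from the thread or from any of its posters. It assumes a knock sequence of TCP 7000, 9000, 8000, a 10-second window to finish the sequence, netfilter LOG lines carrying the prefix `KNOCK: ` in the kernel log, and the sample log lines embedded below, which are constructed (documentation IP ranges) rather than captured from a real host.

```python
"""Port-knock daemon logic: watch netfilter LOG lines for the knock sequence
and, when a source completes it, emit the iptables rule that admits that IP
to the (already running, but firewalled) sshd."""
import re
import time

# Assumed configuration (not from the thread): knock ports, time allowed to
# complete the sequence, and the sshd port being protected.
KNOCK_SEQUENCE = (7000, 9000, 8000)  # non-monotonic, so an ascending port scan won't match
KNOCK_WINDOW = 10.0                  # seconds
SSH_PORT = 22

# Netfilter LOG layout: "... SRC=a.b.c.d DST=... PROTO=TCP SPT=n DPT=m ..."
LOG_RE = re.compile(r"SRC=(?P<src>[\d.]+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+)")

# Constructed sample kernel log: a correct knock, an ascending scan that hits
# all three ports, a knock that takes too long, and an unrelated sshd line.
SAMPLE_LOG = """\
Jul 10 17:06:01 bastion kernel: KNOCK: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=50001 DPT=7000 SYN
Jul 10 17:06:02 bastion kernel: KNOCK: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=50002 DPT=9000 SYN
Jul 10 17:06:03 bastion kernel: KNOCK: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=50003 DPT=8000 SYN
Jul 10 17:07:00 bastion kernel: KNOCK: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.5 PROTO=TCP SPT=40000 DPT=7000 SYN
Jul 10 17:07:00 bastion kernel: KNOCK: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.5 PROTO=TCP SPT=40000 DPT=8000 SYN
Jul 10 17:07:01 bastion kernel: KNOCK: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.5 PROTO=TCP SPT=40000 DPT=9000 SYN
Jul 10 17:08:00 bastion kernel: KNOCK: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.5 PROTO=TCP SPT=51000 DPT=7000 SYN
Jul 10 17:08:03 bastion kernel: KNOCK: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.5 PROTO=TCP SPT=51001 DPT=9000 SYN
Jul 10 17:08:30 bastion kernel: KNOCK: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.5 PROTO=TCP SPT=51002 DPT=8000 SYN
Jul 10 17:09:00 bastion sshd[1234]: Failed password for invalid user admin from 198.51.100.77 port 40001 ssh2
""".splitlines()


def parse_knock_log_line(line):
    """Return (src_ip, dst_port) for a TCP netfilter LOG line, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m.group("src"), int(m.group("dpt"))


def syslog_seconds(line):
    """Seconds since the start of the year from a 'Mon DD HH:MM:SS' syslog
    prefix (the prefix has no year, so this wraps at New Year)."""
    t = time.strptime(line[:15], "%b %d %H:%M:%S")
    return t.tm_yday * 86400 + t.tm_hour * 3600 + t.tm_min * 60 + t.tm_sec


class KnockTracker:
    """Per-source progress through the knock sequence."""

    def __init__(self, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW):
        self.sequence = tuple(sequence)
        self.window = window
        self.progress = {}  # ip -> (index of next expected knock, time of first knock)

    def observe(self, ip, port, now):
        """Record one connection attempt; True when ip has completed the sequence."""
        idx, started = self.progress.get(ip, (0, now))
        if idx > 0 and now - started > self.window:
            idx = 0  # too slow: the partial sequence expires
        if port == self.sequence[idx]:
            if idx == 0:
                started = now
            idx += 1
            if idx == len(self.sequence):
                self.progress.pop(ip, None)
                return True
            self.progress[ip] = (idx, started)
            return False
        # Any out-of-order port breaks the sequence; a hit on the first knock port restarts it.
        if port == self.sequence[0]:
            self.progress[ip] = (1, now)
        else:
            self.progress.pop(ip, None)
        return False


def baseline_rules(sequence=KNOCK_SEQUENCE, ssh_port=SSH_PORT):
    """Closed state: knocks are logged then dropped (no reply to a scanner),
    and port 22 is dropped for everyone while sshd keeps listening."""
    ports = ",".join(str(p) for p in sequence)
    return [
        ["iptables", "-A", "INPUT", "-p", "tcp", "-m", "multiport", "--dports", ports,
         "-j", "LOG", "--log-prefix", "KNOCK: "],
        ["iptables", "-A", "INPUT", "-p", "tcp", "-m", "multiport", "--dports", ports, "-j", "DROP"],
        ["iptables", "-A", "INPUT", "-p", "tcp", "--dport", str(ssh_port), "-j", "DROP"],
    ]


def open_rule(ip, ssh_port=SSH_PORT):
    """Rule inserted at the head of INPUT for a successful knocker, so its
    ACCEPT is evaluated before the blanket DROP on the ssh port."""
    return ["iptables", "-I", "INPUT", "-p", "tcp", "-s", ip, "--dport", str(ssh_port), "-j", "ACCEPT"]


def process_log(lines, tracker, apply_rule=None):
    """Feed syslog lines through the tracker. Returns the IPs that completed the
    sequence, in order; apply_rule, if given, receives each iptables command
    (e.g. lambda cmd: subprocess.run(cmd, check=True) on the real host)."""
    opened = []
    for line in lines:
        parsed = parse_knock_log_line(line)
        if parsed is None:
            continue
        ip, port = parsed
        if tracker.observe(ip, port, syslog_seconds(line)):
            opened.append(ip)
            if apply_rule is not None:
                apply_rule(open_rule(ip))
    return opened


if __name__ == "__main__":
    for cmd in baseline_rules():
        print("setup:", " ".join(cmd))
    granted = process_log(SAMPLE_LOG, KnockTracker(),
                          apply_rule=lambda cmd: print("run:", " ".join(cmd)))
    print("opened ssh for:", granted)
```

Run against the sample log, only 203.0.113.7 gets the ACCEPT: the scanner hits the three ports in ascending order and so never matches the non-monotonic sequence, and 192.0.2.9 exceeds the window. Two caveats a practitioner would add: the ACCEPT should be removed again after a timeout or on session end (not shown here), and the knock itself travels in the clear and can be replayed by anyone who can see the traffic, so this hides sshd from scanners but does not replace key-based authentication and a locked-down sshd_config.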