On Mon, Oct 03, 2005 at 04:54:14PM +0100, Jon Dowland wrote:
> On Mon, Oct 03, 2005 at 10:14:58AM -0500, Steve Block wrote:
> > I looked at my logs and found that every one of these attacks used
> > password authentication when trying to authenticate to the server.
> > This gave me the idea that I could disable password authentication
> > while leaving the keyboard-interactive (through pam) and public key
> > based systems active.
> >
> > Am I right in assuming that the password based scripted login attempts
> > will fail even if they somehow (heaven forbid) guess a valid password?
> > Is there an easy way to test this?
>
> Are you still getting a long list of dictionary attack attempts in your
> logs?

Good question. I looked at the logwatch analysis from before I made the
change and after. Before I made the change the list of failed or illegal
login attempts were reported as one of

    faileduser/password from ip.addr.

or

    faileduser/none from ip.addr.

From the logs I've looked at after I changed my SSH configuration, I now
only see the latter, perhaps because the password authentication method
is no longer available.

So does this seem like a viable way to avoid the current generation of
SSH attacks? Of course nothing is bulletproof but am I actually more
secure than before?

--
Steve Block
http://ev-15.com/
http://steveblock.com/
[EMAIL PROTECTED]
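
One way to check the setup discussed in this thread, as an added example that is not part of the original messages: a shell function that reads the effective sshd configuration and reports which methods can still take a typed password. It assumes upstream OpenSSH defaults for absent keywords and a PAM stack that prompts for the account password; the function name `audit_sshd_auth` and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list which sshd authentication methods
# can still accept a typed password. Reads `sshd -T` output or sshd_config-style
# text on stdin. Returns 1 if any password-capable method remains, else 0.
audit_sshd_auth() {
    awk '
        function get(k, d) { return (k in cfg) ? cfg[k] : d }
        NF == 0 || $1 ~ /^#/ { next }            # skip blank lines and comments
        {
            key = tolower($1)
            if (!(key in cfg)) cfg[key] = tolower($2)   # sshd keeps the first value
        }
        END {
            # Assumption: upstream OpenSSH defaults apply to absent keywords.
            pw  = get("passwordauthentication", "yes")
            # ChallengeResponseAuthentication is the older name of this option.
            kbd = get("kbdinteractiveauthentication", get("challengeresponseauthentication", "yes"))
            pam = get("usepam", "no")
            pub = get("pubkeyauthentication", "yes")
            risky = 0
            printf "password: %s\n", pw
            if (pw == "yes") risky++
            # Assumption: the PAM stack for sshd asks for the account password.
            if (kbd == "yes" && pam == "yes") {
                print "keyboard-interactive: yes (PAM can prompt for a password)"
                risky++
            } else {
                print "keyboard-interactive: no password prompt"
            }
            printf "publickey: %s\n", pub
            exit (risky > 0)
        }'
}

# Constructed sample matching the setup described in the post.
printf '%s\n' 'PasswordAuthentication no' 'ChallengeResponseAuthentication yes' \
    'UsePAM yes' | audit_sshd_auth || true
```

On a live host the input would come from `sshd -T | audit_sshd_auth`, run as root so the effective configuration can be read.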