On Fri, 2005-11-04 at 12:16 +0100, Thomas wrote:
> Hello there,
>
> recently, I can often see brute force attacks in my ssh logfile.
> A friend of mine, who has the same ISP, gets the same bruteforce attacks.
>
> What would be an adequate reaction to repeated ssh bruteforce attacks?
>
> Should I contact the owner of the attacker's IP address?
> Should I do something else?

Not much you can do about the probes-- they will happen, and blocking them on a case by case basis is futile. Some things that will help:

 * firewall and/or use tcp wrappers (man hosts_access) so only certain hosts can connect
 * change the port ssh listens on (yes, obfuscation is not real security, but these are scripted attacks which don't check other ports-- will *greatly* reduce the number of attempts-- and you'll know that if you get a probe on that port, the attacker probably is serious (i.e. it may not be a scripted attack, but rather a directed attack))
 * disable password authentication and use keys exclusively
 * disable root logins entirely

see 'man sshd_config' for how to do the last three

-- 
James Strandboge [EMAIL PROTECTED]
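
A way to check a config file for the last three items above, as an added example that is not part of the original message. The function name, finding strings and sample configs are made up for illustration; it assumes current OpenSSH defaults for absent keywords and does not follow Include directives.

```python
import re

# keyword, then whitespace or a single '=', then the argument(s)
LINE = re.compile(r"(\w+)(?:\s*=\s*|\s+)(.+)")
# Assumed defaults for absent keywords (current OpenSSH; older releases
# defaulted PermitRootLogin to "yes").
DEFAULTS = {"passwordauthentication": "yes", "permitrootlogin": "prohibit-password"}
# Values the advice above asks for: no passwords, no root logins at all.
WANTED = {"passwordauthentication": "no", "permitrootlogin": "no"}

def audit(text):
    """Return findings (strings) for the three settings in sshd_config text."""
    effective, ports, findings, match = dict(DEFAULTS), [], [], None
    seen = set()
    for n, raw in enumerate(text.splitlines(), 1):
        m = LINE.match(raw.strip())      # comments and blank lines do not match
        if not m:
            continue
        key, rest = m.group(1).lower(), m.group(2)
        val = rest.split()[0].lower()
        if key == "match":               # everything below is conditional
            match = rest
        elif match is not None:          # weak value re-enabled for some logins
            if key in WANTED and val != WANTED[key]:
                findings.append(f"line {n}: {key} {val} inside 'Match {match}'")
        elif key == "port":
            ports.append(val)            # Port may be given several times
        elif key in WANTED and key not in seen:
            seen.add(key)                # sshd uses the first value it reads
            effective[key] = val
    if "22" in (ports or ["22"]):
        findings.append("sshd listens on the default port 22")
    for key, want in WANTED.items():
        if effective[key] != want:
            findings.append(f"global {key} is {effective[key]}, expected {want}")
    return findings

# Constructed samples, not taken from the original message.
WEAK = """\
Port 22
PermitRootLogin no
PermitRootLogin yes
passwordauthentication=no
Match User backup
    PasswordAuthentication yes
"""
HARDENED = "Port 2222\nPermitRootLogin no\nPasswordAuthentication no\n"

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit(cfg) or "no findings")
```

On a live host, 'sshd -T' prints the effective configuration after Include and default handling, which is the authoritative check; the parser above is for reviewing a file offline.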