[SoCoSA/discuss] blocking brute force attacks

Trevor Benson tbenson at a-1networks.com
Thu Nov 29 09:01:09 PST 2007


If you don't need open SSH access to the server from anywhere, I would suggest creating a management group of IPs and using that in iptables to make an allow ssh rule, then deny from all other IPs.  If you cannot do a management group, the other article with recent and timed connections is a really good way to limit the number of brute force attacks; however, you will likely still get large amounts of logs with ssh attempts, just not as many as a totally public host.

Trevor

> -----Original Message-----
> From: discuss-bounces at socosa.org [mailto:discuss-bounces at socosa.org] On
> Behalf Of Sean
> Sent: Wednesday, November 28, 2007 11:44 PM
> To: 'discuss at socosa.org'
> Subject: [SoCoSA/discuss] blocking brute force attacks
> 
> I'm new to this group, and I'm hoping to meet other members at the next
> meeting.
> 
> I'm still feeling my way a bit regarding the finer points of Linux
> security (Debian Etch in my case), and I'm hoping that some of you can
> point me in a good direction on this.
> 
> My public IP servers periodically get attacked via brute force login
> attempts (FTP and SSH). I've attempted to solve this in the past using
> hosts.deny, but it ended up causing too many unwanted positives and
> was somewhat difficult to unblock an IP. Would you mind sharing with
> me what you've found to be effective? It's obviously hard to
> impossible to block non-US IPs from connecting via ftp or ssh, as I
> couldn't find anything on this other than what turned into a two-way
> flame war.
> 
> If any of you have suggestions, or links I can read, I'd appreciate
> it. If you think hosts.deny would be a good option, I can always
> re-visit it and take another look at the configuration options.
> 
> Thank you!
> 
> 
> Sean
> 
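
The two approaches from the reply above (a management allowlist, or the "recent" match for everyone else), as an added example that is not part of the original thread. The chain name SSH_IN, list name ssh_bf, port 22, the 4-hits-in-60-seconds threshold and the documentation-range addresses are all assumptions.

```shell
# Added example: prints an iptables-restore ruleset; it changes nothing itself.
# Chain/list names, port and thresholds are assumptions, not from the thread.
SSH_PORT=22
HITS=4      # assumed: 4th new connection inside WINDOW seconds gets dropped
WINDOW=60

# valid_cidr ADDR: true only for dotted-quad IPv4 with an optional /0-32 prefix
valid_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' || return 1
    case $1 in */*) [ "${1#*/}" -le 32 ] || return 1 ;; esac
    for octet in $(printf '%s' "${1%/*}" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

# ssh_rules MODE [CIDR...]
#   allowlist: management CIDRs accepted, every other source dropped
#   ratelimit: management CIDRs accepted, other sources throttled by -m recent
ssh_rules() {
    mode=${1:-}; [ $# -gt 0 ] && shift
    case $mode in
        allowlist|ratelimit) ;;
        *) echo "unknown mode: $mode" >&2; return 2 ;;
    esac
    if [ "$mode" = allowlist ] && [ $# -eq 0 ]; then
        echo "allowlist with no management CIDR would lock out all SSH" >&2
        return 2
    fi
    # Validate everything first so a bad entry never yields a partial ruleset.
    for cidr in "$@"; do
        valid_cidr "$cidr" || { echo "bad CIDR: $cidr" >&2; return 2; }
    done
    printf '%s\n' '*filter' ':SSH_IN - [0:0]'
    printf '%s\n' "-A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j SSH_IN"
    for cidr in "$@"; do
        printf '%s\n' "-A SSH_IN -s $cidr -j ACCEPT"
    done
    if [ "$mode" = ratelimit ]; then
        printf '%s\n' '-A SSH_IN -m recent --name ssh_bf --set'
        printf '%s\n' "-A SSH_IN -m recent --name ssh_bf --update --seconds $WINDOW --hitcount $HITS -j DROP"
        printf '%s\n' '-A SSH_IN -j ACCEPT'
    else
        printf '%s\n' '-A SSH_IN -j DROP'
    fi
    printf '%s\n' 'COMMIT'
}
# Usage (as root): ssh_rules allowlist 192.0.2.0/24 | iptables-restore --noflush
```

Run the output through `iptables-restore --test --noflush` before loading it. The jump is appended to INPUT, so an earlier rule that already accepts port 22 takes precedence over it.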


