[SoCoSA/discuss] blocking brute force attacks

E Frank Ball III frankb at frankb.us
Thu Nov 29 11:41:41 PST 2007


On Wed, Nov 28, 2007 at 11:44:14PM -0800, Sean wrote:
 > 
 > My public IP servers periodically get attacked via brute force login
 > attempts (FTP and SSH). I've attempted to solve this in the past using
 > hosts.deny, but it ended up causing too many unwanted positives and
 > was somewhat difficult to unblock an IP. Would you mind sharing with
 > me what you've found to be effective? It's obviously hard to
 > impossible to block non-us IPs from connecting via ftp or ssh, as I
 > couldn't find anything on this other than what turned into a two-way
 > flame war.

You've had a lot of good suggestions.  I use a combination of them:

Use a non-standard port.  This is highly effective.  I use ports in the
9XX range.  I let ssh run on port 22 and translate this in my firewall,
so inside the firewall things are all normal.

If possible require ssh key pairs.  This is highly effective, but not
always practical.

Use "denyhosts" to block repeated failed attempts.

You can block a good subset of non-US/Canada IPs in hosts.deny; it isn't
100%, but it's a big percentage:

# APNIC
sshd: 58. 59. 60. 61. 116.0.0.0/6 120.0.0.0/6 124. 125. 126. 202. 203. 210. 211. 218. 219. 220. 221. 222.

# LACNIC, afriNIC
sshd: 186. 187. 189. 190. 200. 201. 41. 196.

# RIPE 80.0.0.0/4 = 80. thru 95.
sshd: 62. 77. 78. 79. 80.0.0.0/4 193. 194. 195. 212. 213. 217.


In the sshd_config file you can restrict users and IP addresses with the
AllowUsers line.


-- 

   E Frank Ball                frankb at frankb.us
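Added example (not part of Frank's message): a small Python checker that reads hosts.deny-style sshd lines in the layout above, where a trailing-dot pattern such as 58. is a leading-octet prefix and 80.0.0.0/4 or 200.0.0.0/255.0.0.0 is a network, and reports which pattern, if any, would deny a given address. Running it over the addresses you must keep reachable shows in advance which ones the list would lock out, which is the "unwanted positives" problem Sean describes. The file contents and addresses below are constructed samples, and the function names are chosen here.

```python
import ipaddress

# Constructed sample in the hosts.deny layout from the post (not the real file).
SAMPLE_HOSTS_DENY = """\
# APNIC
sshd: 58. 59. 60. 61. 116.0.0.0/6 120.0.0.0/6 124. 125. 126. 202. 203.
# RIPE 80.0.0.0/4 = 80. thru 95.
sshd: 62. 77. 78. 79. 80.0.0.0/4 193. 194. 195. 212. 213. 217.
# net/mask form, also accepted by hosts_access
sshd: 200.0.0.0/255.0.0.0
"""

def parse_patterns(text, daemon="sshd"):
    """Collect the client patterns listed for `daemon`; '#' comments are skipped."""
    patterns = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, _, clients = line.partition(":")
        if daemon in [d.strip() for d in daemons.split(",")]:
            patterns.extend(clients.split())
    return patterns

def pattern_matches(pattern, ip):
    """hosts_access forms used in the post: 'n.' is a leading-octet prefix,
    'a.b.c.d/m' or 'a.b.c.d/m.m.m.m' is a network; anything else is an exact host."""
    if "/" in pattern:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):
        return ip.startswith(pattern)
    return ip == pattern

def first_denying_pattern(ip, patterns):
    """Return the first pattern that would deny `ip`, or None if it gets through."""
    for p in patterns:
        if pattern_matches(p, ip):
            return p
    return None

def unwanted_denials(own_addresses, patterns):
    """Map each address that must stay reachable to the pattern that would block it."""
    hits = {ip: first_denying_pattern(ip, patterns) for ip in own_addresses}
    return {ip: p for ip, p in hits.items() if p is not None}
```

Feed unwanted_denials the addresses of your own offices, home connections and monitoring hosts; an empty result means the deny list will not lock them out.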


