[Tfug] Stopping repeated login attempts

Jeff Breadner jeff at breadner.ca
Thu Jan 28 10:34:07 MST 2010


Glen Pfeiffer wrote:
> On 28 Jan 2010, Jon wrote:
>   
>> On 28 Jan 2010, John Gruenenfelder wrote:
>>     
>>> I second the use of DenyHosts.  I'm using it on all of my 
>>> machines with Net exposed SSH access.  It is very fast and 
>>> easy to set up and it works wonders against brute force 
>>> attacks and will stop them in very short order.
>>>
>>>       
> [snip]
>   
>> No, no, no. According to some experts on this list you just 
>> change the port number and your problem is solved. Why would 
>> you want to *actually* fix the problem when you can just 
>> "move" the problem hoping no one finds it again?
>>     
>
> I actually haven't heard anyone recommend that changing the port 
> is the only thing that should be done. Did I miss that? Or did 
> you misunderstand?
>
>   

That was pretty much the only recommendation that I made in an early 
email.  I didn't intend for anyone to think that it was the whole 
solution.  It's the only action I've taken because I have an 
uninteresting site that probably won't be singled out for attack, and 
the consequences of failure are low.  Your reaction should vary 
depending on a) how much time & effort it would cost to fix things 
should you get hacked, b) how sensitive the information being held 
behind this SSH login is, c) how high-profile a target you are, and d) how 
much time and expertise you're able to spend locking things down.

There have been some great suggestions given here that I was unaware of. 
If something like DenyHosts is easy to set up & implement then I'll 
probably install it.

Moving ports will not defend against you being singled out by a 
moderately sophisticated attacker, but for me it does stem the tide of 
all the "script kiddie" style unsophisticated attacks that tend to do 
nothing but eat up log space.

cheers
  Jeff



