my server is being hit by an ever increasing number of brute force attacks via ssh (at least 20 a day…that might not seem like a lot for some of you but it’s plenty for my wee machine that’s connected with a domestic adsl line)…check /var/log/secure and /var/log/messages for connect attempts.
the best way to deal with this? well obviously don’t allow root to login over ssh, allow connections using ssh2 only and of course use strong passwords. you could change the default port from 22 to something else too. there are other, more restrictive, methods but i won’t go into them here.
my favoured solution? denyhosts. been running it for 5 years or so…it monitors your logs and blocks ip addresses based on rules that you can tweak to suit your needs. it can also sync your hosts.deny file with a list of known attackers thus not even giving them the chance to connect. genius.

on a debian-based system (i’m running debian 5) it can be installed with

    apt-get install denyhosts

it can then be configured using your favourite editor

    joe /etc/denyhosts.conf

see the denyhosts faq for options. after that it basically takes care of itself…you can, however, set it to email you every time a new host is blocked…set this up and watch the ip addresses roll in…
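to make the "monitors your logs and blocks ip addresses based on rules" part concrete, here is a small python sketch of that idea. it is an added example, not denyhosts' own code: the thresholds, function names and sample log lines are assumptions made up for illustration, with separate limits for root, invalid and valid users in the spirit of denyhosts' per-class rules.

```python
import re
from collections import defaultdict

# failures allowed per class before a host is blocked (assumed values)
THRESHOLDS = {"root": 1, "invalid": 2, "valid": 3}

# usernames are attacker-controlled, so the user group is greedy and the
# pattern is anchored at end of line: only the final "from <ip>" that sshd
# itself wrote is trusted, never an address embedded in the username.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?"
    r"(?P<user>.*) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2\s*$"
)

def classify(match):
    """Bucket a failed login as root, invalid (no such user) or valid."""
    if match.group("invalid"):
        return "invalid"
    return "root" if match.group("user") == "root" else "valid"

def hosts_to_block(lines, thresholds=THRESHOLDS, allowlist=()):
    """Return sorted ips whose failures exceed the threshold for any class."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = FAILED.search(line)
        if m and m.group("ip") not in allowlist:
            counts[m.group("ip")][classify(m)] += 1
    return sorted(ip for ip, per_class in counts.items()
                  if any(n > thresholds[c] for c, n in per_class.items()))

def hosts_deny_entries(ips):
    """Format ips as hosts.deny lines for the sshd service."""
    return [f"sshd: {ip}" for ip in ips]

# constructed sample log (documentation address ranges, not real hosts)
SAMPLE_LOG = """\
Mar  3 10:00:01 box sshd[901]: Failed password for root from 203.0.113.5 port 40001 ssh2
Mar  3 10:00:04 box sshd[902]: Failed password for root from 203.0.113.5 port 40002 ssh2
Mar  3 10:01:10 box sshd[910]: Failed password for invalid user admin from 203.0.113.9 port 5101 ssh2
Mar  3 10:01:12 box sshd[911]: Failed password for invalid user test from 203.0.113.9 port 5102 ssh2
Mar  3 10:01:15 box sshd[912]: Failed password for invalid user oracle from 203.0.113.9 port 5103 ssh2
Mar  3 10:05:00 box sshd[920]: Failed password for bob from 198.51.100.7 port 6001 ssh2
Mar  3 10:05:09 box sshd[921]: Accepted password for bob from 198.51.100.7 port 6002 ssh2
"""

if __name__ == "__main__":
    print("\n".join(hosts_deny_entries(hosts_to_block(SAMPLE_LOG.splitlines()))))
```

the allowlist argument is there so that your own address never ends up in hosts.deny after a few mistyped passwords.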