[conspire] Ongoing dictionary attacks on SSH daemons

Bill Moseley moseley at hank.org
Fri Oct 1 22:29:00 PDT 2004


On Fri, Oct 01, 2004 at 10:27:09AM -0700, Rick Moen wrote:
> Those of you running SSH daemons, be aware that there have been BIG 
> sets of "dictionary attacks" on SSH servers all over the world, going 
> on for the last couple of weeks.

Feels like months.  I'm almost ready to have my logcheck ignore those.

So where are these attacks coming from? I've just assumed they are
owned machines sending out bulk attempts so haven't tried to track
them down.

> You may wish to consider disabling password authentication and using
> only SSH keypairs, as well as restricting which IPs are allowed to
> connect for inbound SSH.

I've disabled only root login.  I'd like to keep password access for
other accounts as I don't always have my private key.  Been thinking
more about port knocking lately.  Every set that up?

> Also worth considering is sshd-sentry:
> http://linuxmafia.com/pub/linux/security/ssh-dictionary-attack-blacklist

Thanks for the link.


-- 
Bill Moseley
moseley at hank.org





More information about the conspire mailing list