Kevin McAllister on 12 Jun 2009 05:14:40 -0700

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] SSH in general

On Jun 12, 2009, at 7:53 AM, Edmond Rodriguez wrote:

Within days someone tried to log on to my machine over 30,000 times in about one hours time.

Most of it automated jiggle the door handle type of scripts.  It's amazing how much you can cut down on this with the simple expedient of using a non-standard port for ssh.

What I found surprising was that ssh by default did not recognized this rapid fire attempt to log on my machine and create some sort of delay between each attempt. 

I guess all the configurations that have been written about recently help prevent such password guessing games.  I guess they eliminate the idea of an unknown machine trying to log on.  If possible at all, do they limit the number of times an unauthorized person can try to log on?

While there are tools that were mentioned on this thread that will null route or use iptables to block this type of stuff sshd does have a configuration item called MaxStartups which is used to limit the number of unauthenticated connections it will allow to be open.  This can limit the impact to a running machine of resources used to reject ssh probes.  

Of course it could work against you to deny your service if there is a probe ongoing and you would like to log in.  But I've been using a pretty aggressive setting for MaxStartups for years and never was unable to log in when I had wanted.  I think the scripts that try rapid dictionary attacks probably are used to being shutdown by those rejection scripts and when they start getting dropped by MaxStartups just move on. 

Kevin McAllister

Philadelphia Linux Users Group         --
Announcements -
General Discussion  --