Rich Kulawiec on 31 May 2019 10:17:58 -0700
Re: [PLUG] Anyone else seeing a surge of SSH attempts from US IPs?
On Sun, May 26, 2019 at 01:59:03PM -0400, Greg Helledy wrote:
> In the past, our servers would get maybe one SSH password attempt a week,
> usually from China or another far-off corner of the internet. We
> automatically block these after a few tries.

Why not pre-emptively block all those "far-off corners" permanently? If you know a priori that zero valid SSH attempts will originate from Chinese IP space, then firewall all of it and drop their TCP connections silently. This is much more effective than waiting for the attacks to come and then reacting after-the-fact.

(Same for other countries. And if the number of countries becomes a majority of all countries, then invert the ruleset and only allow incoming connections from the ones you need to.)

Not only does this keep some of the cruft out of your logs, but it's a form of insurance against the day when an account is compromised. The attackers may be in possession of the (host, username, password) triplet required to access that account, but now their lives are made more difficult because they have to figure out where their connection has to originate. Sure, this is a solvable problem, but unless they're specifically targeting that single account (and most attackers are working at scale with accounts en masse) they're not going to even bother trying.

---rsk

___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
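The country-based SSH policy Rich describes, including the flip from a deny-list to an allow-list once the blocked countries become a majority, as an added example that is not part of the original thread. The per-country CIDRs below are constructed stand-ins for a GeoIP feed, and the emitted nftables fragment (a named set plus a silent `drop` rule) is assumed to be pasted into an existing inet table and input chain.

```python
import ipaddress

# Constructed sample ranges standing in for per-country GeoIP data
# (assumption: a real deployment loads these from a GeoIP database).
COUNTRY_RANGES = {
    "CN": ["203.0.113.0/24", "198.51.100.0/25"],
    "RU": ["192.0.2.0/24"],
    "US": ["198.51.100.128/25"],
}


def build_policy(denied, all_countries=COUNTRY_RANGES):
    """Return (mode, networks) for the SSH policy.

    Deny-list while the denied countries are a minority; once they
    become a majority, invert to an allow-list of the remaining ones,
    exactly as the post suggests.
    """
    denied = set(denied)
    if len(denied) * 2 > len(all_countries):
        mode, countries = "allow", set(all_countries) - denied
    else:
        mode, countries = "deny", denied
    nets = [ipaddress.ip_network(cidr)
            for cc in sorted(countries) for cidr in all_countries[cc]]
    return mode, nets


def ssh_permitted(src_ip, policy):
    """Decide whether a source address may reach the SSH port."""
    mode, nets = policy
    ip = ipaddress.ip_address(src_ip)
    matched = any(ip in net for net in nets)
    return matched if mode == "allow" else not matched


def nft_rules(policy, port=22):
    """Render the policy as an nftables set and a silent drop rule."""
    mode, nets = policy
    elems = ", ".join(str(net) for net in nets)
    rules = [f"set geo_{mode} {{ type ipv4_addr; flags interval; "
             f"elements = {{ {elems} }} }}"]
    if mode == "allow":   # everything outside the allowed countries is dropped
        rules.append(f"tcp dport {port} ip saddr != @geo_allow drop")
    else:                 # only the denied countries are dropped
        rules.append(f"tcp dport {port} ip saddr @geo_deny drop")
    return rules


if __name__ == "__main__":
    for line in nft_rules(build_policy(["CN", "RU"])):
        print(line)
```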