Re: "ssh" attacks

From: Smith (smithconfuciun.com)
Date: Wed May 31 2006 - 20:12:10 CDT


This has been asked before, and I tried many of the suggestions given,
especially with pf (max-src-conn). But the simplest way to stop this
is to change your ssh port. You can do all that tweaking in pf but your
logs will still show that someone tried, just that your logs will be
smaller. But change the port and you'll see no attempts whatsoever.
This is my experience. I agree with what this guy below says. I too
ended up only allowing certain IP addresses to ssh into my servers but
this is troublesome when you're at a new location and that location has
a dynamic address. I ultimately changed the port number and the only
inconvenience to me was remembering the new port number.
>
> I blocked these guys by various means and watched what happened for a
> while. Sometimes there were lots of scans and other times there were
> only a few per day. But they were all hit and run scans, from IPs all
> over the place. You're going to fill your tables with IPs that aren't
> coming back. Pf does a fine job with tables, and my boxes never got slow
> or low on memory. But why waste resources for nothing? At that point
> you're really doing the same job as pflog.
>
> I ended up using a table for IPs allowed to ssh, others are blocked.
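
The two pf approaches mentioned in this thread (a table of addresses allowed to ssh, and max-src-conn limits), sketched as a pf.conf fragment. This is an added example, not part of the original messages; the interface name, table names, addresses and thresholds are assumptions.

```conf
# Added example: all values below are constructed placeholders
# (addresses come from the documentation ranges).
ext_if = "em0"                       # assumption: external interface

# Sources that may always reach sshd (the allow-list approach).
table <ssh_allowed> persist { 192.0.2.10, 198.51.100.0/24 }

# Filled automatically by the overload clause in option B.
table <ssh_abusers> persist

# Default for inbound ssh: drop and log.
block in log on $ext_if proto tcp to port ssh

# Sources that tripped the limits in option B are dropped first.
block in quick on $ext_if proto tcp from <ssh_abusers> to port ssh

# Option A: allow-list only. Nothing else reaches sshd, which is the
# part that becomes awkward when connecting from a dynamic address.
pass in on $ext_if proto tcp from <ssh_allowed> to port ssh \
    flags S/SA keep state

# Option B: open to everyone, limited per source. Use in place of
# option A. A source exceeding 5 simultaneous connections, or 3 new
# connections in 30 seconds, is added to <ssh_abusers> and its
# existing states are flushed.
# pass in on $ext_if proto tcp to port ssh flags S/SA keep state \
#     (max-src-conn 5, max-src-conn-rate 3/30, \
#      overload <ssh_abusers> flush global)
```

`pfctl -nf /etc/pf.conf` parses the ruleset without loading it. With option B, `pfctl -t ssh_abusers -T expire 86400` removes entries older than a day, which keeps the table from accumulating addresses that never return.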