I read this article at SecurityFocus “Analyzing Malicious SSH Login Attempts”, which apparently was written over 2 years ago. The article goes over some statistics collected over a period of 22 days and points out interesting things I’ve seen before too (in a previous life).

Combined with an army of IRC bots, an attacker only needs 525 Zombies to scan the entire IP4 of today’s public Internet in just one day. If you have a publicly accessible SSH server, you are very likely to be targeted by one of these attacks

I used a combination of python scripts to hold off specific attacks: particularly the attacks that try hundreds of username and password combinations in only a couple of minutes (the brute force ones). The main script focused on keeping a count of attacks from a single IP (a maximum of 3 or 5 retries) and offenders were put on a 24 (or 48) hours waiting list, via the deny/accept host files. If I remember correctly it was based on BlockHosts. This worked extremely well and formed a good deterrent and first line defense, telling these script guys that (at least) someone cared about the server. Besides this, it is probably a good idea to only allow people who know SSH access to the server and consider enforcing a strict password policy.

This entry was posted in Ordinateurs and tagged , , . Bookmark the permalink.