{"id":2013,"date":"2008-09-24T21:28:33","date_gmt":"2008-09-25T00:28:33","guid":{"rendered":"http:\/\/www.hoogervorst.ca\/arthur\/?p=2013"},"modified":"2008-09-24T21:28:33","modified_gmt":"2008-09-25T00:28:33","slug":"ssh","status":"publish","type":"post","link":"http:\/\/www.hoogervorst.ca\/arthur\/?p=2013","title":{"rendered":"SSH"},"content":{"rendered":"<p><span class=\"dropcap\">I<\/span> read this article at SecurityFocus <a href=\"http:\/\/www.securityfocus.com\/infocus\/1876\">&#8220;Analyzing Malicious SSH Login Attempts&#8221;<\/a>, which apparently was written over 2 years ago. The article goes over some statistics collected over a period of 22 days and points out interesting things I&#8217;ve seen before too (in a previous life).\n<\/p>\n<p class=\"quote\">Combined with an army of IRC bots, an attacker only needs 525 Zombies to scan the entire IP4 of today&#8217;s public Internet in just one day. If you have a publicly accessible SSH server, you are very likely to be targeted by one of these attacks\n<\/p>\n<p>I used a combination of Python scripts to hold off specific attacks: particularly the attacks that try hundreds of username and password combinations in only a couple of minutes (the brute-force ones). The main script focused on keeping a count of attacks from a single IP (a maximum of 3 or 5 retries) and offenders were put on a 24 (or 48) hour waiting list, via the deny\/accept host files. If I remember correctly it was based on <a href=\"http:\/\/www.aczoom.com\/cms\/book\/export\/html\/13\">BlockHosts<\/a>. This worked extremely well and formed a good deterrent and first line of defense, telling these script guys that (at least) someone cared about the server. 
Besides this, it is probably a good idea to only allow people who know SSH access to the server and consider enforcing a strict password policy.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I read this article at SecurityFocus &#8220;Analyzing Malicious SSH Login Attempts&#8221;, which apparently was written over 2 years ago. The article goes over some statistics collected over a period of 22 days and points out interesting things I&#8217;ve seen before &hellip; <a href=\"http:\/\/www.hoogervorst.ca\/arthur\/?p=2013\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[2],"tags":[169,170,340],"_links":{"self":[{"href":"http:\/\/www.hoogervorst.ca\/arthur\/index.php?rest_route=\/wp\/v2\/posts\/2013"}],"collection":[{"href":"http:\/\/www.hoogervorst.ca\/arthur\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.hoogervorst.ca\/arthur\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.hoogervorst.ca\/arthur\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/www.hoogervorst.ca\/arthur\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2013"}],"version-history":[{"count":0,"href":"http:\/\/www.hoogervorst.ca\/arthur\/index.php?rest_route=\/wp\/v2\/posts\/2013\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.hoogervorst.ca\/arthur\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2013"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.hoogervorst.ca\/arthur\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2013"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.hoogervorst.ca\/arthur\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2013"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}