Disable ssh access for password-guessing bots
Authored by: tempel on Oct 10, '08 08:45:45AM

And I disagree with you. The bots I've seen attacking public ssh servers at random do _not_ scan all ports but just go for the easy route. Sure, if some hacker is dedicating all his time to crash just your machine, he's going for the port scan route for sure, but the poster here tries to get rid of the random and dumb attempts, which are the major and most common annoyance for a public server.

Disable ssh access for password-guessing bots
Authored by: zadig on Oct 10, '08 09:04:48AM

Perhaps I read the original hint wrong, then. It didn't seem aimed at preventing the messages from appearing (which your suggestion would definitely help with), but the poster seemed to want to ban machines that try and fail too many times, which seems like a security issue.

I have no problem with securing your machine against general, automated scans/attacks, but I'd rather secure it against targeted manual attacks too, which obscurity doesn't do. That's why locking out password auth seemed like a better solution to me.

This doesn't change the basic question: how to keep the Mac safe from brute-force password attacks. The safest thing is to disable SSH altogether. Next safest is to enable SSH but block the connections from the outside world, aka blocking at the router. Finally, if you allow connections from the outside world, disable passwords and depend on key authentication.

Disable ssh access for password-guessing bots
Authored by: corienti on Oct 10, '08 09:56:33AM

I agree with both of you - changing the port WILL stop the constant bot scans - they only check port 22.
However it won't stop a targeted attack.
I prefer to run SSH on a nonstandard port to stop the bot scans, AND disable password login to help defend against targeted attack.

I ALSO don't believe in scanning the logfile for failed logins; I simply have the firewall start dropping ALL packets from an IP that hits my SSH port more frequently than a certain rate, say 10 times in 8 seconds.

Nobody, including even me, has any business hitting my SSH port at a high rate. So if anyone does, simply drop all packets (not just SSH!) from them for the next hour or so. Or day, if you like.

I'm not sure how to do this with ipfw because I don't use it, as all my Macs sit behind a NATing firewall that I set up personally; but it's easy enough to do with iptables (Linux) or pf (OpenBSD) and I have iptables doing it at home and pf doing it at work. I'm sure it's easy enough to do with ipfw.

(actually, I tell a small lie; it's actually slightly tricky with pf - but still no major hassle)

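An added pf.conf fragment (not from any poster in this thread) showing the rate-limit-and-drop approach corienti describes: the interface macro, table name and the 10-connections-in-8-seconds threshold are assumptions chosen to match the post.

```conf
# Added example: pf.conf fragment for dropping all traffic from a source
# that hits the SSH port too fast. Interface, table name and thresholds
# are assumptions, not taken from any configuration on this page.
ext_if = "em0"

# Table that collects offending source addresses. "persist" keeps the
# table across rule reloads even when it is empty.
table <ssh_bruteforce> persist

# Drop every packet, not just SSH, from any address in the table.
# "quick" makes this rule final so a later pass rule cannot override it.
block in quick on $ext_if from <ssh_bruteforce> to any

# Admit SSH, but if one source opens more than 10 new connections in
# 8 seconds, add it to the table and kill all of its existing states.
pass in on $ext_if proto tcp from any to ($ext_if) port 22 \
    flags S/SA keep state \
    (max-src-conn-rate 10/8, overload <ssh_bruteforce> flush global)
```

Table entries do not age out by themselves; a periodic `pfctl -t ssh_bruteforce -T expire 3600` (from cron, for example) removes entries older than an hour, which gives the "next hour or so" ban the post mentions.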
Disable ssh access for password-guessing bots
Authored by: isancho on Oct 10, '08 10:11:24AM

I don't think that IPFW lets you overload tables dynamically like PF. I'm willing (and hoping) to be proven wrong on this, though.
