Suggestions for dealing with ssh spammers?
Running 1.2.3 release
I usually need to ssh into my box at least once a day for a while. I've noticed in my logs that on days that I do, after I have successfully logged in it'll start detecting multiple ssh attempts into the box from different addresses.
In my existing ssh rule, I do not use the default port and have a schedule applied to it so I can only log in at certain times…though that schedule is several hours. I have the rule set to allow only 2 simultaneous connections and only 1 new connection per minute. I guess what I'm looking for is something to block these ssh spammers if they persist in trying to log in. I do have the snort package installed but admittedly I'm not that great at configuring it.
DenyHosts. There is a package that installs denyhosts and stops attempts.
You can set it to permanently block IPs that try to brute force their way in. You can also set it to block IPs that have tried to brute force into other networks that run DenyHosts.
On top of that I would also change your SSH port to something other than 22 and enforce certificate authentication while disabling password authentication.
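As an added illustration of the two pieces of advice above (it is not code from the thread, from pfSense or from the DenyHosts package), the following script does in miniature what a DenyHosts-style blocker does, counting failed sshd logins per source address over a constructed set of log lines and returning the addresses that cross a threshold, and it audits an sshd_config excerpt for the settings the reply recommends changing. The log lines, the sshd_config excerpt, the threshold of 3, and the assumption that a missing PasswordAuthentication, PubkeyAuthentication or PermitRootLogin line means the old OpenSSH default of "yes" are all assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sshd log lines in OpenSSH's usual format (not taken from the post).
# 203.0.113.5 hammers two accounts; 198.51.100.7 is the admin with one typo.
SAMPLE_LOG = """\
Jan 12 10:15:01 gw sshd[1201]: Accepted publickey for alice from 198.51.100.7 port 50122 ssh2
Jan 12 10:15:09 gw sshd[1210]: Failed password for invalid user admin from 203.0.113.5 port 40110 ssh2
Jan 12 10:15:11 gw sshd[1210]: Failed password for invalid user admin from 203.0.113.5 port 40110 ssh2
Jan 12 10:15:14 gw sshd[1212]: Failed password for root from 203.0.113.5 port 40118 ssh2
Jan 12 10:15:20 gw sshd[1215]: Failed password for root from 203.0.113.5 port 40120 ssh2
Jan 12 10:15:33 gw sshd[1220]: Failed password for invalid user test from 192.0.2.44 port 33001 ssh2
Jan 12 10:16:02 gw sshd[1230]: Failed password for alice from 198.51.100.7 port 50130 ssh2
"""

# Matches "Failed password/publickey for [invalid user] NAME from A.B.C.D".
FAILED_RE = re.compile(
    r"Failed (?:password|publickey) for (?:invalid user )?(\S+) from (\d{1,3}(?:\.\d{1,3}){3})"
)


def failed_logins_by_ip(log_text):
    """Count failed sshd authentication attempts per source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return dict(counts)


def ips_to_block(counts, threshold=3, allowlist=()):
    """Return sorted IPs at or above the failure threshold.

    The allowlist keeps your own management address from being locked out
    after a few typos, a classic self-inflicted outage with this kind of tool.
    """
    return sorted(ip for ip, n in counts.items() if n >= threshold and ip not in allowlist)


# Constructed sshd_config excerpt with the weak settings the reply warns about.
SAMPLE_SSHD_CONFIG = """\
# constructed sshd_config excerpt
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication yes
"""


def parse_sshd_config(text):
    """Parse keyword/value lines; sshd honours the FIRST occurrence of a keyword."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def audit_sshd_config(text):
    """List findings for the settings discussed in the thread.

    Assumption for this example: an absent keyword is treated as the old
    OpenSSH default of "yes" for all three authentication-related settings.
    """
    s = parse_sshd_config(text)
    findings = []
    if s.get("passwordauthentication", "yes").lower() == "yes":
        findings.append("PasswordAuthentication yes: set to 'no' once key login is confirmed working")
    if s.get("pubkeyauthentication", "yes").lower() != "yes":
        findings.append("PubkeyAuthentication disabled: set to 'yes' to allow key login")
    if s.get("permitrootlogin", "yes").lower() == "yes":
        findings.append("PermitRootLogin yes: set to 'no' and log in as an unprivileged user")
    if s.get("port", "22") == "22":
        findings.append("Port 22: the thread recommends moving to a non-default port")
    return findings


if __name__ == "__main__":
    counts = failed_logins_by_ip(SAMPLE_LOG)
    print("failures per IP:", counts)
    print("would block:", ips_to_block(counts, allowlist={"198.51.100.7"}))
    for f in audit_sshd_config(SAMPLE_SSHD_CONFIG):
        print("finding:", f)
```

Moving the port and rate-limiting connections, as the original poster already does, only thins the noise; the audit findings are the changes that actually stop password guessing from ever succeeding, and the threshold logic is what turns the remaining noise into a block list.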
Oh crap, I forgot to mention that I did try the DenyHosts package; however, it never seemed to work on my setup. There were several instances of ssh login attempts while the package was running and it never did anything.
But your suggestion of using a certificate is a good one. I've thought about giving it a try; maybe I just need to take the plunge and do it.