From: David Brown
Newsgroups: comp.os.linux.development.apps
Subject: Re: Security problem
Date: Fri, 02 Sep 2011 16:19:48 +0200
Message-ID: <5LadnfB9uvXse_3TnZ2dnUVZ7oGdnZ2d@lyse.net>

On 31/08/2011 01:47, GangGreene wrote:
> jacob navia wrote:
>
>> I have several computers that try to enter my machine via
>> ssh. My log files are swamped by these people trying all
>> possible user names several times a second.
>>
>> Is there a way to tell the ssh daemon to stop accepting more than 1
>> request each minute after it fails (say) 3 times?
>>
>> Something like the "login" behavior?
>>
>> Thanks in advance for any help
>
>
> http://hostingfu.com/article/ssh-dictionary-attack-prevention-with-iptables
>
> http://www.digitalsanctuary.com/tech-blog/debian/using-iptables-to-prevent-ssh-brute-force-attacks.html
>

Am I right in thinking that the "recent" limiting applies limits to a
particular source IP, while "-m limit" (which I have used often) applies
the limit to all incoming traffic that hits the rule?

The easiest and most effective step to limiting dictionary attacks is
simply to use a non-standard port. Put your sshd on port 222 instead of
22, and no attacker will ever find it.
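As an added illustration of the distinction asked about in the post above (this is example code written for this page, not code from the thread or from either linked article), the script below emulates the two iptables matchers against a constructed sequence of new SSH connection attempts. `recent_filter` models the per-source-address bookkeeping of `-m recent --set --name SSH` followed by `-m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP`; `limit_filter` models the single shared token bucket of `-m limit --limit 3/minute --limit-burst 3 -j ACCEPT` with a trailing DROP. The addresses, timestamps and thresholds are made up for the example, and the token-bucket arithmetic is a floating-point approximation of the kernel's integer credit scheme.

```python
"""Emulate per-source (-m recent) versus global (-m limit) rate limiting
of new SSH connections, to show why the two behave so differently.

Rules being emulated (assumed typical forms, not taken from the thread):

  # per source address: drop the 4th+ new connection within 60 s
  iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW \
      -m recent --set --name SSH
  iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW \
      -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP

  # global: one token bucket shared by every source that hits the rule
  iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW \
      -m limit --limit 3/minute --limit-burst 3 -j ACCEPT
  iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j DROP
"""
from collections import defaultdict

# Constructed sample: (seconds since start, source address) for each new
# TCP connection to port 22.  203.0.113.7 is the attacker; 198.51.100.9 and
# 192.0.2.44 are two unrelated hosts making a couple of normal logins.
SAMPLE_ATTEMPTS = [
    (0.0, "203.0.113.7"),
    (0.5, "203.0.113.7"),
    (1.0, "203.0.113.7"),
    (1.5, "203.0.113.7"),    # 4th hit inside the window
    (2.0, "203.0.113.7"),
    (2.5, "198.51.100.9"),
    (3.0, "198.51.100.9"),
    (3.5, "192.0.2.44"),
    (30.0, "203.0.113.7"),   # attacker retries while still inside the window
    (95.0, "203.0.113.7"),   # attacker retries after more than 60 s of quiet
]

PKT_LIST_TOT = 20  # xt_recent's default ip_pkt_list_tot: stamps kept per address


def recent_filter(attempts, seconds=60, hitcount=4):
    """Per-source-address matching, as with -m recent.

    Every new connection is recorded against its source (the --set rule),
    then dropped if that source now has `hitcount` or more stamps inside
    the last `seconds` (the --update ... -j DROP rule).  Because --set runs
    first, dropped packets still refresh the entry, so a source that keeps
    hammering stays blocked until it has been quiet for a full window.
    """
    stamps = defaultdict(list)
    verdicts = []
    for now, src in attempts:
        lst = stamps[src]
        lst.append(now)
        del lst[:-PKT_LIST_TOT]          # keep only the newest N stamps
        hits = sum(1 for t in lst if now - t <= seconds)
        verdicts.append("DROP" if hits >= hitcount else "ACCEPT")
    return verdicts


def limit_filter(attempts, per_minute=3, burst=3):
    """Global matching, as with -m limit: one token bucket for the rule.

    The bucket starts full at `burst`, refills at `per_minute`/60 tokens
    per second, and any packet that finds no whole token is dropped,
    regardless of which source it came from.
    """
    rate = per_minute / 60.0
    tokens = float(burst)
    last = None
    verdicts = []
    for now, _src in attempts:
        if last is not None:
            tokens = min(float(burst), tokens + (now - last) * rate)
        last = now
        if tokens >= 1.0:
            tokens -= 1.0
            verdicts.append("ACCEPT")
        else:
            verdicts.append("DROP")
    return verdicts


def dropped_sources(attempts, verdicts):
    """Sorted list of source addresses that lost at least one packet."""
    return sorted({src for (_, src), v in zip(attempts, verdicts) if v == "DROP"})


if __name__ == "__main__":
    recent = recent_filter(SAMPLE_ATTEMPTS)
    limit = limit_filter(SAMPLE_ATTEMPTS)
    print(f"{'t(s)':>6}  {'source':<14} {'-m recent':<10} {'-m limit':<10}")
    for (t, src), r, l in zip(SAMPLE_ATTEMPTS, recent, limit):
        print(f"{t:>6.1f}  {src:<14} {r:<10} {l:<10}")
    print("dropped under recent:", dropped_sources(SAMPLE_ATTEMPTS, recent))
    print("dropped under limit: ", dropped_sources(SAMPLE_ATTEMPTS, limit))
```

Running it shows what the question is getting at: under `recent` only 203.0.113.7 loses packets, and only from its fourth attempt inside the window, while under `limit` the attacker drains the shared bucket in the first second and the two other sources are dropped alongside it until the bucket refills. The output also shows the lockout-extension effect of putting `--set` before `--update`: the retry at 30 s is still dropped because the entry was refreshed by every earlier hit, and only the retry after a full quiet window gets through. On current kernels the per-address state can be inspected in /proc/net/xt_recent/SSH. Both rule sets match on the destination port, so they apply unchanged whichever port sshd is moved to.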