On 10/19/07, <b class="gmail_sendername">Yan Seiner</b> <<a href="mailto:yan@seiner.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">yan@seiner.com</a>> wrote:<div><span class="gmail_quote">
</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Jay R. Ashworth wrote:<br>> If you've tunneled SSH traffic through to your Mythbox, you're likely<br>> the target of brute-force SSH attacks, some of which might well work.<br>><br>> The most elegant solution I've found so far is here:
<br>><br>> <a href="http://www.la-samhna.de/library/brutessh.html#5" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">http://www.la-samhna.de/library/brutessh.html#5</a><br>><br>> This won't block attacks that "know" about a specific bug in your sshd,
<br>> so you need to stay updated, but for the dictionary attacks it will<br>> work nicely, and it'll sure keep your logs from growing without<br>> bounds...<br><br>You can also do this with iptables. There is also a setting in sshd
<br>itself that allows only so many connections / unit time.<br><br>But none of this will help you if you are the subject of a concerted,<br>persistent, distributed attack - only picking a really good password,<br>not allowing root ssh access, and monitoring logs will keep you safe....
</blockquote><div><br>If you really want to prevent dictionary attacks you should disable password login altogether and only allow login using public key authentication and password-protect your private keys.<br><br>This way someone needs to get a hold of your key and guess the password. And if you regularly change the keys then this is even more secure...
<br><br>An even more secure technique is to use port knocking (<a href="http://www.portknocking.org/">http://www.portknocking.org/</a>) combined with the above but I'm not that paranoid yet.<br><br>Deyan<br></div><br>
</div><br>
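As an added example, not part of the thread above: a shell check that reads an sshd_config and confirms the settings Deyan and Yan mention (password login off, root login off, key-based auth on). Both config fragments are constructed for the example, and the fallback defaults the check assumes for unset keywords are conservative assumptions, not quoted from any sshd version.

```shell
# Two constructed sshd_config fragments (not from any real host): a
# password-login setup and the hardened form Deyan describes.
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
Port 22
#PasswordAuthentication no   <- commented out, so the default applies
PermitRootLogin yes
EOF
cat > "$HARD_CFG" <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
Match User backup
    PasswordAuthentication yes
EOF

# effective_value FILE KEY: value of KEY in the global section. sshd honours
# the first occurrence of a keyword, so stop at the first hit; comment lines
# are skipped and everything from the first "Match" block on is ignored.
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# check_sshd_hardening FILE: return 0 if password and root logins are off
# and key auth is on, 1 otherwise. Each spec is KEY=wanted=assumed_default,
# so an unset keyword is judged by the (conservative) default it falls to.
# ChallengeResponseAuthentication is included because, with PAM, it can
# still accept a password even when PasswordAuthentication is off.
check_sshd_hardening() {
    rc=0
    for spec in PasswordAuthentication=no=yes \
                ChallengeResponseAuthentication=no=yes \
                PermitRootLogin=no=yes \
                PubkeyAuthentication=yes=yes; do
        key=${spec%%=*}; rest=${spec#*=}; want=${rest%%=*}; def=${rest#*=}
        got=$(effective_value "$1" "$key"); got=${got:-$def}
        if [ "$got" = "$want" ]; then
            echo "OK   $key=$got"
        else
            echo "FAIL $key=$got (want $want)"; rc=1
        fi
    done
    return $rc
}

check_sshd_hardening "$WEAK_CFG" || echo "weak config fails the check"
check_sshd_hardening "$HARD_CFG" && echo "hardened config passes"
```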