X-Recipient: archive-cygwin AT delorie DOT com
X-Spam-Check-By: sourceware.org
To: <cygwin AT cygwin DOT com>
References: <47b8d665 DOT 02fd220a DOT 6f30 DOT 11eb AT mx DOT google DOT com> <47B8DA84 DOT 4030206 AT highlandsun DOT com>
In-Reply-To: <47B8DA84.4030206@highlandsun.com>
Subject: RE: Stop Brute Force Attack on SSH
Date: Sun, 17 Feb 2008 19:41:46 -0600
MIME-Version: 1.0
Content-Type: text/plain; 	charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 12.0
Content-Language: en-us
From: "Kyle A. Dawson" <kyle DOT a DOT dawson AT gmail DOT com>
Message-ID: <47b8e25f.2cf0220a.4d59.2e70@mx.google.com>
X-IsSubscribed: yes
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com

Yes, currently I disable root, disable password, (only allow keys).  The one
idea I had as a last resort was to change the port from 22.  Doing this
would require all users to update their client side.  I was hoping to make a
change on the server, some software that could help protect ssh.



-----Original Message-----
From: cygwin-owner AT cygwin DOT com [mailto:cygwin-owner AT cygwin DOT com] On Behalf Of
Howard Chu
Sent: Sunday, February 17, 2008 7:08 PM
To: cygwin AT cygwin DOT com
Subject: Re: Stop Brute Force Attack on SSH

Kyle Dawson wrote:
> How can I stop attacks on my ssh demon?   I see thousands of attempts
every
> day.  I have, I believe good password policy but since I have clients,
not
> 100% sure.  Is there some config that  I can set?  One ip address comes in
> and tries for a day or so.  Can it see that it is the same ip and just
> deny?  Any tools that can help?

I see the same thing once in a while. I've wanted an option for this as
well. 
Sometimes I black-hole the offending IP address so I don't have to see the 
failures in the log files any more.

In the meantime, I just disable password-based logins, and require everyone
to 
use a public key.

-- 
   -- Howard Chu
   Chief Architect, Symas Corp.  http://www.symas.com
   Director, Highland Sun        http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP     http://www.openldap.org/project/

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/


--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/