[lug] DOS ssh attacks

Alfred G. de Wijn dwijn at iluvatar.org
Sat Jan 10 09:47:14 MST 2009

On Jan 10, 2009, at 9:04 AM, Rob Nagler wrote:

> Another question is: any tricks we can use to slow down requests to
> ssh so we don't get locked out?

A long while ago, I got fed up with these attacks.  I found a program  
called "authfail", and adapted it to block them in my firewall.  It's  
old, but it works for me.  It listens on a log fifo, and updates the  
firewall if some conditions are met.  In my case, I block the IP if  
there are more than 4 login attempts spaced less than 900 seconds  
apart.  Some IPs are whitelisted.  Some users that should never log in  
over ssh (e.g., bin, bind, ftp, mail, sshd) result in an immediate  


Alfred G. de Wijn (dwijn at iluvatar.org)
web: http://www.iluvatar.org/~dwijn

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2278 bytes
Desc: not available
URL: <http://lists.lug.boulder.co.us/pipermail/lug/attachments/20090110/6ad01f0a/attachment.bin>

More information about the LUG mailing list