
On Mon, Jul 16, 2012 at 01:51:39PM +1000, Chris Samuel wrote:
> We have quite a few here at work (comes with the territory) and we have gone to rate limiting incoming SSH connections with iptables because of the brute forcers connecting so much.
yep, me too. i whitelist known good addresses (incl. our own :-) and everything else is subject to iptables recent-match rules. i also use /etc/security/access.conf via the pam_access module to limit who is allowed to login (and from where), and only allow password auth from whitelisted hosts - other access to ssh is either blocked or key-based auth only, e.g.:

    PubkeyAuthentication yes
    PasswordAuthentication no

    Match Address IP.IP.IP.IP/MASK,127.0.0.0/8
        PasswordAuthentication yes

NOTE: the Match Address feature of sshd_config is fairly recent, only a year or two old IIRC, so it won't work if you are running an ancient or crap distro.
> I was just wondering if that meant we were more of an attraction than other sites.
probably not. if you put a machine on the net then it's going to get probed for all sorts of potential exploits, real or imaginary or obsolete or just hopeful - including ssh and mysql and ms sql and smb and telnet and rpc and hundreds/thousands of other ports, many of which haven't even had an exploitable version for over a decade. since it's all done by bots, one IP address is as "attractive" as any other. of course, if you've got some highly desirable or valuable data then your known IP address ranges may be specifically targeted, but mere presence or number of accessible machines doesn't make your site a more attractive target.

craig

--
craig sanders <cas@taz.net.au>