<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"></head><body>sshguard is really good since it'll drop in an iptables rule to block an IP address after a number of attempts (and prevent knocking on other ports too).<div><br></div>
<div>Yubikey as 2FA is pretty nice too.</div>
<div><br></div>
<div style="font-size:100%;color:#000000"><div>-------- Original message --------</div><div>From: Bruce Dawson <jbd@codemeta.com> </div><div>Date: 6/11/17 10:58 AM (GMT-05:00) </div><div>To: gnhlug-discuss@mail.gnhlug.org </div><div>Subject: Re: What's the strategy for bad guys guessing a few ssh passwords? </div><div><br></div></div>
sshguard takes care of most of them (especially the high bandwidth ones).<br><br>
The black hats don't care - they're looking for vulnerable systems. If <br>they find one, they'll exploit it (or not).<br><br>
Note that a while ago (more than a few years), Comcast used to probe <br>systems to see if they're vulnerable. Either they don't do that any <br>more, or contract it out, because I haven't seen probes from any of their <br>systems in years. This probably holds true for other ISPs, and various <br>intelligence agencies in the world - both private and public, not to <br>mention various disreputable enterprises.<br><br>
--Bruce<br><br><br>
On 06/11/2017 10:17 AM, Ted Roche wrote:<br>
> For 36 hours now, one of my clients' servers has been logging ssh<br>> login attempts from around the world, low volume, persistent, but more<br>> frequent than usual. sshd is listening on a non-standard port, just to<br>> minimize the garbage in the logs.<br>><br>
> A couple of attempts is normal; we've seen that for years. But this is<br>> several each hour, and each hour an IP from a different country:<br>> Belgium, Korea, Switzerland, Bangladesh, France, China, Germany,<br>> Dallas, Greece. Usernames vary: root, mythtv, rheal, etc.<br>><br>
> There are several levels of defense in use: firewalls, intrusion<br>> detection, log monitoring, etc., so each script gets a few guesses and<br>> the IP is then rejected.<br>><br>
> In theory, the defenses should be sufficient, but I have a concern<br>> that I'm missing their strategy here. It's not a DDOS, they are very<br>> low volume. It will take them several millennia to guess enough<br>> dictionary attack guesses to get through, so what's the point?<br>><br><br>
_______________________________________________<br>gnhlug-discuss mailing list<br>gnhlug-discuss@mail.gnhlug.org<br>http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/<br></body></html>
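The thread describes the mechanism sshguard applies (count failed sshd logins per source IP, then drop in an iptables rule once a threshold is crossed) and the low-volume, slow pattern Ted observed. The following is an added example, not code from the thread, sshguard, or any of the posters, showing that threshold-within-a-window logic over constructed auth.log lines. The log lines, the IP addresses (documentation ranges), the threshold and window values, and the `block_command` helper are all assumptions made for the example; `block_command` only returns the rule it would install and executes nothing. It also shows the edge case the thread is really about: a source that spaces its guesses widely enough never accumulates `threshold` failures inside the window and is not blocked by this rule alone.

```python
"""Threshold-based SSH brute-force detector (added example, hypothetical code).

Models the sshguard behaviour discussed in the thread: keep a sliding window
of failed-login timestamps per source IP and decide to block the IP once
`threshold` failures fall inside `window_seconds`.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample auth.log lines (not taken from the original thread).
# 198.51.100.7 fails three times within 13 seconds; 192.0.2.9 fails three
# times but spreads them over ~90 minutes, as in the "slow" pattern.
SAMPLE_LOG = """\
Jun 11 10:01:02 host sshd[1234]: Failed password for invalid user mythtv from 198.51.100.7 port 51234 ssh2
Jun 11 10:01:09 host sshd[1235]: Failed password for root from 198.51.100.7 port 51240 ssh2
Jun 11 10:01:15 host sshd[1236]: Failed password for invalid user rheal from 198.51.100.7 port 51245 ssh2
Jun 11 10:02:30 host sshd[1240]: Accepted publickey for ted from 203.0.113.5 port 40000 ssh2: RSA SHA256:constructed
Jun 11 10:05:00 host sshd[1250]: Failed password for root from 192.0.2.9 port 33333 ssh2
Jun 11 11:30:00 host sshd[1260]: Failed password for root from 192.0.2.9 port 33334 ssh2
Jun 11 11:31:00 host sshd[1261]: Failed password for root from 192.0.2.9 port 33335 ssh2
"""

# Matches OpenSSH "Failed password" lines; the "invalid user" prefix is optional.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(text, year=2017):
    """Yield (timestamp, user, ip) for each failed-login line; skip all others.

    Syslog timestamps carry no year, so one is supplied (assumed 2017 here).
    """
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["ip"]


def detect_bruteforce(text, threshold=3, window_seconds=600):
    """Return {ip: timestamp of the failure that triggered the block}.

    A per-IP deque holds failure times inside the sliding window; timestamps
    older than `window_seconds` are evicted before the count is checked, so
    widely spaced guesses never reach the threshold.
    """
    recent = defaultdict(deque)
    blocked = {}
    for ts, _user, ip in parse_failures(text):
        if ip in blocked:
            continue  # already decided; a real blocker would have dropped the packets
        q = recent[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            blocked[ip] = ts
    return blocked


def block_command(ip):
    """Hypothetical helper: the iptables rule a blocker would insert.

    A per-source DROP on INPUT covers every port, which is why the thread
    notes that such a block also stops knocking on other services.
    """
    return f"iptables -I INPUT -s {ip} -j DROP"


if __name__ == "__main__":
    for ip, when in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{when.isoformat()} block {ip}: {block_command(ip)}")
```

Running the block with the defaults flags only 198.51.100.7; 192.0.2.9 is caught only if the window is widened (for instance to two hours), which is the trade-off behind the thread's question: a longer window or lower threshold catches slow guessers at the cost of more false positives on legitimate typos.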