Re: ssh dictionary attacks



Sheldon T. Hall - DO NOT MAIL wrote:
On Tue, 15 Aug 2006 06:53:56 -0700, Captain Dondo
<yan@xxxxxxxxxxxxxxxx> wrote:

This is something that comes up once in a while... I've been subject to
them as well.

I've come across a couple of projects that build a 'tarpit' for attackers
- the first one is for SMTP and the second one is more generic.

I've often wondered if one couldn't use this to at least slow down a
dictionary attack on ssh. It wouldn't do much good for a distributed
attack, but it might for an attack coming from a few hosts.

Any thoughts? Comments? This is sort of a curiosity question for me; I
don't know enough to really make a solid judgement if this would be useful.

http://www.iks-jena.de/mitarb/lutz/usenet/teergrube.en.html
http://labrea.sourceforge.net/labrea-info.html

The easiest way to secure your server's SSH port is to just firewall
it completely from the 'net, and have a portknocking arrangement that
selectively opens the SSH port to the IP address that correctly
knocked on the secret port.

Of course, you'd still want all the usual SSH security stuff, too:
restrict the access list to particular users, disallow direct root
logins, require keys, etc.

-Shel


How do you get the ssh client to "knock first before entering"?
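
The server side of the port-knocking arrangement described in the quoted reply, modelled as an added example that is not part of the original thread. It generalizes the single secret port to a short sequence; the port numbers, timings, class and function names, and packet events are all constructed assumptions.

```python
# Added example: model of a port-knock gate in front of SSH (hypothetical names).
from dataclasses import dataclass, field

KNOCK_SEQUENCE = (7000, 8000, 9000)  # assumed secret knock sequence
SSH_PORT = 22
KNOCK_WINDOW = 10.0   # seconds allowed to finish the sequence
OPEN_DURATION = 30.0  # seconds SSH stays open for a source after a good knock

@dataclass
class KnockGate:
    progress: dict = field(default_factory=dict)  # ip -> (next index, start time)
    allowed: dict = field(default_factory=dict)   # ip -> time the opening expires

    def packet(self, ts, ip, port):
        """Process one inbound connection attempt; True means accept it."""
        if port == SSH_PORT:
            return self.allowed.get(ip, 0.0) > ts
        idx, start = self.progress.get(ip, (0, ts))
        if idx and ts - start > KNOCK_WINDOW:
            idx, start = 0, ts  # too slow: start over
        if port == KNOCK_SEQUENCE[idx]:
            idx += 1
            if idx == len(KNOCK_SEQUENCE):
                self.allowed[ip] = ts + OPEN_DURATION  # open SSH for this IP only
                self.progress.pop(ip, None)
            else:
                self.progress[ip] = (idx, start)
        else:
            # A wrong port resets progress, so a sequential scan never completes.
            self.progress.pop(ip, None)
        return False  # knock ports themselves always look closed

# Constructed events: (timestamp, source IP, destination port)
EVENTS = [
    (0.0, "198.51.100.7", 22),   # straight to SSH without knocking: dropped
    (1.0, "203.0.113.5", 7000),
    (1.5, "203.0.113.5", 8000),
    (2.0, "203.0.113.5", 9000),  # sequence complete
    (3.0, "203.0.113.5", 22),    # accepted
    (3.5, "198.51.100.7", 22),   # still dropped: the opening is per source
    (40.0, "203.0.113.5", 22),   # opening has expired
]

def replay(events):
    gate = KnockGate()
    return [gate.packet(*e) for e in events]

if __name__ == "__main__":
    for event, accepted in zip(EVENTS, replay(EVENTS)):
        print(event, "ACCEPT" if accepted else "DROP")
```
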