Re: using PubkeyAuthentication, still getting dictionary attacks!



Nomen Nescio <nobody@xxxxxxxxx> writes:

I used to run my ssh server on a high port no. to avoid the dictionary
attacks. It worked quite well but I've had to go back to good ol' port
22 because I've been plugging laptop into networks with *crazy*
restrictions like blocking huge ranges of client ports except for
specific services.

So I've changed the server config to allow PubkeyAuthentication only,
and that's working fine, BUT the dictionary attacks are still
coming. (See below for the sort of stuff I mean, in syslog.)

AIUI, dictionary attacks on PubkeyAuthentication are hopeless, and I'm
surprised the attacking "clients" try it. Am I right? Why do they keep
trying? Anything else I can/should do?

Do you think that there is a human being behind those attacks, trying all
the passwords? It is a program, which is launched from someone else's
computer.

You could just put that IP address into /etc/hosts.allow with a deny tag
for ssh.
sshd: 24.148.29.250:deny


Thanks!



Invalid user webmaster from 24.148.29.250
Invalid user ftp from 24.148.29.250
Invalid user sales from 24.148.29.250
Invalid user admin from 24.148.29.250
Invalid user andrea from 24.148.29.250
Invalid user guest from 24.148.29.250
Invalid user guest1 from 24.148.29.250
Invalid user guest2 from 24.148.29.250
Invalid user guest3 from 24.148.29.250
Invalid user guest4 from 24.148.29.250
Invalid user guest5 from 24.148.29.250
Invalid user guest6 from 24.148.29.250
Invalid user guest7 from 24.148.29.250
Invalid user guest8 from 24.148.29.250
Invalid user guest9 from 24.148.29.250
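
Added example (not part of the original posts): a Python sketch that counts "Invalid user ... from ..." syslog lines per source address and prints deny entries in the hosts.allow form given in the reply above. The function names, the threshold and the sample lines (constructed, using reserved documentation addresses) are assumptions made for this illustration; only IPv4 sources are handled.

```python
import ipaddress
import re
from collections import Counter

# Greedy user group + end anchor: the username is attacker-controlled, so only
# the final " from <addr>" (the part sshd itself appends) is taken as the source.
INVALID_USER = re.compile(r"Invalid user (.*) from (\S+)(?: port \d+)?\s*$")

def count_invalid_users(lines):
    """Return a Counter mapping source IPv4 address -> invalid-user attempts."""
    hits = Counter()
    for line in lines:
        m = INVALID_USER.search(line)
        if not m:
            continue
        try:
            addr = ipaddress.IPv4Address(m.group(2))
        except ValueError:
            continue  # hostname or malformed text: never copy it into hosts.allow
        hits[str(addr)] += 1
    return hits

def deny_rules(lines, threshold=5):
    """Build 'sshd: <ip>:deny' lines for sources at or above the threshold."""
    hits = count_invalid_users(lines)
    return [f"sshd: {ip}:deny" for ip, n in sorted(hits.items()) if n >= threshold]

# Constructed sample input (not taken from a real host).
SAMPLE_LOG = (
    [f"sshd[411]: Invalid user guest{i} from 203.0.113.7" for i in range(1, 5)]
    + [
        "sshd[411]: Invalid user admin from 203.0.113.7 port 40122",
        # Username crafted to look like a different source address:
        "sshd[411]: Invalid user x from 192.0.2.99 from 203.0.113.7",
        "sshd[412]: Invalid user ftp from 198.51.100.20",
        "sshd[412]: Invalid user sales from 198.51.100.20",
        "sshd[413]: Accepted publickey for alice from 192.0.2.10 port 5555 ssh2",
    ]
)

if __name__ == "__main__":
    for rule in deny_rules(SAMPLE_LOG):
        print(rule)
```

Entries in /etc/hosts.allow only affect sshd when it is built with TCP wrappers (libwrap) support, which upstream OpenSSH removed in release 6.7.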
