sshdfilter

Michael A. Peters mpeters at mac.com
Mon Oct 3 04:33:15 UTC 2005


On Sun, 2005-10-02 at 21:00 -0700, Vladimir G. Ivanovic wrote:
> Has anyone ported sshdfilter to FC4? It seems like such a useful
> program now that I'm getting lots of ssh-based attacks.
> 
> http://www.csc.liv.ac.uk/~greg/sshdfilter/


From that page:

>115 attempts becomes 1 attempt - first guess was for root and is
>allowed a default of 3 chances, the second guess was for a non-existent
>user and so was blocked anyway.


I hope that's configurable - ssh to root should never be allowed (I know
Fedora enabled it by default, turn it off) - so 1 attempt should block :)

Also-

>107 attempts becomes 1 attempt - first guess was for a valid user
>(nobody), second guess was for a non-existent user so was blocked.

Any attempt to ssh in as a user with a UID below 100 should be blocked
immediately. I would personally recommend any UID below 500 be blocked
immediately.

-=-
Looks like a nifty package for those who have to have ssh exposed to the
outside world. I would recommend modifying it though to block anything
immediately trying to ssh in to a UID below 500, and be a little more
lax on non-existing accounts - could be username was a typo from a
legitimate user.
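
The policy suggested in this message, sketched as an added example that is not part of the original post and is not sshdfilter's own code: block a source address on its first guess at an account with a UID below 500, and allow a few guesses at unknown usernames. The account table, the allowance of 3 and the sample log lines are constructed assumptions; the regular expression targets OpenSSH's "Failed password" log lines.

```python
import re
from collections import defaultdict

# Constructed account table (name -> UID); a real tool would read the passwd database.
ACCOUNTS = {"root": 0, "apache": 48, "nobody": 99, "alice": 500, "bob": 501}
UID_FLOOR = 500            # threshold recommended in the post
UNKNOWN_USER_CHANCES = 3   # assumed typo allowance, not a figure from the post

# The username is attacker-controlled text inside the log line, so match greedily
# and anchor at end of line: the address used is always the last "from ... port".
FAILED = re.compile(
    r"Failed password for (?:invalid user )?(.+) from (\S+) port \d+ ssh2\s*$")

def decide(lines, accounts=ACCOUNTS):
    """Return {source_ip: reason} for each address the policy would block."""
    unknown = defaultdict(int)
    blocked = {}
    for line in lines:
        m = FAILED.search(line)
        if not m or m.group(2) in blocked:
            continue
        user, ip = m.groups()
        uid = accounts.get(user)
        if uid is not None and uid < UID_FLOOR:
            # Any guess at a system account blocks on the first attempt.
            blocked[ip] = f"system account {user} (uid {uid})"
        elif uid is None:
            # Unknown names may be typos, so allow a few before blocking.
            unknown[ip] += 1
            if unknown[ip] >= UNKNOWN_USER_CHANCES:
                blocked[ip] = f"{unknown[ip]} unknown usernames"
        # Failed passwords for real accounts at or above UID_FLOOR are left
        # to whatever per-user limit the filter already applies.
    return blocked

# Constructed sample log lines using documentation address ranges.
SAMPLE_LOG = [
    "Oct  3 04:10:01 host sshd[2101]: Failed password for root from 192.0.2.10 port 40001 ssh2",
    "Oct  3 04:10:05 host sshd[2102]: Failed password for nobody from 192.0.2.11 port 40002 ssh2",
    "Oct  3 04:11:00 host sshd[2103]: Failed password for invalid user alcie from 198.51.100.7 port 40003 ssh2",
    "Oct  3 04:11:20 host sshd[2104]: Failed password for alice from 198.51.100.7 port 40004 ssh2",
    "Oct  3 04:12:00 host sshd[2105]: Failed password for invalid user test from 203.0.113.5 port 40005 ssh2",
    "Oct  3 04:12:02 host sshd[2106]: Failed password for invalid user admin from 203.0.113.5 port 40006 ssh2",
    "Oct  3 04:12:04 host sshd[2107]: Failed password for invalid user guest from 203.0.113.5 port 40007 ssh2",
]

if __name__ == "__main__":
    for ip, reason in decide(SAMPLE_LOG).items():
        print(ip, "->", reason)
```

With the sample lines, the root and nobody guesses block on the first attempt, the single mistyped username followed by a valid one does not block, and the third unknown username from one address does.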



