[svlug] What to do about ssh hack attempts?
rick at linuxmafia.com
Wed Feb 1 10:11:08 PST 2006
Quoting Mark (msalists at gmx.net):
> Moving the port is really a great solution - considering the time it
> takes. One minute to do the change and I have never gotten one single
> log entry since. I used to have log entries every day, sometimes up
> to 50,000 attempts from 1 single IP.
Wouldn't it be more useful to concentrate on the threat and the
exposure, rather than logwatch log entries? If the root problem is
exposure of guessable ssh login/password pairs to remote attackers, then
your candidate solution should aim to fix that exposure. Moving the
daemon to an unusual port simply doesn't do much.
(Me, I just disable password auth. Other effective approaches are
More information about the svlug