sshguard: protection for the OpenSSH service


Syngin
04-10-2007, 08:30 AM
Hi guys,

http://sourceforge.net/projects/sshguard/

Has anyone here had the opportunity to give sshguard a try? Sounds like a really good idea although it's still only in beta. Essentially it offers protection against brute force dictionary attacks by dynamically adding iptables rules to block IPs that have failed login x number of times and then unblocks them after x number of minutes.

I'd be interested in hearing anyone's feedback on this as dictionary attacks happen on every server I look after (pretty much every day).

Thanks.

ph34r
04-10-2007, 08:39 AM
Why not just go to key based authentication with passwords?

bwkaz
04-10-2007, 07:13 PM
Or (statically) firewall ssh down to the few IPs that it will be coming from? (Only if possible, of course.) There's not much point in letting the entire world connect to the service. ;)

Or better yet, firewall it down plus make it be public-key-only, no passwords (that's how both my ssh installations are set up), as ph34r said. The private keys for your public-key setup should be protected by passphrases, but with ssh-agent you can type in the passphrase once and keep it valid until you exit X. (Unless you don't trust whoever root is on your machine; then don't put the private key on that machine to begin with.)

You may get some temporary respite by moving ssh to a different port, too, but that's an ugly solution because (1) it depends on the current scanning only targeting port 22, which sounds like it may not be that big of a problem, but it's still an easy thing for the scanners to change, and (2) it makes it harder to legitimately connect from the outside (you have to remember the port number you moved it to).
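The two measures bwkaz recommends (public keys only, no passwords; port 22 reachable only from a short list of source addresses), written out as a small script. This is an added example, not bwkaz's own setup: the config path, the allowed networks and the sample sshd_config contents are placeholders. One detail worth knowing when editing sshd_config by script: sshd uses the first value it finds for a directive, so a hardened value appended at the end does nothing if a permissive copy sits above it; the function therefore strips existing copies before appending.

```shell
#!/bin/sh
# Added example (not from the thread): key-only sshd plus a static packet filter.
# Paths and networks are placeholders; substitute your own.

# harden_sshd_config FILE : make FILE accept public-key authentication only.
# sshd honours the FIRST occurrence of a directive, so earlier (even commented)
# copies are removed before the hardened values are appended.
harden_sshd_config() {
    f=$1
    for d in PubkeyAuthentication PasswordAuthentication ChallengeResponseAuthentication; do
        sed "/^[[:space:]]*#\{0,1\}[[:space:]]*$d[[:space:]]/d" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    done
    cat >> "$f" <<'EOF'
# --- key-only authentication (appended by harden_sshd_config) ---
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
EOF
}

# effective_setting FILE DIRECTIVE : print the value sshd will actually use
# (first match wins), or "(default)" if the directive is not set at all.
effective_setting() {
    awk -v d="$2" 'tolower($1) == tolower(d) { print $2; found = 1; exit }
                   END { if (!found) print "(default)" }' "$1"
}

# ssh_firewall_rules NET... : print iptables rules that admit port 22 only from NET...
# and drop everything else aimed at sshd. Printed, not applied; feed to sh as root.
ssh_firewall_rules() {
    for net in "$@"; do
        echo "iptables -A INPUT -p tcp --dport 22 -s $net -m state --state NEW -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp --dport 22 -j DROP"
}

# Demo on a throwaway file with a deliberately weak (constructed) configuration.
demo=$(mktemp)
printf 'Port 22\nPasswordAuthentication yes\n#PubkeyAuthentication yes\n' > "$demo"
echo "before: PasswordAuthentication = $(effective_setting "$demo" PasswordAuthentication)"
harden_sshd_config "$demo"
echo "after:  PasswordAuthentication = $(effective_setting "$demo" PasswordAuthentication)"
ssh_firewall_rules 192.0.2.0/24 198.51.100.5     # placeholder networks
rm -f "$demo"
```

Run it on a copy of the real file, check `effective_setting` for the three directives, then `sshd -t` before reloading. For the ssh-agent part of the post, the usual sequence is `eval "$(ssh-agent -s)"` followed by `ssh-add ~/.ssh/id_rsa`, which asks for the passphrase once per session.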

Syngin
04-17-2007, 09:27 AM
Key-based authentication might be just the thing. I just recently started playing around with this with an OpenVPN server I set up.

Locking access down to a few IPs wouldn't work for me though as I access these servers from all over. I'm a bit of a wireless hotspot person.

techwise
04-17-2007, 11:58 AM
Key-based auth is great. However it does nothing to actually stop the attempts, which in some cases can be very bandwidth-intensive. I have 5 or so servers all with SSH running and only allowing key-based auth but when you get bots hitting each box all day long... it has hosed my router in the past.

I use "DenyHosts" which does the same thing as sshguard only it uses the hosts file instead of iptables.

It made all the difference. 3 failed attempts and the ip is blocked.
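The mechanism behind both sshguard (as Syngin describes it: count failures per IP, block via iptables) and DenyHosts (techwise's "3 failed attempts and the IP is blocked"), reduced to a few lines of awk over sshd log lines. This is an added illustration, not code from either project: the log lines are constructed, the threshold of 3 and the IPv6 handling are my choices, and the block actions are only printed, never applied.

```shell
#!/bin/sh
# Added example: failed-login counting over sshd log lines, printing the block
# action in the two forms the thread mentions (iptables rule / hosts.deny line).
# Assumes syslog-format OpenSSH "Failed password" lines on stdin. Nothing is executed.

# Constructed sample log, not a real capture (RFC 5737 / 3849 documentation addresses).
SAMPLE_LOG='Apr 17 11:50:01 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51011 ssh2
Apr 17 11:50:03 web1 sshd[2203]: Failed password for invalid user oracle from 203.0.113.7 port 51012 ssh2
Apr 17 11:50:05 web1 sshd[2205]: Failed password for root from 203.0.113.7 port 51013 ssh2
Apr 17 11:51:10 web1 sshd[2210]: Failed password for bob from 198.51.100.23 port 40222 ssh2
Apr 17 11:51:20 web1 sshd[2211]: Accepted publickey for bob from 198.51.100.23 port 40223 ssh2
Apr 17 11:52:00 web1 sshd[2220]: Failed password for invalid user test from 2001:db8::9 port 60001 ssh2
Apr 17 11:52:01 web1 sshd[2221]: Failed password for invalid user test from 2001:db8::9 port 60002 ssh2
Apr 17 11:52:02 web1 sshd[2222]: Failed password for invalid user test from 2001:db8::9 port 60003 ssh2'

# offending_ips [THRESHOLD] < log : one "IP COUNT" line per source with >= THRESHOLD failures
offending_ips() {
    awk -v limit="${1:-3}" '
        /sshd\[[0-9]+\]: Failed password for/ {
            # the source address is the token following "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i+1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= limit) print ip, fails[ip] }
    ' | sort
}

# block_rules [THRESHOLD] < log : the commands an iptables-based blocker (sshguard) would run
block_rules() {
    offending_ips "$1" | while read -r ip count; do
        case $ip in
            *:*) echo "ip6tables -I INPUT -s $ip -j DROP   # $count failures" ;;
            *)   echo "iptables -I INPUT -s $ip -j DROP    # $count failures" ;;
        esac
    done
}

# deny_lines [THRESHOLD] < log : what a TCP-wrappers-based blocker (DenyHosts) appends
# to /etc/hosts.deny. tcp_wrappers writes IPv6 addresses in square brackets.
deny_lines() {
    offending_ips "$1" | while read -r ip _; do
        case $ip in
            *:*) echo "sshd: [$ip]" ;;
            *)   echo "sshd: $ip" ;;
        esac
    done
}

printf '%s\n' "$SAMPLE_LOG" | block_rules 3
printf '%s\n' "$SAMPLE_LOG" | deny_lines 3
```

198.51.100.23 fails once and then logs in with a key, so it is left alone; the two sources with three failures are listed. Real tools add what this sketch leaves out: a sliding time window rather than a lifetime count, and the timed unblock Syngin mentions (removing the rule again after x minutes), which is also what keeps a mistyped passphrase from locking you out for good.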

Devsforev
04-17-2007, 01:00 PM
Syngin, on my server, I use key-based authentication with passwords, in addition to port knocking. In order to access my server from a new IP address, I first have to "knock" a series of ports, and then knockd will create a new firewall rule in iptables to allow that IP address. All other IPs (except those I have knocked from) are blocked. I can later use another knock to remove that IP from iptables, thus blocking it again.

It's not the most foolproof solution (somebody could sniff packets for instance and get my knock string) but it absolutely eliminates dictionary attacks and other similar methods.

Google "knockd" if you are interested in this method.
Take it easy,
-- Devsforev
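A knockd configuration for the open/close scheme Devsforev describes, plus a client that sends the knock with nc when the knock(1) program is not installed. This is an added example, not Devsforev's actual setup: the port sequences, timeout and log path are illustrative placeholders, and the iptables commands assume port 22 is otherwise dropped (the `-I` inserts the ACCEPT ahead of that DROP).

```shell
#!/bin/sh
# Added example (not from the thread): knockd.conf for open/close knocks and an nc-based client.
# Ports, timeout and paths are placeholders.

# write_knockd_conf FILE : write a knockd.conf with one opening and one closing sequence.
# %IP% is replaced by knockd with the knocking client's address.
write_knockd_conf() {
    cat > "$1" <<'EOF'
[options]
    logfile = /var/log/knockd.log

[openSSH]
    sequence    = 7000,8000,9000
    seq_timeout = 5
    tcpflags    = syn
    command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT

[closeSSH]
    sequence    = 9000,8000,7000
    seq_timeout = 5
    tcpflags    = syn
    command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
EOF
}

# knock_sequence FILE SECTION : print SECTION's port sequence from FILE, space separated
knock_sequence() {
    awk -v s="[$2]" '$0 == s { in_s = 1; next }
                     /^\[/   { in_s = 0 }
                     in_s && $1 == "sequence" { gsub(/,/, " ", $3); print $3; exit }' "$1"
}

# send_knock HOST PORT... : send one connection attempt (and so one SYN) to each port in
# order. The ports are closed, so "connection refused" is the expected result; knockd
# only needs to see the SYNs arrive in sequence within seq_timeout.
send_knock() {
    host=$1; shift
    for p in "$@"; do
        nc -z -w 1 "$host" "$p" 2>/dev/null || true
        sleep 1
    done
}

# Demo: generate the config into a temporary file and show both sequences.
demo=$(mktemp)
write_knockd_conf "$demo"
echo "open:  $(knock_sequence "$demo" openSSH)"
echo "close: $(knock_sequence "$demo" closeSSH)"
rm -f "$demo"
```

Usage from a new location: `send_knock server.example.com $(knock_sequence knockd.conf openSSH)`, then `ssh`, and `send_knock server.example.com $(knock_sequence knockd.conf closeSSH)` when done. The sniffing weakness Devsforev mentions is real for a fixed sequence; knockd's `one_time_sequences` option, which reads each sequence from a file and crosses it off after use, is the usual answer to replay.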

bwkaz
04-17-2007, 06:30 PM
[...] which in some cases can be very bandwidth intense. [...] it has hosed my router in the past.

I use "DenyHosts" which does the same thing as sshguard only it uses the hosts file instead of iptables.

Then the packets are still going through this router, and they'll still crash it if too many bots try to log in. Right? Or am I missing something obvious? ;)