Just in case you are interested in statistics, I have been running
Fail2Ban since May 2010 and since then I've had around 6.5k emails
informing me that an address has been blocked, or about 9 attempts per
*day*.

I think your customers would be a lot more likely to install Fail2Ban
if they knew just how common this sort of attack was.

James

On Thu, 10 May 2012 16:23:31 +0000
Andy Smith <andy@???> wrote:
> Hello,
>
> It's been a while since I last posted a reminder about protecting
> against SSH dictionary attacks.
>
> http://lists.bitfolk.com/lurker/message/20100314.085112.f5be7da9.en.html
>
> The problem of course has not gone away and since then there have
> been many more compromises that could have been easily avoided.
>
> So, please, if you are running sshd on port 22 and allowing password
> authentication, please consider taking some steps to protect
> yourself. It can very easily happen to you, and aside from the
> damage it can cause to other hosts on the Internet it risks
> significant downtime for your own services.
>
> I wrote up some more info from previous discussions:
>
> https://tools.bitfolk.com/wiki/Protecting_against_SSH_dictionary_attacks
>
> If you have further input please do feel free to add to the above
> wiki article.
>
> Cheers,
> Andy
>