Educause Security Discussion mailing list archives

Re: Remote Access to Staff Desktops


From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Sat, 21 Feb 2009 23:43:04 -0500

On Fri, 20 Feb 2009 08:29:22 EST, Dexter Caldwell said:
I severely limit ssh access from off-campus, however, we have some legacy
systems where access is historical or where we've granted it.  We
constantly get ssh brute force attacks on these servers.  The best thing
I've done to shut this down is use an ssh brute force signature on the IPS
to terminate these attempts.  It's been quite successful and users haven't
noticed the change.

Something that *way* too few sites bother doing is restricting SSH access
up front, if possible.  We've had very good success on some of our systems
where only a few people needed ssh into the box, of restricting inbound with
iptables to only allow the 2 /16s of on-campus addresses, and then identifying
the /16 each person was likely to land in from their at-home cablemodem or
DSL line.  No ssh brute forces to worry about, because the chances of the
brute-forcer being in the same /16 as our user are vanishingly small...

This has the *added* benefit of *also* blocking any non-brute-force ssh attacks,
like if somebody finds a 0day.  Suddenly, the attacker has to be in one of the
3 or 4 /16s that can get to the box, and attacking from Moldavia or someplace
no longer works...

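The source allowlist described in the message above, as an added example that is not part of the original post: a POSIX shell dry run that prints the iptables commands for an SSH chain that accepts a few networks and drops everything else. The chain name SSH_ALLOW, the /8 floor on prefix length, and the three networks (reserved benchmarking and shared-address ranges standing in for the campus and home-ISP /16s) are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): print, without applying, the
# iptables commands for an SSH source allowlist with a final DROP.

# Succeeds only for a.b.c.d/len with octets 0-255 and len 8-32. The /8 floor
# is a choice made here so a typo such as 0.0.0.0/0 cannot open SSH to all.
valid_cidr() (
    case $1 in
        *[!0-9./]*|*/*/*|.*|*./*|*..*) exit 1 ;;
        */*) ;;
        *) exit 1 ;;
    esac
    ip=${1%/*} prefix=${1#*/}
    case $prefix in ''|*.*|???*) exit 1 ;; esac
    [ "$prefix" -ge 8 ] && [ "$prefix" -le 32 ] || exit 1
    IFS=.
    set -- $ip
    [ $# -eq 4 ] || exit 1
    for o in "$@"; do
        case $o in ''|????*) exit 1 ;; esac
        [ "$o" -le 255 ] || exit 1
    done
)

# Emits the rule set. The jump from INPUT is printed last so the chain is
# complete (ACCEPTs, then DROP) before any SSH packet is sent through it.
ssh_allowlist_rules() {
    [ $# -gt 0 ] || { echo "no networks given" >&2; return 1; }
    for net in "$@"; do
        valid_cidr "$net" || { echo "refusing bad network: $net" >&2; return 1; }
    done
    echo "iptables -N SSH_ALLOW"
    for net in "$@"; do
        echo "iptables -A SSH_ALLOW -s $net -j ACCEPT"
    done
    echo "iptables -A SSH_ALLOW -j DROP"
    echo "iptables -I INPUT -p tcp --dport 22 -j SSH_ALLOW"
}

# Constructed placeholder networks: two "campus" /16s and one "home ISP" /16.
ssh_allowlist_rules 198.18.0.0/16 198.19.0.0/16 100.64.0.0/16
```

An empty network list is refused rather than emitted, since a chain holding only the DROP rule would lock out every SSH user.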