[BlueOnyx:23883] Re: 5209r question about dictionary attacks

Michael Stauber mstauber at blueonyx.it
Fri May 22 13:11:32 -05 2020


Hi Barry,

> I have a question regarding dictionary attacks to the sshd on my 5209r system.
> In recent months, the former 25 kB daily "logwatch" started to grow to somewhere
> between 300 and 600 kB.  Now, in recent weeks, it has gotten as high as 2700 kB.
> 
> We have set the ftp setting that only allows access from the US, but that seems
> to have just increased the attacks in recent weeks.
> 
> While I should be pleased the BlueOnyx system appears to be holding secure, 
> is there possibly a setting I've missed that would deal with multiple efforts to log in 
> from the same IP block with different names and either time limit or block the IP block?

Yes, there are means available that detect and block such attempts.
These aren't perfect, but sure can help a lot.

I recommend Fail2ban and APF from the BlueOnyx shop. They're available
for 5209R and 5210R.

Fail2ban detects these attacks and then uses APF (or on 5210R optionally
Firewalld) to block the offending IPs temporarily.

Please note: When you buy APF in the shop and link it to a 5210R, then
it gives you two options for the install: APF and Firewalld. In that
case I recommend using Firewalld, which has slightly fewer features
than APF, but better performance.

-- 
With best regards

Michael Stauber
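
Added example, not part of the original message and not Fail2ban or BlueOnyx code: a sketch of the detect-then-block idea discussed above, counting failed sshd logins per /24 block inside a time window, which is the per-block grouping the question asks about. The log lines are constructed, and the threshold, window, year and the function name `blocks_to_ban` are assumptions chosen for illustration.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the usual OpenSSH syslog format (documentation IP ranges).
SAMPLE_LOG = """\
May 22 13:00:01 host sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 40112 ssh2
May 22 13:00:09 host sshd[2102]: Failed password for invalid user oracle from 203.0.113.77 port 40230 ssh2
May 22 13:00:15 host sshd[2103]: Failed password for root from 203.0.113.140 port 40388 ssh2
May 22 13:00:21 host sshd[2104]: Failed password for invalid user test from 203.0.113.5 port 40490 ssh2
May 22 13:00:30 host sshd[2105]: Accepted password for barry from 198.51.100.20 port 51000 ssh2
May 22 13:02:00 host sshd[2106]: Failed password for barry from 198.51.100.20 port 51022 ssh2
May 22 13:40:00 host sshd[2107]: Failed password for invalid user guest from 192.0.2.9 port 33000 ssh2
May 22 14:30:00 host sshd[2108]: Failed password for invalid user ftp from 192.0.2.200 port 33100 ssh2
"""

FAILED = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
                    r"Failed password for (?:invalid user )?(\S+) from (\d+(?:\.\d+){3}) ")

def blocks_to_ban(log_text, max_failures=3, window=timedelta(minutes=10), year=2020):
    """Return {network: sorted usernames} for each /24 that reaches max_failures inside window."""
    recent = defaultdict(deque)   # /24 network -> (timestamp, username) pairs still inside the window
    flagged = {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue              # successful logins and unrelated lines are ignored
        # syslog timestamps carry no year; the year is an assumption passed in by the caller
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        net = ipaddress.ip_network(f"{m.group(3)}/24", strict=False)
        hits = recent[net]
        hits.append((when, m.group(2)))
        while when - hits[0][0] > window:   # drop failures older than the window
            hits.popleft()
        if len(hits) >= max_failures:
            flagged.setdefault(net, set()).update(user for _, user in hits)
    return {str(net): sorted(users) for net, users in flagged.items()}

if __name__ == "__main__":
    for net, users in blocks_to_ban(SAMPLE_LOG).items():
        print(f"ban {net}: tried {', '.join(users)}")
```

A single mistyped password from a legitimate user (198.51.100.20 in the sample) and two failures 50 minutes apart (192.0.2.0/24) stay below the threshold, so only the block cycling through usernames is reported.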


