I don't know of any exit points for the SSH daemon. What we use is an IPS module in our firewall. It detects the attack profiles and just starts dropping the packets at the edge of our network. Our internal systems never see the attacks.
But if you cannot change or upgrade your firewall to add that capacity, I would look for exit points for the SSH daemon.
Chris Bipes
Director of Information Services
CrossCheck, Inc.
-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Aaron Bartell
Sent: Thursday, February 11, 2016 7:29 AM
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
Subject: Block SSH brute force
I have a machine that consistently has high CPU for SSH jobs(n3) so I set
up logging(n1) to find the culprit. Turns out China is working overtime to
get into this machine. SSH is configured to require keys and disallow
passwords (and other sshd_config settings) so I am not too concerned about
a breach(n2), but the CPU consumption is annoying.
I have a vCloud network appliance sitting in front of the IBM i and
configured a DENY rule for the specific China IP address, but at the end of
the day I still need to allow SSH from a variety of IP addresses.
Are there ways, on IBM i, to automatically blacklist IP addresses that
attempt to log in with "root"?
What do others employ to stop this in a more automatic fashion?
n1 -
http://bit.ly/N1014301
n2 - with the exception of the most recent vulnerabilities
n3...
Work with Active Jobs
02/11/16
CPU %: 16.6 Elapsed time: 00:00:00 Active jobs: 205
Current
Opt Subsystem/Job User Type CPU % Function Status
QP0ZSPWP QSECOFR BCI 13.8 PGM-sshd RUN
Aaron Bartell
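One way to automate the blacklisting asked about in this thread, as an added example that is not part of the original messages: scan the sshd log for rejected "root" logins and list the source addresses that cross a threshold. The log line formats, the function name root_offenders, the threshold and the allow-listed network are assumptions, and the sample log is constructed.

```python
import ipaddress
import re
from collections import Counter

# Message shapes OpenSSH's sshd commonly logs for rejected logins. Wording varies
# with sshd version and LogLevel, so these patterns are assumptions to adjust.
PID = re.compile(r"sshd\[(\d+)\]")
PATTERNS = [
    re.compile(r"Failed \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"),
    re.compile(r"Invalid user (?P<user>\S+) from (?P<ip>\S+)"),
    re.compile(r"Connection closed by (?:authenticating|invalid) user (?P<user>\S+) (?P<ip>\S+) port"),
]

# Constructed sample log (documentation address ranges, hypothetical host and user).
SAMPLE_LOG = """\
Feb 11 07:01:02 host sshd[4101]: Invalid user root from 203.0.113.5
Feb 11 07:01:02 host sshd[4101]: Connection closed by invalid user root 203.0.113.5 port 40122 [preauth]
Feb 11 07:01:05 host sshd[4102]: Invalid user root from 203.0.113.5
Feb 11 07:01:09 host sshd[4103]: Failed publickey for invalid user root from 203.0.113.5 port 40130 ssh2
Feb 11 07:02:00 host sshd[4110]: Invalid user root from 203.0.113.9
Feb 11 07:02:04 host sshd[4111]: Invalid user root from 203.0.113.9
Feb 11 07:03:00 host sshd[4120]: Invalid user admin from 192.0.2.7
Feb 11 07:03:01 host sshd[4121]: Invalid user admin from 192.0.2.7
Feb 11 07:03:02 host sshd[4122]: Invalid user admin from 192.0.2.7
Feb 11 07:04:00 host sshd[4130]: Invalid user root from 198.51.100.20
Feb 11 07:04:01 host sshd[4131]: Invalid user root from 198.51.100.20
Feb 11 07:04:02 host sshd[4132]: Invalid user root from 198.51.100.20
Feb 11 07:05:00 host sshd[4140]: Accepted publickey for appuser from 198.51.100.20 port 51000 ssh2
""".splitlines()

def root_offenders(lines, threshold=3, allow=("198.51.100.0/24",), user="root"):
    """Return source IPs with >= threshold rejected logins as `user`."""
    allowed = [ipaddress.ip_network(n) for n in allow]
    attempts = set()  # (ip, sshd pid): a connection logged twice counts once
    for line in lines:
        pid = PID.search(line)
        hit = next((m for p in PATTERNS if (m := p.search(line))), None)
        if not pid or not hit or hit.group("user") != user:
            continue
        try:
            ip = ipaddress.ip_address(hit.group("ip"))
        except ValueError:
            continue  # not a literal address, skip the line
        if not any(ip in net for net in allowed):
            attempts.add((ip, pid.group(1)))  # allow-listed sources never qualify
    counts = Counter(ip for ip, _ in attempts)
    return sorted(str(ip) for ip, n in counts.items() if n >= threshold)

print(root_offenders(SAMPLE_LOG))
```

The returned list is what would be fed to a DENY rule on the appliance in front of the system; keeping the allow list to the networks that legitimately need SSH avoids locking out known sources.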