Seconds are up to you. I think you can have a solid sshd server just by configuring it the right way:
PermitRootLogin no
AllowUsers userA userB userC
Protocol 2
LoginGraceTime 20s
MaxStartups 5
Banner /etc/ssh/sshd_banner
Most brute-force programs take 22 as the default and only port, so also change the default port.
The first thing I like to do is to add MD5 support to PAM applications, since this helps protect against dictionary cracks. Install libpam-cracklib and cracklib2, configure /etc/pam.d/login and /etc/pam.d/ssh, and add this to all other applications you want to protect:
password required pam_cracklib.so retry=3 minlen=12 difok=3
password required pam_unix.so use_authtok nullok md5
The first line loads the cracklib PAM module, which provides password strength-checking, prompts for a new password with a minimum length of 12 characters, a difference of at least 3 characters from the old password, and allows 3 retries.
To make sure that the user root can only log into the system from local terminals, the following line should be enabled in /etc/pam.d/login:
auth requisite pam_securetty.so
This restricts the system resources that users are allowed. For example, you could restrict the number of concurrent logins users may have.
Now edit /etc/pam.d/passwd and change the first line. You should add the option "md5" to use MD5 passwords, change the minimum length of password from 4 to 6 (or more) and set a maximum length, if you desire. The resulting line will look something like:
password required pam_unix.so nullok obscure min=6 max=11 md5
Imagine you only want to allow user 'ref' to login via ssh. So you put him into /etc/sshusers-allowed and write the following into /etc/pam.d/ssh:
auth required pam_listfile.so item=user sense=allow file=/etc/sshusers-allowed onerr=fail
Last, but not least, create /etc/pam.d/other and enter the following lines:
auth required pam_securetty.so
auth required pam_unix_auth.so
auth required pam_warn.so
auth required pam_deny.so
account required pam_unix_acct.so
account required pam_warn.so
account required pam_deny.so
password required pam_unix_passwd.so
password required pam_warn.so
password required pam_deny.so
session required pam_unix_session.so
session required pam_warn.so
session required pam_deny.so
These lines will provide a good default configuration for all applications that support PAM (access is denied by default).
Add this to login.defs:
FAIL_DELAY 10
If a wrong password is typed in, the possible attacker (or normal user!) has to wait for 10 seconds to get a new login prompt.
If you enable this variable, failed logins will be logged. It is important to keep track of them to catch someone who tries a brute force attack.
LOG_UNKFAIL_ENAB yes
If you set the variable "FAILLOG_ENAB" to yes, then you should also set this variable to yes:
SYSLOG_SU_ENAB yes
MD5_CRYPT_ENAB yes
As stated above, MD5 sum passwords greatly reduce the problem of dictionary attacks, since you can use longer passwords. Otherwise this is set in PAM.
PASS_MAX_LEN 50
If MD5 passwords are activated in your PAM configuration, then this variable should be set to the same value as used there.
Look at these links:
SSH Brute Force Attacks and Counter Measures
* http://isc.sans.org/diary.php?date=2004-11-04
* http://isc.sans.org/diary.php?date=2004-11-02
* http://isc.sans.org/diary.php?date=2004-09-11
* http://isc.sans.org/diary.php?date=2004-08-30
* http://isc.sans.org/diary.php?date=2004-08-29
* http://isc.sans.org/diary.php?date=2004-08-22
* http://seclists.org/lists/firewall-w.../Jun/0154.html
* http://www.counterpane.com/alert-cis20040910-1.html
* http://searchsecurity.techtarget.com...094140,00.html
* http://www.frsirt.com/exploits/08202004.brutessh2.c.php
Ok ?
Ciao !!!!!
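
Added example (not part of the original post, and not code from any project it mentions): a Python check that audits an sshd_config file against the sshd settings listed in the post. The sample config and the function names (parse, seconds, audit) are constructed for illustration; the thresholds default to the post's values (LoginGraceTime 20s, MaxStartups 5).

```python
import re

# Constructed sample sshd_config (not taken from the post).
SAMPLE = """\
Port 22
PermitRootLogin yes
permitrootlogin no
LoginGraceTime 2m
MaxStartups 10:30:60
Match User backup
    AllowUsers backup
"""
UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

def parse(text):
    """Collect global keywords (case-insensitive) in file order; stop at the
    first Match block, whose settings only apply to matching connections."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1) + [""]
        key, value = parts[0].lower(), parts[1]
        if key == "match":
            break
        conf.setdefault(key, []).append(value)
    return conf

def seconds(value):
    """Convert an sshd time value (20, 20s, 2m, 1h30m) to seconds."""
    return sum(int(n) * UNITS[u] for n, u in re.findall(r"(\d+)([smhdw]?)", value.lower()))

def audit(text, grace_max=20, startups_max=5):
    """Return the keywords where the file deviates from the post's settings."""
    conf = parse(text)
    first = lambda k: conf.get(k, [""])[0].lower()  # sshd uses the first value
    out = []
    if first("permitrootlogin") != "no":
        out.append("PermitRootLogin")
    if not first("allowusers"):
        out.append("AllowUsers")
    if first("protocol") not in ("", "2"):          # flag only if explicitly not 2
        out.append("Protocol")
    grace = seconds(first("logingracetime"))
    if grace == 0 or grace > grace_max:             # unset here, or 0 = no limit
        out.append("LoginGraceTime")
    full = first("maxstartups").split(":")[-1]      # start:rate:full -> hard cap
    if not full.isdigit() or int(full) > startups_max:
        out.append("MaxStartups")
    if first("banner") in ("", "none"):
        out.append("Banner")
    if "22" in conf.get("port", ["22"]):            # Port lines accumulate
        out.append("Port")
    return out
```

On a live host, the output of sshd -T (the effective configuration, defaults included) is a better input to audit() than the raw file.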