From: "Darren Pilgrim"
To: "'Antony Mawer'", "'Chris Ryan'"
Cc: 'Frankye - ML', freebsd-security@freebsd.org
Date: Sat, 25 Sep 2004 17:51:55 -0700
Subject: RE: Attacks on ssh port
Message-ID: <001001c4a363$07f6c880$162a15ac@spud>
In-Reply-To: <414CE5E8.6000103@mawer.org>

> -----Original Message-----
> From: owner-freebsd-security@freebsd.org
> [mailto:owner-freebsd-security@freebsd.org] On Behalf Of Antony Mawer
> Sent: Saturday, September 18, 2004 6:51 PM
> To: Chris Ryan
> Cc: Frankye - ML; freebsd-security@freebsd.org
> Subject: Re: Attacks on ssh port
>
> Chris Ryan wrote:
> > protection - with the appropriate active firewall that
> > blocks their IP address after x failed attempts
> > permanently....
>
> Has anyone found any good scripts or utilities for automating this kind
> of thing? I too have been subject to these probings, and my initial
> thought was to firewall off any address after any number of incorrect
> attempts.
>
> While I could write a script to parse the ipfilter logs, I didn't want
> to go re-inventing the wheel for something which I was sure someone
> would have already attempted.
>
> Anyone have any suggestions?

There are three factors: wasted bandwidth, a successful intrusion and log noise.

Filtering mitigates bandwidth wastage. But unless you can place the filter out at the point where the Big Fat Pipe feeds into your comparatively small pipe (i.e., the ISP's router), it's pointless--the scans will still eat your bandwidth. IP filtering is at best a tertiary security measure. It should not replace proper configuration and maintenance, which is what you're seeking to accomplish.

Check out the DenyUsers sshd_config keyword. With it OpenSSH will block any login attempt with an account listed by DenyUsers. DenyUsers-listed accounts produce logging sooner (upon receipt of the username, rather than after four bad passwords) and have different log entries than normal password failures. Cutting down the log noise is then a simple matter of adding a filter to 800.loginfail or whatever else you may be using to read auth.log.
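As an added example, not part of the original thread, the Python script below shows the distinction Darren describes: it classifies auth.log lines into DenyUsers rejections versus ordinary password failures, counts both per source address, and filters the DenyUsers lines out so a report such as 800.loginfail shows only genuine password failures. The two message formats are OpenSSH's own; the sample log lines, hostname and addresses are constructed, and the DenyUsers entries assume an sshd_config line such as `DenyUsers root admin`.

```python
import re
from collections import Counter

# Constructed auth.log excerpt (hostname and addresses are made up).
# Line 1 is what sshd logs when DenyUsers matches: it fires as soon as the
# username arrives. Lines 2-3 are ordinary password failures, logged once
# per bad password. Line 4 is a successful login and is not a failure.
SAMPLE_LOG = [
    "Sep 25 17:40:01 host sshd[1234]: User root from 203.0.113.7 "
    "not allowed because listed in DenyUsers",
    "Sep 25 17:40:03 host sshd[1235]: Failed password for invalid user admin "
    "from 203.0.113.7 port 51234 ssh2",
    "Sep 25 17:40:05 host sshd[1236]: Failed password for darren "
    "from 198.51.100.4 port 51235 ssh2",
    "Sep 25 17:40:06 host sshd[1237]: Accepted publickey for darren "
    "from 198.51.100.4 port 51236 ssh2",
]

# Patterns for the two OpenSSH messages the post distinguishes.
DENYUSERS_RE = re.compile(
    r"sshd\[\d+\]: User (?P<user>\S+) from (?P<ip>\S+) "
    r"not allowed because listed in DenyUsers"
)
FAILED_PW_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def classify(line):
    """Return (kind, user, ip) for a DenyUsers rejection or a password
    failure, or None for any other line."""
    m = DENYUSERS_RE.search(line)
    if m:
        return ("denyusers", m.group("user"), m.group("ip"))
    m = FAILED_PW_RE.search(line)
    if m:
        return ("failed_password", m.group("user"), m.group("ip"))
    return None


def summarize(lines):
    """Count events by kind and by source address; returns two Counters."""
    by_kind = Counter()
    by_ip = Counter()
    for line in lines:
        event = classify(line)
        if event is None:
            continue
        kind, _user, ip = event
        by_kind[kind] += 1
        by_ip[ip] += 1
    return by_kind, by_ip


def suppress_denyusers(lines):
    """The filter the post suggests: drop DenyUsers rejections so only real
    password failures remain in the daily report."""
    return [line for line in lines if DENYUSERS_RE.search(line) is None]


if __name__ == "__main__":
    by_kind, by_ip = summarize(SAMPLE_LOG)
    print("events by kind:", dict(by_kind))
    print("events by source address:", dict(by_ip))
    print("report lines after suppressing DenyUsers noise:")
    for line in suppress_denyusers(SAMPLE_LOG):
        print("  " + line)
```

To run this against a real file, replace `SAMPLE_LOG` with the lines of `/var/log/auth.log`; the per-address counter is what a blocking policy would key on, while the suppressed list is what you would want a periodic report to show.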