Date: Tue, 6 May 2008 15:21:55 -0700 From: Doug Hardie <bc979@lafn.org> To: Randy Ramsdell <rramsdell@livedatagroup.com> Cc: freebsd-questions <freebsd-questions@freebsd.org> Subject: Re: [SSHd] Increasing wait time? Message-ID: <B9055774-BFA9-475E-802D-6AC3A25371CD@lafn.org> In-Reply-To: <4820CC8F.7010507@livedatagroup.com> References: <q7412457qoumm8v8dbth10fug2ctbrlfp0@4ax.com> <200805060931.18936.beech@freebsd.org> <20080506173912.GB85015@Grumpy.DynDNS.org> <48209BFF.6090607@livedatagroup.com> <EA6F2FDA-706D-4A9F-A582-551642822693@lafn.org> <4820CC8F.7010507@livedatagroup.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On May 6, 2008, at 14:24, Randy Ramsdell wrote: > Doug Hardie wrote: >> >> On May 6, 2008, at 10:57, Randy Ramsdell wrote: >> >>> David Kelly wrote: >>>> On Tue, May 06, 2008 at 09:31:15AM -0800, Beech Rintoul wrote: >>>> >>>>>> Is there a way to configure SSHd, so that the wait time between >>>>>> login attempts increases after X failed tries? >>>>>> >>>>> Not that I know of. You should look into denyhosts (in the >>>>> ports) it >>>>> works well and even has a RBL feature to block some of these >>>>> script >>>>> kiddies proactively. Unfortunately, these attempts have become a >>>>> fact >>>>> of life. I probably get 20 - 30 attempts a day between my various >>>>> servers. >>>>> >>>> >>>> Depending on how you use ssh from external systems you could add >>>> firewall rules to disallow all but known sources. >>>> >>>> >>> I used portsentry several years ago which is a realtime portscan >>> blocker. It would trigger on this type of ssh portscan for sure. >>> One problem is that it blocks using firewall rules, hosts.deny >>> etc... and would have to be actively maintained. Meaning: I >>> cleaned these entries once a week. I am not sure it is ported to >>> BSD either. >> >> Another option is to change the port SSH uses to some very unusual >> port. I do this on all the systems I use and change the port >> settings in ssh.conf and sshd.conf. This approach works if you >> don't have lots of users using SSH as it does require some >> sophistication to work with it. Since I have only 3 people who can >> use SSH it works great for me. >> _______________________________________________ >> freebsd-questions@freebsd.org mailing list >> http://lists.freebsd.org/mailman/listinfo/freebsd-questions >> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org >> " > Yeah this also works well. I just shy away from security through > obscurity. However, I also moved ssh to port 40001 or so and > monitored SYN packets. I never logged an attempt to log in accept > auth'd users. It was never port scanned for ssh specific either. Security by obscurity is not the goal here. If the sshd setup is not secure, it doesn't matter what port you use. Eventually someone will find it. What changing the port does is eliminate the logging of thousands of stupid attempts to break in. You can also raise the logging level in syslog to something above where those are logged but you might miss some important messages that way.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?B9055774-BFA9-475E-802D-6AC3A25371CD>