Date: Sat, 25 Sep 2004 17:51:55 -0700 From: "Darren Pilgrim" <dmp@bitfreak.org> To: "'Antony Mawer'" <fbsd-security@mawer.org>, "'Chris Ryan'" <chrisryanemail@yahoo.com.au> Cc: freebsd-security@freebsd.org Subject: RE: Attacks on ssh port Message-ID: <001001c4a363$07f6c880$162a15ac@spud> In-Reply-To: <414CE5E8.6000103@mawer.org>
> -----Original Message-----
> From: owner-freebsd-security@freebsd.org
> [mailto:owner-freebsd-security@freebsd.org] On Behalf Of Antony Mawer
> Sent: Saturday, September 18, 2004 6:51 PM
> To: Chris Ryan
> Cc: Frankye - ML; freebsd-security@freebsd.org
> Subject: Re: Attacks on ssh port
>
>
> Chris Ryan wrote:
> > protection - with the appropriate active firewall that
> > blocks their IP address after x failed attempts
> > permanently....
>
> Has anyone found any good scripts or utilities for automating this kind
> of thing? I too have been subject to these probings, and my initial
> thought was to firewall off any address after any number of incorrect
> attempts.
>
> While I could write a script to parse the ipfilter logs, I didn't want
> to go re-inventing the wheel for something which I was sure someone
> would have already attempted.
>
> Anyone have any suggestions?

There are three factors: wasted bandwidth, a successful intrusion and log noise.

Filtering mitigates bandwidth wastage. But unless you can place the filter out at the point where the Big Fat Pipe feeds into your comparatively small pipe (i.e., the ISP's router), it's pointless--the scans will still eat your bandwidth.

IP filtering is at best a tertiary security measure. It should not replace proper configuration and maintenance, which is what you're seeking to accomplish.

Check out the DenyUsers sshd_config keyword. With it OpenSSH will block any login attempt with an account listed by DenyUsers. DenyUsers-listed accounts produce logging sooner (upon receipt of the username, rather than after four bad passwords) and have different log entries than normal password failures. Cutting down the log noise is then a simple matter of adding a filter to 800.loginfail or whatever else you may be using to read auth.log.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?001001c4a363$07f6c880$162a15ac>
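The log-splitting step described in Darren's reply, as an added example that is not part of the original message or of any FreeBSD periodic script: a small sh script that separates the DenyUsers rejections (logged by sshd as "User X from Y not allowed because listed in DenyUsers") from ordinary "Failed password" entries, and lists the addresses that tripped DenyUsers repeatedly. The log lines, hostnames, addresses and usernames are constructed sample data; the threshold and the idea of feeding the resulting addresses to a firewall table are assumptions, not something the post prescribes.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes sshd_config carries
# something like:
#     DenyUsers root admin test
# so that those accounts are rejected as soon as the username arrives and
# produce the "listed in DenyUsers" log line instead of password failures.

# Constructed sample of /var/log/auth.log; message formats are OpenSSH's,
# addresses and names are made up.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Sep 25 17:40:01 spud sshd[2041]: User root from 192.0.2.10 not allowed because listed in DenyUsers
Sep 25 17:40:05 spud sshd[2044]: User admin from 192.0.2.10 not allowed because listed in DenyUsers
Sep 25 17:40:09 spud sshd[2050]: Failed password for invalid user test from 198.51.100.7 port 3321 ssh2
Sep 25 17:40:12 spud sshd[2050]: Failed password for invalid user test from 198.51.100.7 port 3321 ssh2
Sep 25 17:40:20 spud sshd[2055]: Failed password for dmp from 203.0.113.5 port 51022 ssh2
Sep 25 17:41:00 spud sshd[2060]: Accepted publickey for dmp from 203.0.113.5 port 51023 ssh2
EOF

# Print "count address" for each source that hit a DenyUsers-listed account,
# most frequent first. These are the entries to filter out of the daily
# login-failure report: they were refused before any password was tried.
denyusers_sources() {
    grep 'not allowed because listed in DenyUsers' "$1" \
      | sed -E 's/.*User [^ ]+ from ([^ ]+) not allowed.*/\1/' \
      | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Print "count address" for ordinary password failures, i.e. the noise that
# remains once DenyUsers has taken the obvious probe accounts out of play.
password_failure_sources() {
    grep 'Failed password for' "$1" \
      | sed -E 's/.*from ([^ ]+) port.*/\1/' \
      | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Addresses that tripped DenyUsers at least $2 times. If you do decide to
# firewall scanners anyway, this is the list you would feed to ipf/pf
# (assumed usage; the post itself argues filtering is only a tertiary measure).
denyusers_repeat_offenders() {
    denyusers_sources "$1" | awk -v n="$2" '$1 >= n {print $2}'
}

echo "== DenyUsers rejections by source =="
denyusers_sources "$SAMPLE_LOG"
echo "== Password failures by source =="
password_failure_sources "$SAMPLE_LOG"
echo "== Sources with >= 2 DenyUsers rejections =="
denyusers_repeat_offenders "$SAMPLE_LOG" 2
```

Run it against the real file by replacing the heredoc with `SAMPLE_LOG=/var/log/auth.log`; the DenyUsers line is matched on the fixed phrase sshd logs, so it survives changes in syslog prefix format. Successful logins ("Accepted ...") are deliberately ignored by both filters.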
