From owner-freebsd-questions@FreeBSD.ORG  Fri Oct  9 21:56:25 2009
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 50C7A106568D
	for <freebsd-questions@freebsd.org>;
	Fri,  9 Oct 2009 21:56:25 +0000 (UTC)
	(envelope-from m.seaman@infracaninophile.co.uk)
Received: from smtp.infracaninophile.co.uk (gate6.infracaninophile.co.uk
	[IPv6:2001:8b0:151:1::1])
	by mx1.freebsd.org (Postfix) with ESMTP id DD3C18FC23
	for <freebsd-questions@freebsd.org>;
	Fri,  9 Oct 2009 21:56:24 +0000 (UTC)
Received: from happy-idiot-talk.infracaninophile.co.uk (localhost [IPv6:::1])
	(authenticated bits=0)
	by smtp.infracaninophile.co.uk (8.14.3/8.14.3) with ESMTP id
	n99LuI38010904; Fri, 9 Oct 2009 22:56:19 +0100 (BST)
	(envelope-from m.seaman@infracaninophile.co.uk)
X-DKIM: Sendmail DKIM Filter v2.8.3 smtp.infracaninophile.co.uk n99LuI38010904
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;
	d=infracaninophile.co.uk; s=200708; t=1255125380;
	bh=XHjnjviQVwEzCORc539V/erHCjskZ1NipuoyrdXyWaE=;
	h=Message-ID:Date:From:MIME-Version:To:CC:Subject:References:
	In-Reply-To:Content-Type:Cc:Content-Type:Date:From:In-Reply-To:
	Message-ID:Mime-Version:References:To;
	z=Message-ID:=20<4ACFB17A.1080400@infracaninophile.co.uk>|Date:=20F
	ri,=2009=20Oct=202009=2022:56:10=20+0100|From:=20Matthew=20Seaman=
	20<m.seaman@infracaninophile.co.uk>|Organization:=20Infracaninophi
	le|User-Agent:=20Thunderbird=202.0.0.23=20(X11/20090823)|MIME-Vers
	ion:=201.0|To:=20Aflatoon=20Aflatooni=20<aaflatooni@yahoo.com>|CC:
	=20freebsd-questions@freebsd.org|Subject:=20Re:=20Security=20block
	ing=20question|References:=20<526808.11391.qm@web56207.mail.re3.ya
	hoo.com>|In-Reply-To:=20<526808.11391.qm@web56207.mail.re3.yahoo.c
	om>|X-Enigmail-Version:=200.95.6|Content-Type:=20multipart/signed=
	3B=20micalg=3Dpgp-sha256=3B=0D=0A=20protocol=3D"application/pgp-si
	gnature"=3B=0D=0A=20boundary=3D"------------enig9C0AEC100DF7D6E170
	A59B84";
	b=f1tUHsYwxWCdYiSctpCZLQ+lgPSo+LQGCWb/4qdv7G/8DS4Q2zpCD15wjszedYakT
	HGitRThw87tLBFZrEaY8uPZK2U9gJdrVHZeNPxC2VmarHKFDOMiOGgdtgNzxDkXAgQ
	tYFQFUym/vMAROeC0psEt39d75i70+Ma/eB5QqIM=
X-Authentication-Warning: happy-idiot-talk.infracaninophile.co.uk: Host
	localhost [IPv6:::1] claimed to be
	happy-idiot-talk.infracaninophile.co.uk
Message-ID: <4ACFB17A.1080400@infracaninophile.co.uk>
Date: Fri, 09 Oct 2009 22:56:10 +0100
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
Organization: Infracaninophile
User-Agent: Thunderbird 2.0.0.23 (X11/20090823)
MIME-Version: 1.0
To: Aflatoon Aflatooni <aaflatooni@yahoo.com>
References: <526808.11391.qm@web56207.mail.re3.yahoo.com>
In-Reply-To: <526808.11391.qm@web56207.mail.re3.yahoo.com>
X-Enigmail-Version: 0.95.6
Content-Type: multipart/signed; micalg=pgp-sha256;
	protocol="application/pgp-signature";
	boundary="------------enig9C0AEC100DF7D6E170A59B84"
X-Virus-Scanned: clamav-milter 0.95.2 at
	happy-idiot-talk.infracaninophile.co.uk
X-Virus-Status: Clean
X-Spam-Status: No, score=-3.0 required=5.0 tests=AWL,BAYES_00,DKIM_SIGNED,
	DKIM_VERIFIED,NO_RELAYS autolearn=ham version=3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	happy-idiot-talk.infracaninophile.co.uk
Cc: freebsd-questions@freebsd.org
Subject: Re: Security blocking question
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Oct 2009 21:56:25 -0000

This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
--------------enig9C0AEC100DF7D6E170A59B84
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: quoted-printable

Aflatoon Aflatooni wrote:
> Hi,
> The production server that has a public IP address has SSH enabled. Thi=
s server is continuously under dictionary attack:
> Oct  8 12:58:40 seven sshd[32248]: Invalid user europa from 83.65.199.9=
1
> Oct  8 12:58:40 seven sshd[32250]: Invalid user hacked from 83.65.199.9=
1
> Oct  8 12:58:40 seven sshd[32251]: Invalid user cop\r from 83.65.199.91=

> Oct  8 12:58:41 seven sshd[32254]: Invalid user gel from 83.65.199.91
> Oct  8 12:58:41 seven sshd[32255]: Invalid user dork from 83.65.199.91
> Oct  8 12:58:41 seven sshd[32258]: Invalid user eva from 83.65.199.91
> Oct  8 12:58:41 seven sshd[32260]: Invalid user hacker from 83.65.199.9=
1
> Oct  8 12:58:41 seven sshd[32261]: Invalid user copila\r from 83.65.199=
=2E91
> Oct  8 12:58:42 seven sshd[32265]: Invalid user dorna from 83.65.199.91=

> Oct  8 12:58:42 seven sshd[32264]: Invalid user gelo from 83.65.199.91
> Oct  8 12:58:42 seven sshd[32268]: Invalid user evara from 83.65.199.91=

> Oct  8 12:58:43 seven sshd[32270]: Invalid user hack from 83.65.199.91
> Oct  8 12:58:43 seven sshd[32271]: Invalid user copil\r from 83.65.199.=
91
> Oct  8 12:58:43 seven sshd[32274]: Invalid user Doubled from 83.65.199.=
91
> Oct  8 12:58:43 seven sshd[32275]: Invalid user gelos from 83.65.199.91=

> Oct  8 12:58:44 seven sshd[32278]: Invalid user eve from 83.65.199.91
>=20
> Is there a way that I could configure the server so that if there are f=
or example X attempts from an IP address then for the next Y hours all th=
e SSH requests would be ignored from that IP address?=20
> There are only a handful of people who have access to that server.

Yes.

In pf.conf:

table <ssh-bruteforce> persist

[...]

block drop in log quick on $ext_if from <ssh-bruteforce>

[...]

pass in on $ext_if proto tcp      \
     from any to $ext_if port ssh \
     flags S/SA keep state        \
     (max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global)

plus you'll need to add a cron job to clear old entries out of the ssh-br=
uteforce
table after a suitable amount of time has passed.  Use expiretable to do
that.  Note: in practice I've found that it's a *really good idea* to imp=
lement a=20
SSH whitelist of addresses that will never be bruteforce blocked like thi=
s -- it's=20
very easy to lock yourself out even if everything you're doing is entirel=
y=20
legitimate.  Coding that is left as an exercise for the reader.

	Cheers,

	Matthew

--=20
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW


--------------enig9C0AEC100DF7D6E170A59B84
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.13 (FreeBSD)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEAREIAAYFAkrPsYIACgkQ8Mjk52CukIwajwCfZZhDelEGssBatthjiqRP0RkU
h4EAn1FTIKItJr+8oQn9YPzsBdI27hjP
=tsUf
-----END PGP SIGNATURE-----

--------------enig9C0AEC100DF7D6E170A59B84--