From owner-freebsd-questions@FreeBSD.ORG Fri Oct 9 21:56:25 2009 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 50C7A106568D for ; Fri, 9 Oct 2009 21:56:25 +0000 (UTC) (envelope-from m.seaman@infracaninophile.co.uk) Received: from smtp.infracaninophile.co.uk (gate6.infracaninophile.co.uk [IPv6:2001:8b0:151:1::1]) by mx1.freebsd.org (Postfix) with ESMTP id DD3C18FC23 for ; Fri, 9 Oct 2009 21:56:24 +0000 (UTC) Received: from happy-idiot-talk.infracaninophile.co.uk (localhost [IPv6:::1]) (authenticated bits=0) by smtp.infracaninophile.co.uk (8.14.3/8.14.3) with ESMTP id n99LuI38010904; Fri, 9 Oct 2009 22:56:19 +0100 (BST) (envelope-from m.seaman@infracaninophile.co.uk) X-DKIM: Sendmail DKIM Filter v2.8.3 smtp.infracaninophile.co.uk n99LuI38010904 DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=infracaninophile.co.uk; s=200708; t=1255125380; bh=XHjnjviQVwEzCORc539V/erHCjskZ1NipuoyrdXyWaE=; h=Message-ID:Date:From:MIME-Version:To:CC:Subject:References: In-Reply-To:Content-Type:Cc:Content-Type:Date:From:In-Reply-To: Message-ID:Mime-Version:References:To; z=Message-ID:=20<4ACFB17A.1080400@infracaninophile.co.uk>|Date:=20F ri,=2009=20Oct=202009=2022:56:10=20+0100|From:=20Matthew=20Seaman= 20|Organization:=20Infracaninophi le|User-Agent:=20Thunderbird=202.0.0.23=20(X11/20090823)|MIME-Vers ion:=201.0|To:=20Aflatoon=20Aflatooni=20|CC: =20freebsd-questions@freebsd.org|Subject:=20Re:=20Security=20block ing=20question|References:=20<526808.11391.qm@web56207.mail.re3.ya hoo.com>|In-Reply-To:=20<526808.11391.qm@web56207.mail.re3.yahoo.c om>|X-Enigmail-Version:=200.95.6|Content-Type:=20multipart/signed= 3B=20micalg=3Dpgp-sha256=3B=0D=0A=20protocol=3D"application/pgp-si gnature"=3B=0D=0A=20boundary=3D"------------enig9C0AEC100DF7D6E170 A59B84"; b=f1tUHsYwxWCdYiSctpCZLQ+lgPSo+LQGCWb/4qdv7G/8DS4Q2zpCD15wjszedYakT HGitRThw87tLBFZrEaY8uPZK2U9gJdrVHZeNPxC2VmarHKFDOMiOGgdtgNzxDkXAgQ tYFQFUym/vMAROeC0psEt39d75i70+Ma/eB5QqIM= X-Authentication-Warning: happy-idiot-talk.infracaninophile.co.uk: Host localhost [IPv6:::1] claimed to be happy-idiot-talk.infracaninophile.co.uk Message-ID: <4ACFB17A.1080400@infracaninophile.co.uk> Date: Fri, 09 Oct 2009 22:56:10 +0100 From: Matthew Seaman Organization: Infracaninophile User-Agent: Thunderbird 2.0.0.23 (X11/20090823) MIME-Version: 1.0 To: Aflatoon Aflatooni References: <526808.11391.qm@web56207.mail.re3.yahoo.com> In-Reply-To: <526808.11391.qm@web56207.mail.re3.yahoo.com> X-Enigmail-Version: 0.95.6 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="------------enig9C0AEC100DF7D6E170A59B84" X-Virus-Scanned: clamav-milter 0.95.2 at happy-idiot-talk.infracaninophile.co.uk X-Virus-Status: Clean X-Spam-Status: No, score=-3.0 required=5.0 tests=AWL,BAYES_00,DKIM_SIGNED, DKIM_VERIFIED,NO_RELAYS autolearn=ham version=3.2.5 X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on happy-idiot-talk.infracaninophile.co.uk Cc: freebsd-questions@freebsd.org Subject: Re: Security blocking question X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 09 Oct 2009 21:56:25 -0000 This is an OpenPGP/MIME signed message (RFC 2440 and 3156) --------------enig9C0AEC100DF7D6E170A59B84 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: quoted-printable Aflatoon Aflatooni wrote: > Hi, > The production server that has a public IP address has SSH enabled. Thi= s server is continuously under dictionary attack: > Oct 8 12:58:40 seven sshd[32248]: Invalid user europa from 83.65.199.9= 1 > Oct 8 12:58:40 seven sshd[32250]: Invalid user hacked from 83.65.199.9= 1 > Oct 8 12:58:40 seven sshd[32251]: Invalid user cop\r from 83.65.199.91= > Oct 8 12:58:41 seven sshd[32254]: Invalid user gel from 83.65.199.91 > Oct 8 12:58:41 seven sshd[32255]: Invalid user dork from 83.65.199.91 > Oct 8 12:58:41 seven sshd[32258]: Invalid user eva from 83.65.199.91 > Oct 8 12:58:41 seven sshd[32260]: Invalid user hacker from 83.65.199.9= 1 > Oct 8 12:58:41 seven sshd[32261]: Invalid user copila\r from 83.65.199= =2E91 > Oct 8 12:58:42 seven sshd[32265]: Invalid user dorna from 83.65.199.91= > Oct 8 12:58:42 seven sshd[32264]: Invalid user gelo from 83.65.199.91 > Oct 8 12:58:42 seven sshd[32268]: Invalid user evara from 83.65.199.91= > Oct 8 12:58:43 seven sshd[32270]: Invalid user hack from 83.65.199.91 > Oct 8 12:58:43 seven sshd[32271]: Invalid user copil\r from 83.65.199.= 91 > Oct 8 12:58:43 seven sshd[32274]: Invalid user Doubled from 83.65.199.= 91 > Oct 8 12:58:43 seven sshd[32275]: Invalid user gelos from 83.65.199.91= > Oct 8 12:58:44 seven sshd[32278]: Invalid user eve from 83.65.199.91 >=20 > Is there a way that I could configure the server so that if there are f= or example X attempts from an IP address then for the next Y hours all th= e SSH requests would be ignored from that IP address?=20 > There are only a handful of people who have access to that server. Yes. In pf.conf: table persist [...] block drop in log quick on $ext_if from [...] pass in on $ext_if proto tcp \ from any to $ext_if port ssh \ flags S/SA keep state \ (max-src-conn-rate 3/30, overload flush global) plus you'll need to add a cron job to clear old entries out of the ssh-br= uteforce table after a suitable amount of time has passed. Use expiretable to do that. Note: in practice I've found that it's a *really good idea* to imp= lement a=20 SSH whitelist of addresses that will never be bruteforce blocked like thi= s -- it's=20 very easy to lock yourself out even if everything you're doing is entirel= y=20 legitimate. Coding that is left as an exercise for the reader. Cheers, Matthew --=20 Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard Flat 3 PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate Kent, CT11 9PW --------------enig9C0AEC100DF7D6E170A59B84 Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.13 (FreeBSD) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEAREIAAYFAkrPsYIACgkQ8Mjk52CukIwajwCfZZhDelEGssBatthjiqRP0RkU h4EAn1FTIKItJr+8oQn9YPzsBdI27hjP =tsUf -----END PGP SIGNATURE----- --------------enig9C0AEC100DF7D6E170A59B84--