From owner-freebsd-questions@FreeBSD.ORG Tue Nov 14 20:52:52 2006
Return-Path:
X-Original-To: freebsd-questions@freebsd.org
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5BB4816A4C9 for ; Tue, 14 Nov 2006 20:52:52 +0000 (UTC) (envelope-from heli@mikestammer.com)
Received: from smtp113.sbc.mail.mud.yahoo.com (smtp113.sbc.mail.mud.yahoo.com [68.142.198.212]) by mx1.FreeBSD.org (Postfix) with SMTP id 7558E4408E for ; Tue, 14 Nov 2006 20:48:23 +0000 (GMT) (envelope-from heli@mikestammer.com)
Received: (qmail 16393 invoked from network); 14 Nov 2006 20:07:37 -0000
Received: from unknown (HELO mail.mikestammer.com) (mikestammer@sbcglobal.net@70.131.98.204 with login) by smtp113.sbc.mail.mud.yahoo.com with SMTP; 14 Nov 2006 20:07:37 -0000
X-YMail-OSG: dRIpTkQVM1lC9djFrli5GRm6H8JR_ZPhUOJhsCymbPqZJypK23ShxhsFqM0Ni35GEEt2vgpSMA24iSdf1c0AGDVxOUQWSlCV1H8tlLqdRjyPb9MMuUYpfeKshpT7JgQVcl5lz9NQqbG0YKDBn1wj6TYsDmO4p4J1LWw-
Received: from localhost (localhost [127.0.0.1]) by mail.mikestammer.com (Postfix) with ESMTP id 52EC61146A for ; Tue, 14 Nov 2006 14:07:36 -0600 (CST)
X-Virus-Scanned: amavisd-new at mikestammer.com
Received: from mail.mikestammer.com ([127.0.0.1]) by localhost (gondolin.middleearth.mikestammer.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V11MUHsYyjpl for ; Tue, 14 Nov 2006 14:07:30 -0600 (CST)
Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: eric) by mail.mikestammer.com (Postfix) with ESMTP id A5EAF1147E for ; Tue, 14 Nov 2006 14:07:30 -0600 (CST)
Message-ID: <455A2202.7060903@mikestammer.com>
Date: Tue, 14 Nov 2006 14:07:30 -0600
From: Eric
User-Agent: Thunderbird 1.5.0.7 (Windows/20060909)
MIME-Version: 1.0
To: freebsd-questions@freebsd.org
References: <20061113060528.GA7646@best.com> <4558D2A3.50904@locolomo.org>
<20061114092045.GB3207@best.com> <455A1EE6.3020504@locolomo.org>
In-Reply-To: <455A1EE6.3020504@locolomo.org>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: Blocking SSH Brute-Force Attacks: What Am I Doing Wrong?
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 14 Nov 2006 20:52:52 -0000

Erik Norgaard wrote:
> Leo L. Schwab wrote:
>> On Mon, Nov 13, 2006 at 09:16:35PM +0100, Erik Norgaard wrote:
>>> Honestly, I wouldn't worry about it: review your config and make some
>>> simple choices to reduce the noise, see this article:
>>>
>>> http://www.securityfocus.com/infocus/1876
>>>
>> But I rather thought that was the point of 'bruteblock' -- it
>> reduces the noise by blackholing the offending IPs for an hour or so. This
>> blackholing doesn't appear to be happening, and I don't understand why.
>>
>> Could it be a permission problem -- syslog doesn't have permission
>> to change the firewall rules?
>
> I wouldn't worry about "bruteblock" - try to create a perl script and see
> if you can see a system in the attacks: Does the same host come back? If
> so, does it continue from where it left off?
>
> The annoyance of these brute force attacks is that your log is larger
> than it would be without them.
>
> That is unless of course you have made yourself vulnerable!
>
> - do you use bad passwords?
> - do you allow root login?
> - have you disabled system accounts?
>
> If the answers are no, no and yes, then you can largely ignore it. For more
> on this - read the linked article, read the old thread.
>
> Cheers, Erik
>

Jumping into this thread late, but denyhosts works great and also does a
distributed thing where, if you opt in, you can get updates from other
people who run denyhosts. These are then added to your deny list, and if
your box is scanned the attempts will be blocked. Think of it like a
spamhaus list for SSH brute force attacks. It works well.

In short:

1. use denyhosts
2. do not use password based authentication for ssh. rather, use keys that are password protected
3. never allow root ssh logins

and everything should be swell.

Eric
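The log review Erik suggests (does the same host come back, and does it carry on where it left off?) and the two sshd_config points in Eric's list can be checked mechanically. The script below is an added example for this archive page, not code from anyone in the thread; it is written in Python rather than the Perl Erik mentions. It parses "Failed password" lines in the format FreeBSD's sshd writes to /var/log/auth.log, groups them per source address, splits each address's attempts into bursts separated by more than a configurable gap, and counts how many usernames a returning host tries that it had not tried before (a sign it is working through a list rather than starting over). A second function audits an sshd_config excerpt for PermitRootLogin and PasswordAuthentication being explicitly set to no (and PubkeyAuthentication to yes). The log lines, the hostname `bsdbox`, the addresses (RFC 5737 documentation ranges), the usernames and the config excerpt are all constructed for the example; the 30-minute gap is an arbitrary choice.

```python
"""Per-source summary of sshd password failures, plus a small sshd_config audit."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample lines in FreeBSD /var/log/auth.log format. Hostname,
# addresses (RFC 5737 ranges) and usernames are made up for the example.
SAMPLE_LOG = """\
Nov 14 13:59:01 bsdbox sshd[2231]: Invalid user admin from 203.0.113.7
Nov 14 13:59:03 bsdbox sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Nov 14 13:59:05 bsdbox sshd[2233]: Failed password for root from 203.0.113.7 port 40130 ssh2
Nov 14 14:00:10 bsdbox sshd[2240]: Failed password for invalid user test from 198.51.100.9 port 51000 ssh2
Nov 14 15:30:02 bsdbox sshd[2300]: Failed password for invalid user oracle from 203.0.113.7 port 42000 ssh2
Nov 14 15:30:04 bsdbox sshd[2301]: Failed password for invalid user postgres from 203.0.113.7 port 42004 ssh2
Nov 14 15:31:00 bsdbox sshd[2310]: Accepted publickey for eric from 192.0.2.5 port 50000 ssh2
"""

# Only password failures are of interest; "Invalid user" preambles and
# accepted logins deliberately do not match.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<host>\S+) port \d+"
)


@dataclass
class HostStats:
    attempts: int = 0
    users: list = field(default_factory=list)  # usernames in the order tried
    first_seen: datetime = None
    last_seen: datetime = None
    sessions: int = 0              # bursts separated by more than the gap
    new_users_on_return: int = 0   # names first tried in a later burst


def parse_ts(text, year):
    # syslog timestamps carry no year, so the caller supplies one
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def summarise(lines, year=2006, gap=timedelta(minutes=30)):
    """Group failed password attempts by source address."""
    stats = defaultdict(HostStats)
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = parse_ts(m["ts"], year)
        s = stats[m["host"]]
        if s.last_seen is None:
            s.first_seen = ts
            s.sessions = 1
        elif ts - s.last_seen > gap:
            s.sessions += 1          # the host has come back after a pause
        if s.sessions > 1 and m["user"] not in s.users:
            s.new_users_on_return += 1   # continuing its list, not repeating it
        s.users.append(m["user"])
        s.attempts += 1
        s.last_seen = ts
    return dict(stats)


def returning_hosts(stats):
    """Addresses seen in more than one burst: Erik's 'does the same host come back?'"""
    return sorted(h for h, s in stats.items() if s.sessions > 1)


# Constructed sshd_config excerpt with the weak settings Eric warns against.
WEAK_SSHD_CONFIG = """\
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
"""

HARDENED = {"permitrootlogin": "no", "passwordauthentication": "no",
            "pubkeyauthentication": "yes"}


def audit_sshd_config(text):
    """Return (lower-cased) directives not explicitly set to the hardened value.

    OpenSSH honours the first occurrence of a keyword, so later duplicates are
    ignored here as well; a directive that is missing is reported as a finding.
    """
    seen = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key in HARDENED and key not in seen:
            seen[key] = parts[1].strip().lower() if len(parts) > 1 else ""
    return sorted(k for k, want in HARDENED.items() if seen.get(k) != want)


if __name__ == "__main__":
    stats = summarise(SAMPLE_LOG.splitlines())
    for host, s in sorted(stats.items()):
        print(f"{host}: {s.attempts} failures, {s.sessions} burst(s), "
              f"{s.new_users_on_return} new name(s) on return, users={s.users}")
    print("returning hosts:", returning_hosts(stats))
    print("sshd_config findings:", audit_sshd_config(WEAK_SSHD_CONFIG))
```

Run against a real auth.log, the output answers Erik's two questions per address: a host with several bursts and a growing count of new usernames is one attacker walking a list, while one-burst hosts are the background noise the thread says you can mostly ignore once password authentication and root login are off.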