From: "Kevin D. Kinsey, DaleCo, S.P." <kdk@daleco.biz>
Date: Wed, 01 Dec 2004 09:47:13 -0600
To: csnyder
Cc: freebsd-questions@freebsd.org
Subject: Re: limiting ssh login attempts by ip

csnyder wrote:

> I've noticed a marked increase in dictionary attacks against sshd
> lately -- tens or even hundreds of connection attempts from the same
> IP address within a short timespan.
>
> I wrote a script that creates firewall rules to drop packets from IPs
> with more than n login failures over the last 10 minutes, but it's a
> half-measure -- in the minute it takes for cron to get to it, an
> attacking script can try a lot of different passwords, even with
> MaxStartups set low.
>
> How do you protect your servers from this kind of attack? Especially
> on where you can't enforce a strict password policy or make everyone
> use keys?

I have mentioned before that I use tcpwrappers (somewhat against the
comment in /etc/hosts.allow) to only allow sshd to accept connections
from known IP addresses on all my servers save one. If for some reason
I'm on a "foreign" network and need to get in, I have to go through the
open box to get to the others. (I can see that this might not work so
well if you have dozens of people who need sshd access....)

But, like Lowell says, this doesn't seem to be the most effective
attack, as it generally is trying a few combinations for "admin", a few
for "root", etc., and then moving on ... I'm not sure how much effort
you need to expend on it; although if you're running a lot of shell
services to the outside, I can feel some of your pain....

HTH,

Kevin Kinsey
DaleCo, S.P.
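The "more than n failures in the last 10 minutes" counter that csnyder describes, written out as an added example (this is not csnyder's script or anything from the list): it scans sshd "Failed password" lines from a FreeBSD-style auth.log, keeps a sliding 10-minute window per source address, and builds ipfw deny rules for addresses over the threshold. The log lines are constructed, the year is assumed (syslog timestamps carry none), and ipfw is assumed as the firewall; the rules are returned as strings rather than executed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd log lines in FreeBSD /var/log/auth.log style (not real data).
# 192.0.2.10 hammers quickly; 203.0.113.5 fails four times but spread over 11 minutes.
SAMPLE_LOG = """\
Dec  1 09:40:12 ns1 sshd[1201]: Failed password for illegal user admin from 192.0.2.10 port 4321 ssh2
Dec  1 09:40:14 ns1 sshd[1203]: Failed password for illegal user test from 192.0.2.10 port 4322 ssh2
Dec  1 09:40:15 ns1 sshd[1205]: Failed password for root from 192.0.2.10 port 4323 ssh2
Dec  1 09:40:17 ns1 sshd[1207]: Failed password for root from 192.0.2.10 port 4324 ssh2
Dec  1 09:41:02 ns1 sshd[1209]: Failed password for kevin from 198.51.100.7 port 5000 ssh2
Dec  1 09:41:30 ns1 sshd[1211]: Accepted publickey for kevin from 198.51.100.7 port 5001 ssh2
Dec  1 09:50:00 ns1 sshd[1300]: Failed password for illegal user guest from 203.0.113.5 port 6000 ssh2
Dec  1 09:54:00 ns1 sshd[1302]: Failed password for illegal user guest from 203.0.113.5 port 6001 ssh2
Dec  1 09:58:00 ns1 sshd[1304]: Failed password for illegal user guest from 203.0.113.5 port 6002 ssh2
Dec  1 10:01:00 ns1 sshd[1306]: Failed password for illegal user guest from 203.0.113.5 port 6003 ssh2
"""

# Matches both "illegal user X" (old sshd wording) and plain usernames.
FAILED = re.compile(
    r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for .* from (\d+\.\d+\.\d+\.\d+) port \d+"
)

def offenders(log_text, threshold=3, window=600, year=2004):
    """Return source IPs with more than `threshold` failed logins
    inside any `window`-second span (default: 10 minutes)."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    flagged = set()
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(year=year)
        ip = m.group(2)
        q = recent[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window:
            q.popleft()           # drop failures older than the window
        if len(q) > threshold:
            flagged.add(ip)
    return sorted(flagged)

def ipfw_rules(ips, base=1000):
    """Build (not execute) ipfw deny rules for port 22 from the flagged addresses."""
    return [f"ipfw add {base + i} deny tcp from {ip} to me 22" for i, ip in enumerate(ips)]
```

Widening the window (e.g. 900 seconds) also catches the slow source, which is the trade-off the cron-driven approach leaves you to tune.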