From owner-freebsd-questions@freebsd.org Tue Aug 25 13:30:03 2015
Delivered-To: freebsd-questions@mailman.ysv.freebsd.org
Message-ID: <22DC19936F1E477D981FCB31FD51375E@Rivendell>
From: "Reko Turja"
To: "Jaime Kikpole"
Subject: Re: Blocking SSH access based on bad logins?
Date: Tue, 25 Aug 2015 16:29:51 +0300
List-Id: User questions

-----Original Message-----
From: Jaime Kikpole
Sent: Tuesday, August 25, 2015 4:16 PM
To: freebsd-questions@freebsd.org
Subject: Blocking SSH access based on bad logins?

> I've noticed a number of SSH login attempts for the username "admin"
> on my FreeBSD systems. None of them have a username of "admin". So I
> was wondering if there was a way (even via a port) to tell the system,
> "If an IP tries to login as 'admin', block that IP."
>
> I'm already using SSHGuard to block certain obvious attempts to break
> in. I'm fine with altering its configs or adding/switching to a new
> port.

With pf as your firewall you could do something like this - first, define a table with:

    table <bad_hosts> persist { }

then in filter rules:

    pass in on $ext_if proto tcp from any to ($ext_if) port $tcp_login \
        flags S/SA keep state (max-src-conn-rate 3/30, overload <bad_hosts> flush global)

where 3/30 means how many connections to the port are allowed in a set timeframe; for me it's three in 30 seconds. If that amount is exceeded, then the IP is added to the bad_hosts table.

Of course, distributed attacks are rarely affected by this rule.

IMO switching the SSH port is security by obscurity; a determined attacker will eventually find the altered port if so inclined.

-Reko
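The following is an added illustration, not code from Reko's mail or from pf itself: a small Python model of what the rule above does with its two numbers. It counts new connections per source address inside a sliding window of `window` seconds, puts a source into the `bad_hosts` table once it exceeds `max_conns` in that window, and drops that source's existing states the way `flush global` does. It assumes a companion `block in quick from <bad_hosts>` rule (the mail does not show one; without it the table is filled but nothing is dropped) and uses constructed RFC 5737 documentation addresses. The last scenario shows the caveat from the mail: ten sources making two connections each never trip a 3/30 limit.

```python
# Added example modelling pf's "max-src-conn-rate 3/30, overload <bad_hosts>
# flush global". This is a simplified model of pf's per-source rate counter,
# not pf code, and the traffic below is constructed.
from collections import defaultdict, deque


class OverloadTable:
    """Per-source new-connection counter plus the overload table it feeds."""

    def __init__(self, max_conns=3, window=30):
        self.max_conns = max_conns          # the "3" in 3/30
        self.window = window                # the "30" in 3/30, in seconds
        self.recent = defaultdict(deque)    # src -> timestamps of recent new connections
        self.bad_hosts = set()              # the <bad_hosts> table
        self.states = defaultdict(int)      # src -> live states created by "keep state"

    def new_connection(self, src, now):
        """Return 'pass', 'overload' (this attempt trips the limit) or 'block'."""
        if src in self.bad_hosts:
            # Assumed companion rule: block in quick from <bad_hosts>
            return "block"
        seen = self.recent[src]
        # Drop connection timestamps that have aged out of the window.
        while seen and now - seen[0] >= self.window:
            seen.popleft()
        seen.append(now)
        if len(seen) > self.max_conns:
            self.bad_hosts.add(src)
            self.states.pop(src, None)      # "flush global": kill this source's states
            return "overload"
        self.states[src] += 1
        return "pass"


def simulate(events, max_conns=3, window=30):
    """Feed (timestamp, src) events through the model in time order."""
    table = OverloadTable(max_conns, window)
    results = [(t, src, table.new_connection(src, t)) for t, src in sorted(events)]
    return results, table


def outcomes(events, **kw):
    """Convenience: decisions in order, plus the final contents of the table."""
    results, table = simulate(events, **kw)
    return [r[2] for r in results], sorted(table.bad_hosts)


# Constructed traffic (RFC 5737 documentation addresses).
SINGLE_BRUTE = [(t, "203.0.113.5") for t in (0, 5, 10, 15, 20)]   # 5 attempts in 20 s
LEGIT = [(t, "198.51.100.7") for t in (0, 100, 200)]              # well spaced
DISTRIBUTED = [(t, f"192.0.2.{i}") for i in range(1, 11) for t in (1, 2)]  # 10 hosts x 2


if __name__ == "__main__":
    for name, events in (("single source", SINGLE_BRUTE),
                         ("legitimate", LEGIT),
                         ("distributed", DISTRIBUTED)):
        decisions, table = outcomes(events)
        print(f"{name:14s} {decisions} -> bad_hosts={table}")
```

Running it shows the single source passing three times, tripping the limit on the fourth attempt and being blocked from then on, the well-spaced client never counted against, and every member of the distributed set passing with an empty table, which is exactly why a per-source rate limit is a complement to SSHGuard rather than a replacement for it.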