From owner-freebsd-questions@FreeBSD.ORG Fri Oct 8 02:46:24 2004
Date: Thu, 7 Oct 2004 19:46:22 -0700 (PDT)
From: Dave McCammon
To: LukeD@pobox.com
cc: freebsd-questions@freebsd.org
Subject: Re: Protecting SSH from brute force attacks
In-Reply-To: <20041007192349.36120317@vixen42.24-119-122-191.cpe.cableone.net>
Message-ID: <20041008024622.75972.qmail@web41410.mail.yahoo.com>

--- Vulpes Velox wrote:
> On Thu, 7 Oct 2004 15:15:25 -0700 (PDT)
> Luke wrote:
>
> > There are several script kiddies out there hitting my SSH server
> > every day. Sometimes they attempt to brute-force their way in
> > trying new logins every second or so for hours at a time. Given
> > enough time, I fear they will eventually get in.
> > Is there anything I can do to hinder them?
> >
> > I'd like to ban the IP after 50 failed attempts or something. I'd
> > heard that each failed attempt from a source was supposed to make
> > the daemon respond slower each time, thus limiting the usefulness of
> > brute force attacks, but I'm not seeing that behavior.
>
> I forget where in /etc it is, but look into setting up something that
> allows a certain number of failed logins before locking that IP/term
> out for a few minutes.... and if it is constantly from the same place
> look into calling their ISP or the like.
>
> Or in a few cases, like I have done in a few cases, and a deny from
> any to any for that chunk of the net...
>
> man login.conf for more info :)

Following the advice from here: http://isc.sans.org//diary.php?date=2004-09-11.

What I did was to only allow access to one machine through my firewall for the ssh connections (ipfw limit), 2 per source address. And, for that one machine, I changed the sshd port to a different number.

I was getting the same brute force attacks but they have dropped to nil since.
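An added example, not from anyone in this thread: a small sh script that tallies sshd login failures per source address from syslog lines (constructed sample lines included), prints an ipfw deny for any source over Luke's 50-attempt threshold, and prints the kind of stateful `limit src-addr 2` rule Dave describes. The rule number, the `SSH_PORT` variable and the log format are assumptions; nothing is executed, only printed.

```shell
#!/bin/sh
# Added example, not from the thread: tally failed sshd logins per source
# address and emit ipfw commands for repeat offenders. Commands are printed,
# never executed, so the output can be reviewed before anything is applied.
THRESHOLD=${THRESHOLD:-50}     # cut-off Luke proposed in his mail
IPFW_RULE=${IPFW_RULE:-1000}   # assumed rule number; pick one that fits your rule set
SSH_PORT=${SSH_PORT:-22}       # Dave moved sshd off 22; set this to match

# Constructed sample syslog lines in FreeBSD sshd format (not real traffic).
SAMPLE_LOG='Oct  7 15:15:01 host sshd[1234]: Failed password for root from 10.0.0.5 port 4022 ssh2
Oct  7 15:15:02 host sshd[1234]: Failed password for invalid user test from 10.0.0.5 port 4023 ssh2
Oct  7 15:15:03 host sshd[1235]: Accepted publickey for luke from 192.0.2.10 port 5000 ssh2
Oct  7 15:15:04 host sshd[1236]: Failed password for admin from 198.51.100.7 port 4100 ssh2'

# failed_counts: read log lines on stdin, print "count ip" per source, busiest first.
failed_counts() {
    awk '/sshd\[[0-9]+\]: Failed password for .* from / {
             for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# offenders N: keep only the addresses with at least N failures.
offenders() {
    awk -v t="$1" '$1 >= t { print $2 }'
}

# ban_rules: one ipfw deny per offending address, blocking only the ssh port.
ban_rules() {
    while read -r ip; do
        printf 'ipfw add %s deny tcp from %s to me %s\n' "$IPFW_RULE" "$ip" "$SSH_PORT"
    done
}

# limit_rule: Dave's approach, a stateful rule that caps each source address
# at two concurrent ssh connections ("limit src-addr 2") instead of banning.
limit_rule() {
    printf 'ipfw add %s allow tcp from any to me %s setup limit src-addr 2\n' \
        "$IPFW_RULE" "$SSH_PORT"
}

# Demo against the constructed log with a low threshold so something triggers.
if [ "${1:-}" = "--demo" ]; then
    limit_rule
    printf '%s\n' "$SAMPLE_LOG" | failed_counts | offenders 2 | ban_rules
fi
```

Against a real host, feed `/var/log/auth.log` to `failed_counts` and use `$THRESHOLD` in place of the demo's `2`.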