Date: Fri, 8 Oct 2004 08:40:30 +0300 From: JohnsoBS@vicksburg.navy.mil To: davemac11@yahoo.com, LukeD@pobox.com Cc: freebsd-questions@freebsd.org Subject: RE: Protecting SSH from brute force attacks Message-ID: <CE2BFBAA80DD874BB737A4E2C53AA44903B0186B@CG69UBD01>
next in thread | raw e-mail | index | archive | help
> -----Original Message----- > From: Dave McCammon [mailto:davemac11@yahoo.com] > Sent: Friday, October 08, 2004 4:46 AM > To: LukeD@pobox.com > Cc: freebsd-questions@freebsd.org > Subject: Re: Protecting SSH from brute force attacks > > > > --- Vulpes Velox <v.velox@vvelox.net> wrote: > > > On Thu, 7 Oct 2004 15:15:25 -0700 (PDT) > > Luke <luked@pobox.com> wrote: > > > > > There are several script kiddies out there hitting > > my SSH server > > > every day. Sometimes they attempt to brute-force > > their way in > > > trying new logins every second or so for hours at > > a time. Given > > > enough time, I fear they will eventually get in. > > > Is there anything I can do to hinder them? > > > > > > I'd like to ban the IP after 50 failed attempts or > > something. I'd > > > heard that each failed attempt from a source was > > supposed to make > > > the daemon respond slower each time, thus limiting > > the usefulness of > > > brute force attacks, but I'm not seeing that > > behavior. > > > > I forget where in /etc it is, but look into setting > > up something that > > allows a certian number of failed logins before > > locking that IP/term > > out for a few minutes.... and if it is constantly > > from the same place > > look into calling their ISP or the like. > > > > Or in a few cases, like I have done in a few cases, > > and a deny from > > any to any for that chunk of the net... > > > > man login.conf for more info :) > > _______________________________________________ > > Following the advice from here: > http://isc.sans.org//diary.php?date=2004-09-11. > > What I did was to only allow access to one machine > through my firewall for the ssh connections (ipfw > limit). 2 per source address. > And, for that one machine, I changed the sshd port to > a different number. > I was getting the same brute force attacks but they > have dropped to nil since. > > I run my public sshd in a jail and close all other ports. I also delete every binary minus the tools needed to ssh into the host and other jails I have setup. I ssh to my jail ip's internally and nat ports as needed from the external. I am pretty secure even if they do gain access to the public sshd, and I think once they do if ever break into that, the box is fairly well still secure. > > > > _______________________________ > Do you Yahoo!? > Declare Yourself - Register online to vote today! > http://vote.yahoo.com > _______________________________________________ > freebsd-questions@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-questions > To unsubscribe, send any mail to > "freebsd-questions-unsubscribe@freebsd.org" >
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CE2BFBAA80DD874BB737A4E2C53AA44903B0186B>