Date:      Wed, 20 Sep 2006 16:15:20 -0400
From:      Adam Martin <adamartin@FreeBSD.org>
To:        Nicolas Blais <nb_root@videotron.ca>
Cc:        FreeBSD Questions <freebsd-questions@freebsd.org>
Subject:   Re: sshd brute force attempts?
Message-ID:  <443e3284d31c7c017677e4e8f7e0ba89@FreeBSD.org>
In-Reply-To: <200609191725.43937.nb_root@videotron.ca>
References:  <20060919165400.A4380@prime.gushi.org> <70e8236f0609191412p5779d94cqa16df5631f4de916@mail.gmail.com> <200609191725.43937.nb_root@videotron.ca>


On 2006 Sep 19, at 17:25, Nicolas Blais wrote:

> On Tuesday 19 September 2006 17:12, Joao Barros wrote:
>> On 9/19/06, Dan Mahoney, System Admin <danm@prime.gushi.org> wrote:
>>> Hey all,
>>>
>>> I've looked around and found several Linux-centric things designed to
>>> block brute-force SSH attempts.  Anyone out there know of something
>>> a bit more BSD savvy?
>>>
>>> My best attempt will be to get this:
>>>
>>> http://www.csc.liv.ac.uk/~greg/sshdfilter/index_15.html
>>>
>>> running and adapt it.
>>>
>>> I've found a few things based on OpenBSD's pf, but that doesn't seem
>>> to be the default in BSD either.
>>>
>>> Any response appreciated.
>>
>> I'm using BruteForceBlocker quite successfully.
>> I take the opportunity to thank danger for it :-)
>>
>> http://www.freshports.org/security/bruteforceblocker/


	This has been a recent annoyance for me too, so I did a bit of
research.  At my site I run a number of Solaris, FreeBSD, NetBSD, and
OpenBSD based machines (very few Linux machines).  So I googled for a
very BSD-specific solution to the problem.  The issue of actual
cracking doesn't concern me.  (All user passwords are strong, and users
have strong limitations.)  What bothers me is that there are several
hundred kilobytes' worth of "invalid user" entries in my
/var/log/auth.log.  It's been rotated about 30 times these past 2
weeks.  I preserve ALL logs (/etc/newsyslog.conf has 500 count for each
log.)  There is also the DoS potential that worries me.

	The solutions I read were for OpenBSD pf (which is my router) but
could be used on FreeBSD pf, too.  It seems that most of these
brute-force ssh attempts come from compromised Linux boxes.  As a simple
solution, one could add a pf rule which just drops Linux hosts on port
22.  As a stopgap measure for valid users, who log in from Linux boxes,
I leave open port 2222, and inform these users to use that port.

	In addition to all of this, I also run bruteforceblocker, and maintain 
my own list of denied hosts.  (Any host with more than 5 entries for 
all different invalid users is permanently banned.)

> I like to protect myself by hiding what I have, which will reduce the
> amount of direct or random attacks by a lot, then deal with attacks using
> tools (like bruteforceblocker).

	Hiding your services is always a good idea.  But it also potentially 
invites portscans, or other evils.

> This is especially useful when attackers are using ip-range tools to
> scan common ports for their associated service.

	Eventually when we all do that, the attackers will just develop (or in 
most cases, one will, and the others will "borrow") new tools to harass 
us more.

> Why keep sshd on port 22?

	Why not keep it there?  Why should we all resort to migrating our 
standard services to non-standard ports, simply because a few 
[expletives deleted] script kiddies can't keep their packets to 
themselves?  It's also advocating security by obscurity, to hide sshd 
on another port.  Eventually the "bad guys" will just test every port, 
and we'll have more unnecessary traffic to the box.

	I don't know about you, but I'm not going to let a few immature
teenagers who've hijacked a network of Linux boxes, set up by a
"know-it-all" Linux newbie for his folks, bully me out of doing things
the right way, or hiding outside of standardized channels.  Certainly
never invite trouble...  But running from it doesn't make you much
safer.  (Maybe it's time somebody whipped up a rule for pf, that would
direct garbage replies in response to packets we want to deny, instead
of just dropping them?  Actually, it probably won't do much to the
attackers, besides confuse them.)


> Nicolas

--
Adam David Alan Martin
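As an added example (not part of this thread or of bruteforceblocker), the ban rule Adam describes, any host that has tried more than five distinct invalid usernames, applied to sshd "Invalid user" lines from /var/log/auth.log and turned into `pfctl` table commands. The log lines, hostnames, addresses (RFC 5737 ranges) and the pf table name `bruteforce` are constructed; the commands are only generated, not executed.

```python
import re
from collections import defaultdict

# sshd "Invalid user" line as written to /var/log/auth.log (optional "port N" suffix).
INVALID_USER_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Invalid user (?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?: port \d+)?$"
)

# Constructed sample log: one host cycling through usernames, one host
# retrying a single name (a typo-prone real user), one successful login.
SAMPLE_AUTH_LOG = """\
Sep 19 17:12:01 gw sshd[5120]: Invalid user admin from 192.0.2.10
Sep 19 17:12:03 gw sshd[5122]: Invalid user test from 192.0.2.10
Sep 19 17:12:05 gw sshd[5124]: Invalid user oracle from 192.0.2.10
Sep 19 17:12:07 gw sshd[5126]: Invalid user guest from 192.0.2.10
Sep 19 17:12:09 gw sshd[5128]: Invalid user www from 192.0.2.10
Sep 19 17:12:11 gw sshd[5130]: Invalid user mysql from 192.0.2.10
Sep 19 17:13:00 gw sshd[5140]: Invalid user bob from 192.0.2.20
Sep 19 17:13:02 gw sshd[5142]: Invalid user bob from 192.0.2.20
Sep 19 17:13:04 gw sshd[5144]: Invalid user bob from 192.0.2.20
Sep 19 17:13:06 gw sshd[5146]: Invalid user bob from 192.0.2.20
Sep 19 17:13:08 gw sshd[5148]: Invalid user bob from 192.0.2.20
Sep 19 17:13:10 gw sshd[5150]: Invalid user bob from 192.0.2.20
Sep 19 17:14:00 gw sshd[5160]: Accepted publickey for alice from 198.51.100.7 port 51022 ssh2
"""


def invalid_users_by_host(lines):
    """Map each source IP to the set of invalid usernames it tried."""
    seen = defaultdict(set)
    for line in lines:
        m = INVALID_USER_RE.match(line.strip())
        if m:
            seen[m.group("ip")].add(m.group("user"))
    return seen


def hosts_to_ban(lines, threshold=5):
    """Hosts with more than `threshold` distinct invalid usernames (Adam's rule)."""
    by_host = invalid_users_by_host(lines)
    return sorted(ip for ip, users in by_host.items() if len(users) > threshold)


def pf_table_commands(ips, table="bruteforce"):
    """pfctl commands that would add the banned hosts to a pf table; not run here."""
    return [f"pfctl -t {table} -T add {ip}" for ip in ips]


if __name__ == "__main__":
    for cmd in pf_table_commands(hosts_to_ban(SAMPLE_AUTH_LOG.splitlines())):
        print(cmd)
```

Counting distinct usernames rather than raw attempts is what keeps 192.0.2.20 (six tries of the same name) off the ban list while 192.0.2.10 is banned.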