From owner-freebsd-questions@FreeBSD.ORG Fri Oct 8 11:05:24 2004
Message-ID: <41667481.9040800@makeworld.com>
Date: Fri, 08 Oct 2004 06:05:37 -0500
From: Chris
To: Daniel Bye
cc: freebsd-questions@freebsd.org
Subject: Re: Protecting SSH from brute force attacks
In-Reply-To: <65066.154.8.22.73.1097231110.squirrel@154.8.22.73>
References: <20041008074451.37565.qmail@web54004.mail.yahoo.com> <65066.154.8.22.73.1097231110.squirrel@154.8.22.73>

Daniel Bye wrote:
> On Fri, 8 October, 2004 8:44 am, spam maps said:
>
>> Vulpes Velox wrote:
>>
>>> On Thu, 7 Oct 2004 15:15:25 -0700 (PDT) Luke wrote:
>>>
>>>> There are several script kiddies out there hitting my SSH server
>>>> every day. Sometimes they attempt to brute-force their way in
>>>
>>> man login.conf for more info :)
>>
>> I'm just guessing, but are you trying to tell me that "login-retries" in
>> login.conf is useful?
>>
>> I have tried that by setting it to 2, but it seems to have no effect on
>> the sshd login behaviour. I can always try the password 6 times:
>>
>> $ ssh myname@my.own.pc
>> Password:
>> Password:
>> Password:
>> myname@my.own.pc's password:
>> Permission denied, please try again.
>> myname@my.own.pc's password:
>> Permission denied, please try again.
>> myname@my.own.pc's password:
>> Permission denied (publickey,password,keyboard-interactive).
>> $
>>
>> So could you be a little more specific as to where login.conf is of help
>> here?
>
> This is still only one *connection* - sshd will offer you (or anyone else
> who can connect) a certain number of chances to prove your identity.
> Login.conf can't help with this. You can configure sshd to stop offering
> the keyboard-interactive auth method - set
>
> ChallengeResponseAuthentication no
>
> in /etc/ssh/sshd_config and HUP the daemon. You will no longer see the
> first three Password: prompts.
>
> Login.conf can help you to limit the number of successive login attempts.
> Make sure you run "cap_mkdb /etc/login.conf" whenever you edit the file,
> or you will not enable your changes.
>
> Dan

In addition, if you use ipfw, do something like this:

# Allow in SFTP, SSH, and SCP from public Internet
${fwcmd} add 090 pass log tcp from xxx.xxx.xxx.xxx/xx to ${ip} 22 setup limit src-addr 4

This simply allows ssh access to a certain subnet etc. In addition, the limit src-addr 4 allows only 4 connects etc.

-- 
Best regards,
Chris

The most important item in an order will no longer be available.
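As an added example, not part of the thread above, the following script takes the defender's view of the distinction Dan draws: several password guesses inside one connection versus many connections from one source. It parses constructed sshd log lines (syslog format, the hostnames, IPs, ports and user names are invented) and reports, per source address, the number of failed guesses, the number of distinct connections carrying them, and the user names tried.

```python
"""Summarise sshd authentication failures per source and per connection.

SAMPLE_LOG is constructed for this example; it is not from the original
message or from any real system.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Oct  8 05:59:01 gw sshd[38122]: Failed password for root from 203.0.113.7 port 4022 ssh2
Oct  8 05:59:03 gw sshd[38122]: Failed password for root from 203.0.113.7 port 4022 ssh2
Oct  8 05:59:05 gw sshd[38122]: Failed password for root from 203.0.113.7 port 4022 ssh2
Oct  8 05:59:06 gw sshd[38130]: Failed keyboard-interactive/pam for invalid user admin from 203.0.113.7 port 4023 ssh2
Oct  8 05:59:09 gw sshd[38130]: Failed password for invalid user admin from 203.0.113.7 port 4023 ssh2
Oct  8 06:01:12 gw sshd[38141]: Failed password for chris from 198.51.100.20 port 50122 ssh2
Oct  8 06:01:20 gw sshd[38141]: Accepted publickey for chris from 198.51.100.20 port 50122 ssh2
"""

# One failed attempt per line; the method captures "password" as well as
# "keyboard-interactive/pam", the two prompts seen in the quoted session.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port (?P<port>\d+)"
)

def parse_failures(log_text):
    """Return (ip, port, user, method) for every failed attempt in the log."""
    out = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            out.append((m["ip"], int(m["port"]), m["user"], m["method"]))
    return out

def summarize(failures):
    """Per source IP: failed guesses, distinct connections (by client port), users tried."""
    per_src = defaultdict(lambda: {"guesses": 0, "ports": set(), "users": set()})
    for ip, port, user, _method in failures:
        per_src[ip]["guesses"] += 1
        per_src[ip]["ports"].add(port)   # a new client port means a new TCP connection
        per_src[ip]["users"].add(user)
    return {
        ip: {"guesses": s["guesses"], "connections": len(s["ports"]), "users": sorted(s["users"])}
        for ip, s in per_src.items()
    }

def suspicious_sources(summary, max_guesses=4):
    """Sources with more failed guesses than a user mistyping a password would produce."""
    return sorted(ip for ip, s in summary.items() if s["guesses"] > max_guesses)

if __name__ == "__main__":
    summary = summarize(parse_failures(SAMPLE_LOG))
    for ip, s in summary.items():
        print(f"{ip}: {s['guesses']} failed guesses over {s['connections']} connection(s), users={s['users']}")
    print("suspicious:", suspicious_sources(summary))
```

Note that a per-source connection limit such as the ipfw `limit src-addr 4` rule above caps how many connections are open at once, not how many guesses each connection may carry; the two columns in this output are the two knobs the thread discusses.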