From owner-freebsd-questions@FreeBSD.ORG  Mon Nov 13 06:05:30 2006
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
X-Original-To: freebsd-questions@freebsd.org
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id D0B3C16A407
	for <freebsd-questions@freebsd.org>;
	Mon, 13 Nov 2006 06:05:30 +0000 (UTC) (envelope-from ewhac@best.com)
Received: from ewhac.best.vwh.net (ewhac.best.vwh.net [192.220.66.121])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 92E7C43D5A
	for <freebsd-questions@freebsd.org>;
	Mon, 13 Nov 2006 06:05:30 +0000 (GMT) (envelope-from ewhac@best.com)
Received: (qmail 62855 invoked by uid 17017); 13 Nov 2006 06:05:30 -0000
Received: from unknown (HELO walkies.ewhac.org) ([127.0.0.1])
	(envelope-sender <ewhac@best.com>)
	by 127.0.0.1 (qmail-ldap-1.03) with SMTP
	for <freebsd-questions@freebsd.org>; 13 Nov 2006 06:05:30 -0000
Received: from ewhac by walkies.ewhac.org with local (Exim 3.36 #1 (Debian))
	id 1GjUwi-00025F-00
	for <freebsd-questions@freebsd.org>; Sun, 12 Nov 2006 22:05:28 -0800
Date: Sun, 12 Nov 2006 22:05:28 -0800
To: freebsd-questions@freebsd.org
Message-ID: <20061113060528.GA7646@best.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.13 (2006-08-11)
From: "Leo L. Schwab" <ewhac@best.com>
Subject: Blocking SSH Brute-Force Attacks: What Am I Doing Wrong?
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Nov 2006 06:05:30 -0000

	I recently installed FreeBSD 6.1 on my gateway.  It replaced an
installation of FreeBSD 4.6.8 (fresh install, not an upgrade) on which I had
disabled the SSH server.  Since all the bugs in SSH are fixed now ( :-) ), I
thought I'd leave the server on, and am somewhat dismayed to discover that I
now get occasional brute-force/dictionary attacks on the port.

	A little Googling revealed a couple of potentially useful tools:
'sshit' and 'bruteblock', both of which notice repeated login attempts from
a given IP address and blackhole it in the firewall.  I first tried 'sshit',
but after a couple days, I noticed in my daily reports that I was still
getting lengthy bruteforce attempts, suggesting the 'sshit' was not working.

	So I uninstalled 'sshit' and installed 'bruteblock'.  But again a
couple days later, the logs showed lengthy bruteforce attempts going
unblocked.

	The relevant lines from my /etc/syslog.conf file are:

----
auth.info;authpriv.info				/var/log/auth.log
auth.info;authpriv.info		| exec /usr/local/sbin/bruteblock -f /usr/local/etc/bruteblock/ssh.conf
----

	Any hints as to what I might be doing wrong?

					Thanks,
					Schwab