From owner-freebsd-questions@FreeBSD.ORG Mon Nov 13 09:10:56 2006
Message-ID: <455836A2.6010004@gmx.net>
Date: Mon, 13 Nov 2006 10:10:58 +0100
From: Frank Staals <frankstaals@gmx.net>
To: "Leo L. Schwab"
Cc: freebsd-questions@freebsd.org
References: <20061113060528.GA7646@best.com>
In-Reply-To: <20061113060528.GA7646@best.com>
Subject: Re: Blocking SSH Brute-Force Attacks: What Am I Doing Wrong?

Leo L. Schwab wrote:
> I recently installed FreeBSD 6.1 on my gateway. It replaced an
> installation of FreeBSD 4.6.8 (fresh install, not an upgrade) on which I had
> disabled the SSH server. Since all the bugs in SSH are fixed now ( :-) ), I
> thought I'd leave the server on, and am somewhat dismayed to discover that I
> now get occasional brute-force/dictionary attacks on the port.
>
> A little Googling revealed a couple of potentially useful tools:
> 'sshit' and 'bruteblock', both of which notice repeated login attempts from
> a given IP address and blackhole it in the firewall. I first tried 'sshit',
> but after a couple of days, I noticed in my daily reports that I was still
> getting lengthy brute-force attempts, suggesting that 'sshit' was not working.
>
> So I uninstalled 'sshit' and installed 'bruteblock'. But again a
> couple of days later, the logs showed lengthy brute-force attempts going
> unblocked.
>
> The relevant lines from my /etc/syslog.conf file are:
>
> ----
> auth.info;authpriv.info /var/log/auth.log
> auth.info;authpriv.info | exec /usr/local/sbin/bruteblock -f /usr/local/etc/bruteblock/ssh.conf
> ----
>
> Any hints as to what I might be doing wrong?
>
> Thanks,
> Schwab

I had the same 'problem'. As said, it's not really a problem, since FreeBSD
will hold just fine if you don't have any rather stupid user + pass
combinations (test test or something like that). Although I thought it was
annoying that my entire log was clouded with those brute-force attacks, so I
just set sshd to listen on another port than 22. Maybe that's an acceptable
solution for you? You can change the sshd port in /etc/ssh/sshd_config.

Good luck,

-- 
-Frank Staals
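As an added example (not code from this thread, from sshit, or from bruteblock), here is the kind of sliding-window rule a blocker fed by the syslog pipe in the quoted /etc/syslog.conf applies: it parses auth.log lines in BSD syslog form, counts sshd authentication failures per source address, and reports the sources that exceed a failure threshold inside a time window. The sample log lines, the two sshd message formats, the RFC 5737 test addresses and the year 2006 are all constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# BSD syslog prefix plus two sshd failure messages (assumed formats, illustrative only).
SYSLOG_LINE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (.*)$")
FAIL_PATTERNS = (re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+"),
                 re.compile(r"PAM: authentication error for (?:illegal user )?\S+ from (\S+)"))

# Constructed sample of what syslog would pipe to a blocker (RFC 5737 test addresses).
SAMPLE_LOG = """\
Nov 13 09:00:01 gw sshd[812]: Failed password for invalid user test from 192.0.2.10 port 40001 ssh2
Nov 13 09:00:04 gw sshd[812]: Failed password for invalid user admin from 192.0.2.10 port 40002 ssh2
Nov 13 09:00:07 gw sshd[813]: error: PAM: authentication error for illegal user root from 192.0.2.10
Nov 13 09:00:09 gw sshd[814]: Failed password for root from 192.0.2.10 port 40004 ssh2
Nov 13 09:00:12 gw sshd[815]: Failed password for invalid user guest from 192.0.2.10 port 40005 ssh2
Nov 13 09:00:30 gw sshd[820]: Failed password for leo from 198.51.100.7 port 50010 ssh2
Nov 13 09:00:35 gw sshd[821]: Accepted publickey for leo from 198.51.100.7 port 50011 ssh2
Nov 13 09:01:00 gw sshd[830]: Failed password for invalid user oracle from 203.0.113.9 port 3001 ssh2
Nov 13 09:03:00 gw sshd[831]: Failed password for invalid user oracle from 203.0.113.9 port 3002 ssh2
"""

def parse_failure(line, year=2006):
    """Return (timestamp, source) for an sshd authentication failure line, else None."""
    m = SYSLOG_LINE.match(line)
    if not m:
        return None
    for pattern in FAIL_PATTERNS:
        hit = pattern.search(m.group(2))
        if hit:  # BSD syslog omits the year, so the caller supplies it
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            return ts, hit.group(1)
    return None

def sources_to_block(lines, max_failures=5, window_seconds=60):
    """Sliding-window rule: a source is reported once it has max_failures failures within window_seconds."""
    recent = defaultdict(deque)  # source -> timestamps of its failures still inside the window
    blocked = []
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, src = parsed
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:  # expire failures older than the window
            q.popleft()
        if len(q) >= max_failures and src not in blocked:
            blocked.append(src)  # this is the point where a blocker would add a firewall rule
    return blocked
```

Run against the sample, only 192.0.2.10 trips the default rule: the legitimate user's single failure and the two attempts from 203.0.113.9 spaced two minutes apart stay below the threshold.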