Date: Sun, 02 Oct 2005 20:03:09 -0400
From: Mike Tancsa <mike@sentex.net>
To: freebsd-security@freebsd.org
Subject: Re: Repeated attacks via SSH
Message-ID: <6.2.3.4.0.20051002181843.07cc9c10@64.7.153.2>
In-Reply-To: <200510022208.j92M8joS016722@gw.catspoiler.org>
References: <6.2.3.4.2.20051002153930.07a50528@localhost> <200510022208.j92M8joS016722@gw.catspoiler.org>
At 06:08 PM 02/10/2005, Don Lewis wrote:
> > practical, everyone limit SSH logins to the minimum possible number
> > of users via the "AllowUsers" directive. We also have a log monitor
> > that watches the logs (/var/log/auth.log in particular) and
> > blackholes hosts that seem to be trying to break in via SSH.
>
> It's also a good idea to only allow public key authentication from
> remote hosts. This avoids the risks of password guessing and password
> capture by shoulder surfers or key loggers.

Couple of other things to add:

deny all access via hosts.allow and only let in those who are supposed to come in

launch sshd from inetd and then use the rate limiting feature of inetd (e.g. -C 10) to reject hosts with more than 10 connection attempts from a single IP per minute

move to a different port than the default 22 to avoid scanners

use "port knocking" to dynamically allow a remote host to see port 22 (/usr/ports/security/doorman)

Also saw someone post on the openbsd list to use pf to rate limit
(http://groups.google.ca/group/lucky.openbsd.misc/tree/browse_frm/thread/86320212088ec09/42313fa39522f2b7?rnum=1&hl=en&q=openbsd+ssh+crackers+pf+table+ssh&_done=%2Fgroup%2Flucky.openbsd.misc%2Fbrowse_frm%2Fthread%2F86320212088ec09%2F605665a2b79f493b%3Flnk%3Dst%26q%3Dopenbsd+ssh+crackers+pf+table+ssh%26rnum%3D1%26hl%3Den%26#doc_605665a2b79f493b)

--------
table <crackers> persist file "/etc/tables/crackers"
block in quick from <crackers>
pass in on $ext_if inet proto tcp from any to ($ext_if) \
    port $tcp_services flags S/SA modulate state \
    (max-src-conn 5, max-src-conn-rate 4/60, overload <crackers> flush global)

crontab:
0 * * * * pfctl -t crackers -Tsh > /etc/tables/crackers
--------------

---Mike
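The log monitor mentioned in the quoted reply and the pf overload rule above, as an added Python example that is not part of this thread or of any FreeBSD tool: it scans "Failed password" lines from a constructed auth.log sample, applies a sliding per-source window in the spirit of pf's max-src-conn-rate 4/60, and produces the pfctl commands that would put the offenders into the <crackers> table. The sample hosts, the year supplied for the syslog timestamps, the thresholds and the function names are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd lines in FreeBSD /var/log/auth.log syslog format (hypothetical hosts, not real traffic).
SAMPLE_AUTH_LOG = """\
Oct  2 18:01:02 gw sshd[1201]: Failed password for invalid user admin from 192.0.2.10 port 4123 ssh2
Oct  2 18:01:04 gw sshd[1203]: Failed password for invalid user test from 192.0.2.10 port 4124 ssh2
Oct  2 18:01:05 gw sshd[1205]: Failed password for root from 192.0.2.10 port 4125 ssh2
Oct  2 18:01:09 gw sshd[1207]: Failed password for invalid user oracle from 192.0.2.10 port 4126 ssh2
Oct  2 18:01:10 gw sshd[1209]: Failed password for invalid user guest from 192.0.2.10 port 4127 ssh2
Oct  2 18:01:40 gw sshd[1213]: Accepted publickey for mike from 198.51.100.7 port 50123 ssh2
Oct  2 19:30:00 gw sshd[1400]: Failed password for invalid user admin from 203.0.113.5 port 3301 ssh2
Oct  2 19:45:00 gw sshd[1402]: Failed password for invalid user admin from 203.0.113.5 port 3302 ssh2
Oct  2 19:50:00 gw sshd[1404]: Failed password for invalid user admin from 203.0.113.5 port 3303 ssh2
Oct  2 19:55:00 gw sshd[1406]: Failed password for invalid user admin from 203.0.113.5 port 3304 ssh2
Oct  2 19:59:00 gw sshd[1408]: Failed password for invalid user admin from 203.0.113.5 port 3305 ssh2
"""

# Match only password failures; "Accepted ..." lines and other daemons are ignored.
FAILED_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+) port \d+")

def parse_failures(text, year=2005):
    """Yield (timestamp, source_ip) per failed login; syslog carries no year, so one is supplied."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            yield datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"), m.group(2)

def find_offenders(text, max_failures=4, window_seconds=60):
    """Return IPs with more than max_failures failures inside any window_seconds span (per-source sliding window)."""
    by_ip = defaultdict(list)
    for ts, ip in parse_failures(text):
        by_ip[ip].append(ts)
    offenders = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1  # slide the window forward until it spans at most window_seconds
            if end - start + 1 > max_failures:
                offenders.add(ip)
                break
    return sorted(offenders)

def pf_table_commands(ips, table="crackers"):
    """pfctl invocations that would add each offender to the persistent <crackers> table."""
    return [f"pfctl -t {table} -T add {ip}" for ip in ips]
```

With the default 4-in-60-seconds threshold only the fast guesser is flagged; widening the window (e.g. to an hour) also catches the slow scanner, which is the trade-off any such monitor has to pick.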
