From owner-freebsd-security@FreeBSD.ORG Mon Oct 3 00:03:11 2005
Message-Id: <6.2.3.4.0.20051002181843.07cc9c10@64.7.153.2>
Date: Sun, 02 Oct 2005 20:03:09 -0400
From: Mike Tancsa <mike@sentex.net>
To: freebsd-security@freebsd.org
In-Reply-To: <200510022208.j92M8joS016722@gw.catspoiler.org>
References: <6.2.3.4.2.20051002153930.07a50528@localhost> <200510022208.j92M8joS016722@gw.catspoiler.org>
Subject: Re: Repeated attacks via SSH
List-Id: "Security issues [members-only posting]"
At 06:08 PM 02/10/2005, Don Lewis wrote:
> > practical, everyone limit SSH logins to the minimum possible number
> > of users via the "AllowUsers" directive. We also have a log monitor
> > that watches the logs (/var/log/auth.log in particular) and
> > blackholes hosts that seem to be trying to break in via SSH.
>
> It's also a good idea to only allow public key authentication from
> remote hosts. This avoids the risks of password guessing and password
> capture by shoulder surfers or key loggers.

Couple of other things to add:

deny all access via hosts.allow and only let in those who are supposed to come in

launch sshd from inetd and then use the rate limiting feature of inetd (e.g. -C 10) to reject hosts with more than 10 connection attempts from a single IP per minute

Move to a different port than the default 22 to avoid scanners

use "port knocking" to dynamically allow a remote host to see port 22 (/usr/ports/security/doorman)

Also saw someone post on the openbsd list to use pf to rate limit
(http://groups.google.ca/group/lucky.openbsd.misc/tree/browse_frm/thread/86320212088ec09/42313fa39522f2b7?rnum=1&hl=en&q=openbsd+ssh+crackers+pf+table+ssh&_done=%2Fgroup%2Flucky.openbsd.misc%2Fbrowse_frm%2Fthread%2F86320212088ec09%2F605665a2b79f493b%3Flnk%3Dst%26q%3Dopenbsd+ssh+crackers+pf+table+ssh%26rnum%3D1%26hl%3Den%26#doc_605665a2b79f493b)

--------
# $ext_if and $tcp_services are macros defined elsewhere in pf.conf
table <crackers> persist file "/etc/tables/crackers"
block in quick from <crackers>
pass in on $ext_if inet proto tcp from any to ($ext_if) \
    port $tcp_services flags S/SA modulate state \
    (max-src-conn 5, max-src-conn-rate 4/60, overload <crackers> flush global)

crontab:
0 * * * * pfctl -t crackers -T show > /etc/tables/crackers
--------------

---Mike
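The pf rule above counts TCP connections, not failed logins, so a slow guesser that stays under 4 connections a minute never lands in the table. The "log monitor that watches /var/log/auth.log" mentioned in the quoted message closes that gap. The script below is an added example written for this page (not code from the thread or from FreeBSD): a minimal sh/awk monitor that counts sshd "Failed password" lines per source address and emits the offenders in the one-address-per-line format that `table <crackers> persist file "/etc/tables/crackers"` loads. The function names (`offenders`, `write_sample_log`, `report`, `block_offenders`), the threshold values, the hostname `gw` and the log excerpt are all constructed for the example; the table name `crackers` and the pfctl usage follow the post's own snippet, and pfctl is only invoked if it is actually installed.

```shell
#!/bin/sh
# Added example (not part of the original post): log-based SSH brute-force
# detection feeding the pf <crackers> table from the thread.

# offenders LOGFILE THRESHOLD
#   Print, sorted, every source IP with more than THRESHOLD failed sshd
#   password logins in LOGFILE. Only "Failed password for ... from IP" lines
#   are counted: sshd also logs "Invalid user X from IP" for the same attempt,
#   and counting both would double the score for unknown usernames.
offenders() {
    awk -v limit="$2" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { fails[$(i+1)]++; break }
        }
        END {
            for (ip in fails)
                if (fails[ip] > limit) print ip
        }
    ' "$1" | sort
}

# write_sample_log FILE
#   Constructed auth.log excerpt (assumed FreeBSD sshd/syslog format):
#   10.0.0.5 fails 4 times, 10.0.0.7 fails once, 192.0.2.9 fails 6 times,
#   plus one successful key login that must not be counted.
write_sample_log() {
    cat > "$1" <<'EOF'
Oct  2 18:01:02 gw sshd[5001]: Invalid user admin from 10.0.0.5
Oct  2 18:01:02 gw sshd[5001]: Failed password for invalid user admin from 10.0.0.5 port 40001 ssh2
Oct  2 18:01:05 gw sshd[5003]: Failed password for invalid user admin from 10.0.0.5 port 40002 ssh2
Oct  2 18:01:09 gw sshd[5005]: Failed password for root from 10.0.0.5 port 40003 ssh2
Oct  2 18:01:12 gw sshd[5007]: Failed password for root from 10.0.0.5 port 40004 ssh2
Oct  2 18:02:30 gw sshd[5010]: Invalid user test from 10.0.0.7
Oct  2 18:02:30 gw sshd[5010]: Failed password for invalid user test from 10.0.0.7 port 51000 ssh2
Oct  2 18:03:01 gw sshd[5012]: Failed password for invalid user oracle from 192.0.2.9 port 3001 ssh2
Oct  2 18:03:03 gw sshd[5014]: Failed password for invalid user oracle from 192.0.2.9 port 3002 ssh2
Oct  2 18:03:05 gw sshd[5016]: Failed password for invalid user guest from 192.0.2.9 port 3003 ssh2
Oct  2 18:03:07 gw sshd[5018]: Failed password for invalid user guest from 192.0.2.9 port 3004 ssh2
Oct  2 18:03:09 gw sshd[5020]: Failed password for root from 192.0.2.9 port 3005 ssh2
Oct  2 18:03:11 gw sshd[5022]: Failed password for root from 192.0.2.9 port 3006 ssh2
Oct  2 18:05:00 gw sshd[5030]: Accepted publickey for mike from 192.168.43.27 port 2222 ssh2
EOF
}

# report THRESHOLD
#   Run the detector over the constructed sample and print the offenders.
report() {
    tmp=$(mktemp /tmp/authlog.XXXXXX)
    write_sample_log "$tmp"
    offenders "$tmp" "$1"
    rm -f "$tmp"
}

# block_offenders LOGFILE THRESHOLD TABLEFILE
#   Merge new offenders into the persisted table file (the file the post's
#   "table <crackers> persist file" line reloads at boot) and, if pf is
#   installed, push them into the live <crackers> table as root would.
#   Assumes pf.conf already declares <crackers> and blocks from it.
block_offenders() {
    offenders "$1" "$2" >> "$3"
    sort -u -o "$3" "$3"
    if [ -x /sbin/pfctl ]; then
        /sbin/pfctl -t crackers -T add -f "$3"
    fi
}

# Stand-alone run: addresses with more than 3 failures in the sample.
report 3
```

On a real host this would run from cron alongside the post's hourly `pfctl -t crackers -T show` dump, e.g. `block_offenders /var/log/auth.log 5 /etc/tables/crackers`; the two mechanisms complement each other, since pf's `max-src-conn-rate` stops the fast scanner at the state table before sshd ever sees it, and the log scan catches the patient one that pf lets through.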