From: Jeremy Chadwick
To: Rich Healey
Cc: freebsd-hackers@freebsd.org
Subject: Re: SSH Brute Force attempts
Date: Mon, 29 Sep 2008 20:30:33 -0700
Message-ID: <20080930033033.GA35849@icarus.home.lan>
In-Reply-To: <48E16E93.3090601@gmail.com>

On Tue, Sep 30, 2008 at 10:10:59AM +1000, Rich Healey wrote:
> Recently I'm getting a lot of brute force attempts on my server, in the
> past I've used various tips and tricks with linux boxes but many of them
> were fairly linux specific.
>
> What do you BSD guys use for this purpose?

This probably should've gone to -security, correct.

There are 3 ports which people often use for solving this:

  ports/security/blocksshd
  ports/security/sshblock
  ports/security/sshguard-(pf|ipfw|ipfilter)

The latter depends on which firewalling stack you use, and I believe one
of the other two only works with ipfw (I forget which).

I have great reservations using any of these, because they dynamically
add firewalling rules/tables to your machines based on data in log files.
For me, it smells of an accident waiting to happen.

I'm an advocate of simply blocking large netblocks where most of these
attacks come from (Latin America, eastern Europe, Asia, and Russia).
This requires that you appropriately tune things over time, and *be
intelligent* about what you're doing. :-)

What we use in our pf.conf on our production systems:

  # Table names are inferred: the angle-bracketed names were stripped
  # from the archived copy of this message.
  table <ssh-allow> persist file "/conf/ME/pf.conf.ssh-allow"
  table <ssh-deny> persist file "/conf/ME/pf.conf.ssh-deny"

  block in on $ext_if proto tcp from <ssh-deny> to any port ssh
  pass in on $ext_if proto tcp from <ssh-allow> to any port ssh flags S/SA keep state

pf.conf.ssh-deny contains a list of IPs or CIDRs which are to be blocked.
I can provide this file if desired.

pf.conf.ssh-allow contains a list of IPs or CIDRs which "override" blocks
in the previous "block" rule. The reason we have this is due to one
Russian user who wasn't able to SSH into our boxes due to the previous
block rule.

You naturally have to keep pf.conf.ssh-* in sync if you have multiple
machines. You can use pfsync(4) to accomplish this task (I think), or you
can do it the obvious way (make a central distribution box that
scp/rsync's the files out and runs "/etc/rc.d/pf reload").

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
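The "obvious way" described at the end of the message (a central box that pushes the table files out and reloads pf) is the part most likely to bite in practice: one malformed line in pf.conf.ssh-deny makes pfctl reject the whole file on the next reload, which is the kind of accident the message warns about. The script below is an added example, not code from Jeremy Chadwick's message or from the FreeBSD project. It validates both table files as plain IPv4 addresses or CIDRs before anything is copied, then pushes them to each host and swaps the live tables with `pfctl -t <table> -T replace -f <file>` instead of a full ruleset reload. The table names `ssh-allow`/`ssh-deny` and the path `/conf/ME` are taken from the message as reconstructed above; the host names and the `root@` login are placeholders, and `DRY_RUN=1` prints the remote commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the original message). Validate pf table files
# locally, then distribute them and replace the live tables on each host.
# Assumptions: tables are named ssh-allow/ssh-deny and live under
# /conf/ME on every host (taken from the message); hosts are placeholders.

REMOTE_DIR=/conf/ME   # assumed remote location of the table files

# Run a command, or just print it when DRY_RUN=1 (lets the script be
# exercised without ssh/scp access).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Return 0 if every non-blank, non-comment line of $1 is an IPv4 address
# or an IPv4 CIDR (prefix 0-32, every octet 0-255); report bad lines on
# stderr and return 1 otherwise. Only a hostile or typo'd entry fails here.
validate_table_file() {
    tfile="$1"
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        # strip trailing comments and surrounding whitespace
        entry=$(printf '%s' "$line" | sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//')
        [ -z "$entry" ] && continue
        if ! printf '%s' "$entry" | \
             grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'; then
            printf 'invalid entry in %s: %s\n' "$tfile" "$line" >&2
            bad=1
            continue
        fi
        # the regex only bounds digit count; check each octet's value too
        ip=${entry%%/*}
        oldifs=$IFS
        IFS=.
        set -- $ip
        IFS=$oldifs
        for octet in "$@"; do
            if [ "$octet" -gt 255 ]; then
                printf 'octet out of range in %s: %s\n' "$tfile" "$line" >&2
                bad=1
            fi
        done
    done < "$tfile"
    return $bad
}

# push_tables SRCDIR HOST...: validate SRCDIR/pf.conf.ssh-{allow,deny},
# copy them to every host and replace the live pf tables in place.
# Returns 1 without touching any host if validation fails.
push_tables() {
    srcdir="$1"
    shift
    for f in pf.conf.ssh-allow pf.conf.ssh-deny; do
        validate_table_file "$srcdir/$f" || return 1
    done
    for host in "$@"; do
        run scp -q "$srcdir/pf.conf.ssh-allow" "$srcdir/pf.conf.ssh-deny" \
            "root@$host:$REMOTE_DIR/"
        # -T replace swaps the table contents atomically; no ruleset reload needed
        run ssh "root@$host" \
            "pfctl -t ssh-allow -T replace -f $REMOTE_DIR/pf.conf.ssh-allow && \
             pfctl -t ssh-deny -T replace -f $REMOTE_DIR/pf.conf.ssh-deny"
    done
}

# Usage (hosts are placeholders):
#   DRY_RUN=1 sh push-ssh-tables.sh   # after editing the two files in ./tables
# push_tables ./tables fw1.example.net fw2.example.net
```

Because the tables are declared `persist file` in pf.conf, the copied files also survive a later full `/etc/rc.d/pf reload`, so the two update paths stay consistent. Validating before copying is what keeps a bad edit on the distribution box from breaking every firewall at once.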