From: Samuel Martín Moro
Date: Mon, 11 Jan 2010 17:20:39 +0100
To: Anton Shterenlikht
Cc: freebsd-questions@freebsd.org
Subject: Re: denying spam hosts ssh access - good idea?

I had the same ssh-bruteforce troubles.
Here's the script I use against that.
It's in cron, launched every 2 minutes.

#!/bin/sh
# Scan auth.log for failed/invalid ssh logins and add repeat offenders to
# hosts.deny, skipping addresses already listed in /etc/hosts or hosts.deny.
AUTH=/var/log/auth.log
BKLST=/var/log/blacklist.log
HOSTS=/etc/hosts
DHOSTS=/etc/hosts.deny

# Unique source addresses seen in failed-login lines ("... from A.B.C.D ...")
egrep -i "(illegal|invalid|failed)" "$AUTH" | awk -F "from" '{print $2}' | awk '{print $1}' | sort -u >"$BKLST"

for i in `cat "$BKLST"`; do
    # -F -w: match the address literally and as a whole word, so 1.2.3.4
    # does not also count 1.2.3.45 and the dots are not regex wildcards
    nerr=`egrep -i "(illegal|invalid|failed)" "$AUTH" | grep -Fw -- "$i" | wc -l`
    if [ "$nerr" -ge 3 ] && ! grep -Fwq -- "$i" "$HOSTS" && ! grep -Fwq -- "$i" "$DHOSTS"; then
        echo "ALL : $i # matched on `date`" >>"$DHOSTS"
    fi
done
# note: I added my home & work IPs to /etc/hosts

I can't use ssh-keys (many of my users don't know how that works/what it is).
But if you can do it, you should.

Samuel Martín Moro

On Mon, Jan 11, 2010 at 4:59 PM, Anton Shterenlikht wrote:
> On Mon, Jan 11, 2010 at 03:25:04PM +0000, Matthew Seaman wrote:
> > Anton Shterenlikht wrote:
> > > I'm thinking of denying ssh access to host from which
> > > I get brute force ssh attacks.
> > >
> > > However, I see in /etc/hosts.allow:
> > >
> > > # Wrapping sshd(8) is not normally a good idea, but if you
> > > # need to do it, here's how
> > > #sshd : .evil.cracker.example.com : deny
> > >
> > > Why is it not a good idea?
> >
> > Probably because ssh is likely to be the only method of login access
> > you have to a remote server, and hosts.allow could conceivably be spoofed
> > into blocking your legitimate access? In any case, hosts.allow is a
> > poor relation to using a real firewall -- it has no access to the lower
> > level bits of the networking code, so has to allow a full tcp connection
> > setup before it can block anything. Some daemons allow quite a lot of
> > interaction with the remote site when using hosts.allow functionality --
> > eg. sendmail will apparently go through all of the stages of accepting an
> > incoming e-mail from a denied host, right up to the 'MAIL FROM...' section
> > of the SMTP transaction where it will respond with a 500 permanent failure
> > error code. [admittedly this does have the benefit that the other side
> > will then immediately give up trying to send the message if it's playing
> > by the RFC rules. (Most spam-bots don't, of course.) Otherwise, you'd get
> > the remote side retrying the message several times an hour over the next
> > 5 days before it timed out and gave up.
> >
> > > Also, apparently in older ssh there was DenyHosts option,
> > > but no longer in the current version.
> > > Is there a replacement for DenyHosts?
> > > Or is there a good reason for such option not to be used?
> >
> > I believe you can do something like this:
> >
> > match address 192.168.23.0/24,172.16.0.0/16
> > ForceCommand /usr/sbin/nologin
> >
> > but this is not foolproof, as it is run via the users' login shell
> > and a sufficiently cunning person can arrange for all sorts of
> > interesting things to happen from their shell initialization files...
>
> Matthew, this makes sense
>
> many thanks
> anton
>
> --
> Anton Shterenlikht
> Room 2.6, Queen's Building
> Mech Eng Dept
> Bristol University
> University Walk, Bristol BS8 1TR, UK
> Tel: +44 (0)117 331 5944
> Fax: +44 (0)117 929 4423
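As an added example (not the poster's script and not part of the original thread), here is a variant of the same log-scanning idea: it counts failed-login lines per source address, takes the threshold and a skip list as parameters, and compares addresses exactly, so a listed host such as 203.0.113.5 cannot mask 203.0.113.50. The log lines and addresses are constructed for the demo.

```shell
#!/bin/sh
# Added example, not the poster's script: count failed sshd logins per
# source address and emit hosts.deny lines for repeat offenders. Addresses
# are compared as exact whole lines, so 203.0.113.5 in the skip list never
# hides 203.0.113.50, and the dots are never treated as regex wildcards.

# Constructed sample log lines in auth.log style (not real data).
SAMPLE_LOG='Jan 11 16:01:02 host sshd[1234]: Invalid user admin from 203.0.113.5
Jan 11 16:01:03 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 4422 ssh2
Jan 11 16:01:05 host sshd[1235]: Failed password for invalid user test from 203.0.113.5 port 4423 ssh2
Jan 11 16:02:00 host sshd[1236]: Failed password for root from 203.0.113.50 port 2222 ssh2
Jan 11 16:02:30 host sshd[1237]: Failed password for alice from 198.51.100.7 port 50000 ssh2
Jan 11 16:03:00 host sshd[1238]: Accepted publickey for bob from 198.51.100.7 port 50001 ssh2'

# offenders THRESHOLD SKIPLIST   (log text on stdin)
# SKIPLIST is a newline-separated list of addresses to leave alone: your own
# hosts plus whatever is already in hosts.deny. Prints "ALL : <ip>" for every
# address with at least THRESHOLD failed/invalid-login lines.
offenders() {
    threshold=$1
    skiplist=$2
    grep -Ei 'illegal|invalid|failed' |
        sed -En 's/.* from ([0-9]+(\.[0-9]+){3})( .*)?$/\1/p' |
        sort | uniq -c |
        while read -r count ip; do
            [ "$count" -ge "$threshold" ] || continue
            # -x whole line, -F fixed string: an exact-address comparison
            printf '%s\n' "$skiplist" | grep -qxF -- "$ip" && continue
            echo "ALL : $ip"
        done
}

# Demo: three failures from 203.0.113.5, one each from the other two hosts,
# with 198.51.100.7 on the skip list. Only 203.0.113.5 is printed.
printf '%s\n' "$SAMPLE_LOG" | offenders 3 "198.51.100.7"
```

For real use, feed /var/log/auth.log on stdin and append the output to /etc/hosts.deny from cron, as the poster's script does.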