From: Oliver Fromme <olli@lurza.secnetix.de>
To: freebsd-hackers@FreeBSD.ORG, healey.rich@gmail.com
Date: Tue, 30 Sep 2008 10:22:22 +0200 (CEST)
Subject: Re: SSH Brute Force attempts
Message-Id: <200809300822.m8U8MMXV026149@lurza.secnetix.de>
In-Reply-To: <48E16E93.3090601@gmail.com>

Rich Healey wrote:
> Recently I'm getting a lot of brute force attempts on my server, in the
> past I've used various tips and tricks with linux boxes
> but many of them were fairly linux specific.
>
> What do you BSD guys use for this purpose?

There's nothing that replaces using either *good* passwords or *no* passwords at all (i.e. ssh keys instead).

I completely agree with Jeremy Chadwick that using programs that change your packet filter rules automatically can be dangerous. I recommend against this. Especially it does not protect you if you have weak passwords. In fact it might open a hole that someone can successfully run a DoS attack against your machine by spoofing one of your own IP addresses, or the IP address of your upstream router, or DNS server, or whatever.

If you're merely annoyed about the large amount of logging entries caused by the break-in attempts, a good solution is to move the sshd service from the standard port 22 to a different, non-standard port (e.g. 222 or whatever, but it should be a "reserved" port, i.e. less than 1024 which is the default high limit for the reserved port range). Most attackers are just "script kiddies" that use automated software that tries only port 22. You can put an entry in ~/.ssh/config on your client machines so you don't even have to remember to specify the port number when ssh'ing to your server.

Alternatively you can configure sshd to listen on port 22 *and* an alternate port, and block port 22 for everything except a few known-good addresses or networks. That way you don't have to do anything special when connecting from any of your usual clients, but you can still connect from anywhere else if necessary by using the non-standard port.

Of course, the non-standard port trick is *not* a security measure. It only makes your machine "a little bit more invisible" to script kiddies and prevents them from filling your log files. It might also give you a very small advance in case of zero-day attacks. It does *not* help against weak passwords or laziness to patch known holes, or other kinds of operator failure.
Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Handelsregister: Registergericht Muenchen, HRA 74606, Geschäftsfuehrung:
secnetix Verwaltungsgesellsch. mbH, Handelsregister: Registergericht München,
HRB 125758, Geschäftsführer: Maik Bachmann, Olaf Erb, Ralf Gebhart
FreeBSD-Dienstleistungen, -Produkte und mehr: http://www.secnetix.de/bsd

"What is this talk of 'release'? We do not make software 'releases'.
Our software 'escapes', leaving a bloody trail of designers and quality
assurance people in its wake."
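The two-port setup described in the mail (sshd on 22 plus an alternate port, pf admitting port 22 only from known-good networks, and a client-side ~/.ssh/config alias), written out as an added example that is not part of Oliver's message. The interface name em0, port 2222, the trusted addresses and the host name myserver.example.net are placeholders; the install prefix argument exists so the script can be dry-run into a temporary directory.

```sh
#!/bin/sh
# Added example (not from the mail): sshd listens on 22 and an alternate port,
# pf lets port 22 in only from trusted networks, the alternate port stays open.
# All interface names, ports, host names and addresses are placeholders.

# $1 install prefix ("" on the live host, a temp dir for a dry run)
# $2 external interface, $3 alternate port, $4 trusted nets (pf list syntax)
install_ssh_port_split() {
    prefix=$1 ext_if=$2 alt_port=$3 trusted=$4
    mkdir -p "$prefix/etc/ssh"

    # Several Port lines make sshd listen on all of them.
    printf 'Port 22\nPort %s\n' "$alt_port" >> "$prefix/etc/ssh/sshd_config"

    # pf: last matching rule wins, so the pass for <ssh_trusted> overrides
    # the block on port 22; the alternate port is reachable from anywhere.
    # The heredoc is quoted so $ext_if/$alt_ssh stay pf macros, not shell vars.
    {
        printf 'ext_if = "%s"\nalt_ssh = "%s"\n' "$ext_if" "$alt_port"
        printf 'table <ssh_trusted> persist { %s }\n' "$trusted"
        cat <<'EOF'
block in on $ext_if proto tcp to ($ext_if) port 22
pass in on $ext_if proto tcp from <ssh_trusted> to ($ext_if) port 22 keep state
pass in on $ext_if proto tcp to ($ext_if) port $alt_ssh keep state
EOF
    } >> "$prefix/etc/pf.conf"
}

# Client side: $1 home dir, $2 server host name, $3 alternate port.
# Afterwards "ssh myserver" uses the alternate port without -p.
write_client_ssh_config() {
    home=$1 host=$2 alt_port=$3
    mkdir -p "$home/.ssh"
    printf 'Host myserver\n    HostName %s\n    Port %s\n' "$host" "$alt_port" \
        >> "$home/.ssh/config"
}

# On the live host, check the syntax before loading anything:
#   install_ssh_port_split "" em0 2222 "192.0.2.0/24, 198.51.100.7"
#   sshd -t && /etc/rc.d/sshd reload
#   pfctl -nf /etc/pf.conf && pfctl -f /etc/pf.conf
```

Keep a session open on the old port while reloading pf and sshd, so a typo in the trusted table cannot lock you out.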