Date:      Mon, 13 Nov 2006 08:58:48 -0600
From:      "eculp@encontacto.net" <eculp@encontacto.net>
To:        freebsd-questions@freebsd.org
Subject:   Re: Blocking SSH Brute-Force Attacks: What Am I Doing Wrong?
Message-ID:  <20061113085848.hhrckc0etc0scgww@correo.encontacto.net>
In-Reply-To: <3ee9ca710611130629s28f957c7x362c61dbfbe5cacf@mail.gmail.com>
References:  <20061113060528.GA7646@best.com> <455836A2.6010004@gmx.net> <20061113060356.E202.GERARD@seibercom.net> <3ee9ca710611130629s28f957c7x362c61dbfbe5cacf@mail.gmail.com>

Quoting Andy Greenwood <greenwood.andy@gmail.com>:

> On 11/13/06, Gerard Seibert <gerard@seibercom.net> wrote:
>> On Monday November 13, 2006 at 04:10:58 (AM) Frank Staals wrote:
>>
>>
>>> I had the same 'problem'. As said, it's not really a problem since FreeBSD
>>> will hold just fine if you don't have any rather stupid user + pass
>>> combinations (test test or something like that). Although I thought
>>> it was annoying that my entire log was clouded with those brute force
>>> attacks, so I just set sshd to listen on another port than 22. Maybe
>>> that's an acceptable solution for you? You can change the sshd port in
>>> /etc/ssh/sshd_config
>>
>> Security through obscurity is a bad idea. Rather, use SSH key based
>> authentication exclusively.  Turn off all of the password stuff in
>> sshd_config.  Laugh at the poor fools trying to break in.
>
> I second this notion. I had bruteforceblocker running and recently
> switched to key based auth only. The good news is no one is breaking
> in. The bad news is that my server is remote and difficult to get
> physical access to, and the only key I uploaded initially was my work
> PC's. Tried to get in from home over the weekend and found that I had
> locked myself out! Doh! Just make sure that you have at least one PC
> you can get to from anywhere which has a key to get into your server.

If you are using pf, a quick Google search gives you several differing
versions of what I am using on the servers that I maintain.

http://www.google.com.mx/search?hl=es&q=%2Bmax-src-conn-rate+%2Bpf+brute+force&btnG=B%C3%BAsqueda+en+Google&meta=

They are all max-src-conn-rate based and use the sysutils/expiretable
port to clear the blocked IPs.

An example that I haven't read is here:

http://johan.fredin.info/openbsd/block_ssh_bruteforce.html

I just took one and tweaked it over time and it works great.

I only allow 3 login attempts in 30 minutes, so the brute who is
trying to force his way in had better be a very good guesser ;)

I did a bit of restricting in sshd_config also, but I only remember MaxAuthTries.

An unexpected side effect of this is that now I get only one or two
attempts a day, and before there were multiple, simultaneous attempts
24 hours a day.

In my daily security report I see something like today's, every day.

Nov 12 10:22:15 HOME sshd[82578]: Invalid user staff from 203.152.218.209
Nov 12 10:22:22 HOME sshd[83191]: Invalid user sales from 203.152.218.209
Nov 12 10:22:29 HOME sshd[83489]: Invalid user recruit from 203.152.218.209
Nov 12 12:47:10 HOME sshd[18369]: Invalid user staff from 24.11.169.203
Nov 12 12:47:12 HOME sshd[18421]: Invalid user sales from 24.11.169.203
Nov 12 12:47:15 HOME sshd[18425]: Invalid user recruit from 24.11.169.203

Before there were pages and pages.  If you aren't using PF there may
be something similar to max-src-conn-rate in your firewall; if not,
you may want to convert ;)

Good luck,

ed

>>
>>
>> --
>> Gerard
>>
>>     Mail from '@gmail' is rejected and/or discarded here. Don't waste
>>     your time!
>> _______________________________________________
>> freebsd-questions@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>>
>
>
> --
> I'm nerdy in the extreme and whiter than sour cream
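The pf setup ed describes (a max-src-conn-rate rule that overloads offenders into a table, with expiretable to age them out) written out as an added example. This is not ed's own ruleset, which the message does not include; the interface name em0, the table names, and the trusted address 198.51.100.10 are assumptions made here.

```pf
# /etc/pf.conf fragment (added example; em0, the table names and the
# trusted address 198.51.100.10 are assumptions, not from the thread)
ext_if = "em0"

# Hosts that must never be rate-limited. Put your own admin box here,
# or you can lock yourself out the same way Andy did with his missing key.
table <trusted> const { 198.51.100.10 }

# Offending sources land here. 'persist' keeps the table around even
# when no loaded rule references it, e.g. while the ruleset is reloaded.
table <bruteforce> persist

# 1. Admin hosts: no limits, and 'quick' stops rule evaluation here, so
#    their connections are never counted by the rate-limited rule below.
pass in quick on $ext_if proto tcp from <trusted> to ($ext_if) port ssh \
    flags S/SA keep state

# 2. Anything already in the table is dropped before it reaches sshd.
block in quick on $ext_if from <bruteforce>

# 3. Everyone else: at most 3 new TCP connections to port 22 per 1800 s
#    (30 minutes) from one source, and at most 10 open at once. Exceeding
#    either limit adds the source to <bruteforce>; 'flush global' also
#    kills that source's existing states from every rule, not just this one.
pass in quick on $ext_if proto tcp from any to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 3/1800, \
     overload <bruteforce> flush global)
```

Load it with `pfctl -f /etc/pf.conf`, list the blocked sources with `pfctl -t bruteforce -T show`, and release one by hand with `pfctl -t bruteforce -T delete 203.0.113.5`. pf itself never ages entries out of an overload table; that is what the sysutils/expiretable port is for, with a cron line such as `*/10 * * * * /usr/local/sbin/expiretable -t 24h bruteforce` removing addresses older than 24 hours (newer pf versions can do the same with `pfctl -t bruteforce -T expire 86400`). Two caveats a practitioner will want: max-src-conn-rate counts TCP connections, not login attempts, and sshd allows MaxAuthTries guesses per connection (default 6), so "3 per 30 minutes" is really up to 18 password guesses per half hour unless MaxAuthTries is lowered too; and a legitimate user who fumbles three connections in half an hour, or shares a NAT address with a scanner, gets the same 24-hour block, which is why the trusted table comes first. Setting `PasswordAuthentication no` and `ChallengeResponseAuthentication no` in sshd_config, as Gerard suggests, removes the guessing target altogether and turns the pf rule into log hygiene rather than a security boundary.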
