From owner-freebsd-questions@FreeBSD.ORG Mon Nov 13 15:18:30 2006
Message-ID: <20061113085848.hhrckc0etc0scgww@correo.encontacto.net>
Date: Mon, 13 Nov 2006 08:58:48 -0600
From: "eculp@encontacto.net"
To: freebsd-questions@freebsd.org
References: <20061113060528.GA7646@best.com> <455836A2.6010004@gmx.net> <20061113060356.E202.GERARD@seibercom.net> <3ee9ca710611130629s28f957c7x362c61dbfbe5cacf@mail.gmail.com>
In-Reply-To: <3ee9ca710611130629s28f957c7x362c61dbfbe5cacf@mail.gmail.com>
Subject: Re: Blocking SSH Brute-Force Attacks: What Am I Doing Wrong?
Quoting Andy Greenwood :

> On 11/13/06, Gerard Seibert wrote:
>> On Monday November 13, 2006 at 04:10:58 (AM) Frank Staals wrote:
>>
>>> I had the same 'problem'. As said, it's not really a problem since FreeBSD
>>> will hold just fine if you don't have any rather stupid user + pass
>>> combinations (test test or something like that). Although I thought
>>> it was annoying that my entire log was clouded with those brute force
>>> attacks, so I just set sshd to listen at another port than 22. Maybe
>>> that's an acceptable solution for you? You can change the ssh port in
>>> /etc/ssh/sshd_config
>>
>> Security through obscurity is a bad idea. Rather, use SSH key based
>> authentication exclusively. Turn off all of the password stuff in
>> sshd_config. Laugh at the poor fools trying to break in.
>
> I second this notion. I had bruteforceblocker running and recently
> switched to key based auth only. The good news is no one is breaking
> in. The bad news is that my server is remote and difficult to get
> physical access to, and the only key I uploaded initially was my work
> PC. Tried to get in from home over the weekend and found that I had
> locked myself out! Doh! Just make sure that you have at least one PC
> you can get to from anywhere which has a key to get into your server.

If you are using pf, a quick Google search gives you several differing
versions of what I am using on the servers that I maintain:

http://www.google.com.mx/search?hl=es&q=%2Bmax-src-conn-rate+%2Bpf+brute+force&btnG=B%C3%BAsqueda+en+Google&meta=

They are all max-src-conn-rate based and use the sysutils/expiretable
port to clear the blocked IPs.

An example that I haven't read is here:
http://johan.fredin.info/openbsd/block_ssh_bruteforce.html

I just took one and tweaked it over time and it works great. I only
allow 3 login attempts in 30 minutes, so the brute who is trying to
force his way in had better be a very good guesser ;)

I did a bit of restricting in sshd_config also, but only remember MaxAuthTries.

An unexpected side effect of this is that now I get only one or two
attempts a day, and before there were multiple, simultaneous attempts
24 hours a day. In my daily security report I see something like
today's, every day:

Nov 12 10:22:15 HOME sshd[82578]: Invalid user staff from 203.152.218.209
Nov 12 10:22:22 HOME sshd[83191]: Invalid user sales from 203.152.218.209
Nov 12 10:22:29 HOME sshd[83489]: Invalid user recruit from 203.152.218.209
Nov 12 12:47:10 HOME sshd[18369]: Invalid user staff from 24.11.169.203
Nov 12 12:47:12 HOME sshd[18421]: Invalid user sales from 24.11.169.203
Nov 12 12:47:15 HOME sshd[18425]: Invalid user recruit from 24.11.169.203

Before there were pages and pages. If you aren't using PF there may
be something similar to max-src-conn-rate in your firewall; if not,
you may want to convert ;)

Good luck,

ed

>> --
>> Gerard
>>
>> Mail from '@gmail' is rejected and/or discarded here. Don't waste
>> your time!
>> _______________________________________________
>> freebsd-questions@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>
> --
> I'm nerdy in the extreme and whiter than sour cream
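As an added example, not code from the thread or from the linked page: a pf.conf excerpt that encodes ed's "3 connections in 30 minutes" limit with an expiretable cron line to age blocked sources out, plus a small shell function that replays the sshd log lines quoted above (with one constructed extra line) against the same limit to show which sources the rule would have overloaded. The interface macro $ext_if, the table name <bruteforce>, and the expiretable path and interval are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. $ext_if, the <bruteforce> table name and the
# expiretable path/interval are assumptions; the log lines are the ones ed quotes plus
# one constructed line (10:23:01) from the same source to show the overload case.

# pf.conf excerpt: the 4th new TCP connection to sshd from one source within 1800 s
# (30 minutes) adds that source to <bruteforce> and flushes all of its states.
PF_RULES='table <bruteforce> persist
block in quick on $ext_if from <bruteforce>
pass in on $ext_if proto tcp to ($ext_if) port ssh flags S/SA keep state \
    (max-src-conn-rate 3/1800, overload <bruteforce> flush global)'

# crontab line (sysutils/expiretable) that drops table entries older than 30 minutes:
EXPIRE_CRON='*/5 * * * * /usr/local/sbin/expiretable -t 30m bruteforce'

SAMPLE_LOG='Nov 12 10:22:15 HOME sshd[82578]: Invalid user staff from 203.152.218.209
Nov 12 10:22:22 HOME sshd[83191]: Invalid user sales from 203.152.218.209
Nov 12 10:22:29 HOME sshd[83489]: Invalid user recruit from 203.152.218.209
Nov 12 10:23:01 HOME sshd[83502]: Invalid user admin from 203.152.218.209
Nov 12 12:47:10 HOME sshd[18369]: Invalid user staff from 24.11.169.203
Nov 12 12:47:12 HOME sshd[18421]: Invalid user sales from 24.11.169.203
Nov 12 12:47:15 HOME sshd[18425]: Invalid user recruit from 24.11.169.203'

# overloaded_sources LOG LIMIT WINDOW: print each source whose "Invalid user" lines
# (one sshd child per connection) exceed LIMIT within any WINDOW seconds, i.e. the
# sources the pf rule above would overload. Same-day timestamps only; no rollover.
overloaded_sources() {
    printf '%s\n' "$1" | awk -v limit="$2" -v win="$3" '
    /Invalid user .* from / {
        split($3, h, ":"); t = h[1] * 3600 + h[2] * 60 + h[3]
        ip = $NF
        n[ip]++; ts[ip, n[ip]] = t
        c = 0
        for (i = 1; i <= n[ip]; i++) if (ts[ip, i] >= t - win) c++
        if (c > limit && !(ip in hit)) { hit[ip] = 1; print ip }
    }'
}

# Stand-alone run: print the rules, then the sources that trip the 3-in-30-minutes limit.
printf '%s\n\n%s\n\n' "$PF_RULES" "$EXPIRE_CRON"
overloaded_sources "$SAMPLE_LOG" 3 1800
```

Note that max-src-conn-rate counts TCP connections, not password guesses; MaxAuthTries in sshd_config bounds the guesses per connection, so the two together cap the total attempts per source per window.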