From owner-freebsd-questions@FreeBSD.ORG Tue Jan 19 09:52:16 2010
Date: Tue, 19 Jan 2010 09:52:15 +0000
From: Daniel Bye
To: freebsd-questions@freebsd.org
Subject: Re: /etc/hosts.deniedssh
Message-ID: <20100119095215.GJ3611@catflap.slightlystrange.org>
In-Reply-To: <201001190222.03539.oloringr@gmail.com>
References: <201001182239.20153.david@vizion2000.net> <201001190222.03539.oloringr@gmail.com>
User-Agent: Mutt/1.4.2.3i
X-Operating-System: FreeBSD 8.0-STABLE amd64
X-PGP-Fingerprint: D349 B109 0EB8 2554 4D75 B79A 8B17 F97C 1622 166A

On Tue, Jan 19, 2010 at 02:22:03AM +0200, Ed Jobs wrote:
> On Tuesday 19 January 2010 00:39, David Southwell wrote:
> > Examples from hosts.deniedssh
> > I seem to be on the receiving end of a concerted series of unsuccessful
> > break-in attacks on one of our systems.
> > One small part of the attack has
> > resulted in over 2000 entries in our hosts.deniedssh file in less than 1
> > hour.
> >
> > I would be interested in any comments on the small example shown below and
> > any advice.
> >
> > Thanks in advance
> >
> > David
>
> 2k entries are too much indeed.

Really?

wc -l /etc/hosts.deniedssh
12476 /etc/hosts.deniedssh

Unless you mean specifically that a couple thousand in an hour is a lot,
which I'd agree with, but wouldn't necessarily worry about it.

> are you running ssh on port 22?
> if yes, (and your users are ok with it) you can change it to another port.

No, don't do that. Instead, consider using public key authentication and
disabling password authentication. There are also various settings you can
tweak to control the number of unsuccessful login attempts you are prepared
to tolerate from an address in a predefined interval. sshd_config(5) will
show you the way.

Additionally, put all your permitted ssh users in a new group, and set the
sshd config option AllowGroups.

Better yet, as others have suggested, filter with a firewall - if you use
pf, you can leverage your /etc/hosts.deniedssh file by using it to populate
a pf table. You will need to configure DenyHosts to not resolve IP
addresses, and then you can put these in /etc/pf.conf:

table <denyhosts> persist file "/etc/hosts.deniedssh"
block in log quick on $ext_if from <denyhosts> to any

(Be sure to put these in suitable places. I don't have examples of using
ipf or ipfw, but I'm sure they can handle it just as well.)

DenyHosts provides a plugin system that allows you to run an arbitrary
command upon addition or purging of an address. I use it to reload my pf
table so I can be reasonably sure that the firewall's opinion of whom to
block is congruent with what DenyHosts thinks. A simple
`pfctl -t denyhosts -T reload -f /etc/hosts.deniedssh' should be sufficient
in either case, but you can get as fancy as you like.
> or maybe, temporarily disable ssh login and use cron to enable it again in
> some time in the future.

I would recommend against this, on the grounds that there may be a real
administrative need to connect to the server during this dark period. With
no ssh service until cron does its thing, you have no way of getting in,
which makes me far more nervous than people knocking at my ssh port...

Dan

-- 
Daniel Bye
                                                                     _
                                                ASCII ribbon campaign ( )
                                           - against HTML, vCards and  X
                                  - proprietary attachments in e-mail  / \
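Added example (mine, not text from Dan's or anyone else's post in this thread): the sshd_config(5) directives that implement the advice above, with the permissive settings shown commented out next to the hardened ones. The group name sshusers is illustrative; create it and put yourself in it (pw groupadd sshusers -M yourlogin) before restarting sshd, or AllowGroups will lock you out. One caveat worth knowing on FreeBSD: sshd uses PAM through keyboard-interactive authentication, so turning off PasswordAuthentication alone still lets a password through unless ChallengeResponseAuthentication is also turned off. Also note that sshd's own limits are per connection (MaxAuthTries, LoginGraceTime) or global (MaxStartups); counting failures per source address over an interval is what DenyHosts and the pf table do, not sshd.

```text
# /etc/ssh/sshd_config fragment: weak settings (commented) beside hardened ones

# Weak: passwords accepted, PAM keyboard-interactive also accepts passwords,
# six guesses per connection, two minutes to make them.
#PasswordAuthentication yes
#ChallengeResponseAuthentication yes
#MaxAuthTries 6
#LoginGraceTime 120

# Hardened
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no   # required on FreeBSD, or PAM still takes passwords
PermitRootLogin no
MaxAuthTries 3                       # key attempts per connection before disconnect
LoginGraceTime 30                    # seconds an unauthenticated connection may linger
MaxStartups 10:30:60                 # start refusing unauthenticated connections at 10,
                                     # refuse all at 60 (global, not per address)
AllowGroups sshusers                 # illustrative group name; members only
```

After editing, check the file with sshd -t before restarting, and keep an existing session open until you have confirmed a fresh key login works.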
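A second added example, written for this thread and not code from DenyHosts or FreeBSD: a small sh script to sit between DenyHosts and the pf table. pf's table file loader accepts only addresses or networks, one per line, so a hostname (which is why Dan says to stop DenyHosts resolving addresses) or a tcp_wrappers "sshd:" prefix in hosts.deniedssh is not something pfctl will load. The script filters the file down to bare IPv4 addresses, refuses to touch the table when the source file is unreadable (so a missing file cannot silently unblock everyone), and then pushes the list in with pfctl -T replace, which makes the kernel table equal to the file's contents so that purged hosts are unblocked as well as new ones being added. The table name denyhosts and the path /etc/hosts.deniedssh come from Dan's pf.conf lines; the script name, /var/db/denyhosts.pf, and the assumption that DenyHosts' PLUGIN_DENY/PLUGIN_PURGE hooks run the configured command with the affected address appended are mine. SAMPLE is constructed data, not a real log.

```shell
#!/bin/sh
# denyhosts2pf.sh: feed a DenyHosts output file into a pf table.
# Added example for this thread, not DenyHosts' or FreeBSD's own code.
# Assumptions (illustrative names): pf table <denyhosts> as in the pf.conf
# lines above, DenyHosts writing /etc/hosts.deniedssh, and the DenyHosts
# plugin hooks invoking this script with the affected address appended.

set -u   # treat unset variables as bugs
set -f   # no globbing while word-splitting untrusted lines

TABLE=${TABLE:-denyhosts}
DENYFILE=${DENYFILE:-/etc/hosts.deniedssh}
PFTABLEFILE=${PFTABLEFILE:-/var/db/denyhosts.pf}

# Constructed sample of what hosts.deniedssh might contain (not real data):
# a "sshd:" prefix, a comment, a duplicate, a hostname, two malformed entries.
SAMPLE='sshd: 203.0.113.7
# DenyHosts: added 2010-01-19
sshd: 198.51.100.9

203.0.113.7
sshd: attacker.example.invalid
999.1.1.1
10.0.0'

# is_ipv4 ADDR: succeed only for a dotted quad whose four octets are 0-255.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$_old_ifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        [ ${#_o} -le 3 ] && [ "$_o" -le 255 ] || return 1
    done
    return 0
}

# extract_addrs: read a hosts.deniedssh on stdin, print one bare IPv4 per line.
# Drops comments, blank lines and any "service:" prefix; anything that is not
# an address (a hostname, a malformed entry) is reported on stderr and skipped
# instead of being passed to pfctl, where it would not load.
extract_addrs() {
    while IFS= read -r _line || [ -n "$_line" ]; do
        _line=${_line%%#*}      # strip trailing comment
        _line=${_line#*:}       # drop a "sshd:" style prefix, if any (IPv4 only)
        set -- $_line           # trim whitespace via word splitting
        [ $# -ge 1 ] || continue
        if is_ipv4 "$1"; then
            printf '%s\n' "$1"
        else
            printf 'denyhosts2pf: skipping non-address entry: %s\n' "$1" >&2
        fi
    done
}

# reload_table: rebuild the filtered list atomically and push it into pf.
reload_table() {
    if [ ! -r "$DENYFILE" ]; then
        # Never replace a populated table with an empty list by accident.
        printf 'denyhosts2pf: %s unreadable, table left untouched\n' "$DENYFILE" >&2
        return 1
    fi
    extract_addrs < "$DENYFILE" | sort -u > "$PFTABLEFILE.tmp" || return 1
    mv "$PFTABLEFILE.tmp" "$PFTABLEFILE" || return 1
    command -v pfctl >/dev/null 2>&1 || {
        printf 'denyhosts2pf: pfctl not found, list left in %s\n' "$PFTABLEFILE" >&2
        return 1
    }
    # "replace" sets the kernel table to exactly the file's contents, so
    # entries DenyHosts has purged disappear as well as new ones appearing.
    pfctl -q -t "$TABLE" -T replace -f "$PFTABLEFILE"
}

# Usage: denyhosts2pf.sh sync [addr]   (from PLUGIN_DENY / PLUGIN_PURGE; the
#                                       appended address is ignored, the whole
#                                       table is re-synced from the file)
#        denyhosts2pf.sh demo          (filter the built-in constructed sample)
case ${1:-} in
    sync) reload_table ;;
    demo) printf '%s\n' "$SAMPLE" | extract_addrs | sort -u ;;
esac
```

Running it with "demo" prints 198.51.100.9 and 203.0.113.7 once each and reports the hostname and the two malformed lines on stderr. To wire it in, point both plugin hooks in denyhosts.cfg at "/usr/local/sbin/denyhosts2pf.sh sync" (path assumed) and, if you keep the table's file option in pf.conf, point it at /var/db/denyhosts.pf rather than the raw DenyHosts file so a reboot loads the filtered list too.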