Date:      Thu, 21 Aug 2008 16:39:32 -0700 (PDT)
From:      Dewayne Geraghty <dewayne_freebsd@yahoo.com>
To:        Rink Springer <rink@freebsd.org>, Brooks Davis <brooks@freebsd.org>
Cc:        Mikhail Teterin <mi+mill@aldan.algebra.com>, Jeremy Chadwick <koitsu@freebsd.org>, freebsd-stable@freebsd.org, freebsd-security@freebsd.org
Subject:   Re: machine hangs on occasion - correlated with ssh break-in attempts
Message-ID:  <446595.9807.qm@web46413.mail.sp1.yahoo.com>
In-Reply-To: <20080821203703.GA47728@lor.one-eyed-alien.net>

There are many excellent suggestions on how to deal with invalid/unauthorised access attempts via ssh. I'd used sshguard for around 8 months but recently changed to bruteblock; both are in ports/security. sshguard was very easy to configure, via rc.conf arguments. Bruteblock handled the same problem more elegantly: it uses two processes, one for monitoring the audit log via a pipe and one for maintaining the ipfw table entries; it uses the ipfw table value to hold the date/time entered, and the C code is cleaner (some optimisations are possible, but this is V0.5).

If you'd like to try it, here are the steps I used to get it going:

Install the package.

Configure /usr/local/etc/bruteblock-ssh.conf (using the regexps from the sample, but modify the parameters to suit your environment):

# regexps that pull the client address (capture group 1) out of sshd log lines
regexp         = sshd.*Illegal user \S+ from (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
regexp1        = sshd.*Failed password for (?:illegal user )?\S+ from (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})

# three failures in 3 minutes is blocked for a day, using ipfw2 table 10
max_count      = 3
within_time    = 180
reset_ip       = 86400
ipfw2_table_no = 10

Insert into /etc/syslog.conf (feeds sshd's auth messages to bruteblock over a pipe):

auth.info;authpriv.info |exec /usr/local/sbin/bruteblock -f /usr/local/etc/bruteblock-ssh.conf

Add to the firewall rules (and /etc/rc.firewall):

ipfw add 4 deny ip from table\(10\) to any
ipfw add 4 deny ip from any to table\(10\)

Add to /etc/rc.conf:

bruteblockd_enable="YES"
bruteblockd_table="10"
bruteblockd_flags="-s 7200"   # How frequently to review the ipfw table for entry removal

Now restart syslog and start bruteblockd:

/etc/rc.d/syslogd restart
/usr/local/etc/rc.d/bruteblockd.sh start
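The matching and thresholding that the configuration above asks bruteblock to perform, reproduced as an added Python example for readers who want to see the two regexps and the max_count/within_time/reset_ip parameters applied to concrete log lines. This is not bruteblock's code and not part of the original message: the sample auth.log lines are constructed, the year 2008 is assumed because syslog stamps carry none, the "hits within a sliding window" interpretation of within_time is an assumption, and `ipfw_add`/`expired_entries` only build the ipfw commands and expiry decisions that bruteblockd is described as making, without touching a firewall.

```python
"""Simulate bruteblock's regexp matching and blocking thresholds over sample log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime

# The two regexps from the bruteblock-ssh.conf shown in the message (Python re syntax
# accepts them unchanged); group 1 is the client address.
PATTERNS = [
    re.compile(r"sshd.*Illegal user \S+ from (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"),
    re.compile(r"sshd.*Failed password for (?:illegal user )?\S+ from "
               r"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"),
]

# Parameters from the same config: 3 failures in 180 s -> blocked for 86400 s in table 10.
MAX_COUNT = 3
WITHIN_TIME = 180
RESET_IP = 86400
TABLE_NO = 10

# Constructed sample auth.log lines (syslog format, no year). Not real traffic.
SAMPLE_LOG = """\
Aug 21 16:30:01 gw sshd[2231]: Failed password for illegal user admin from 203.0.113.5 port 51234 ssh2
Aug 21 16:30:05 gw sshd[2233]: Illegal user oracle from 203.0.113.5
Aug 21 16:30:09 gw sshd[2235]: Failed password for root from 203.0.113.5 port 51240 ssh2
Aug 21 16:31:00 gw sshd[2240]: Failed password for dewayne from 198.51.100.7 port 40001 ssh2
Aug 21 16:40:00 gw sshd[2250]: Failed password for dewayne from 198.51.100.7 port 40002 ssh2
Aug 21 16:50:00 gw sshd[2260]: Failed password for dewayne from 198.51.100.7 port 40003 ssh2
Aug 21 16:50:02 gw sshd[2261]: Accepted publickey for dewayne from 198.51.100.7 port 40004 ssh2
"""


def parse_time(line, year=2008):
    """Epoch seconds for a syslog line; the year is assumed since the stamp lacks one."""
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S").timestamp()


def match_line(line):
    """Return the offending IP if any configured regexp matches, else None."""
    for pat in PATTERNS:
        m = pat.search(line)
        if m:
            return m.group(1)
    return None


def find_offenders(log_text, max_count=MAX_COUNT, within_time=WITHIN_TIME):
    """Return {ip: block_time} for IPs with max_count hits inside a within_time window.

    Assumed semantics: a sliding window, so slow attempts spaced wider than
    within_time never accumulate to max_count."""
    recent = defaultdict(deque)  # ip -> timestamps of hits still inside the window
    blocked = {}
    for line in log_text.splitlines():
        ip = match_line(line)
        if ip is None or ip in blocked:
            continue
        now = parse_time(line)
        hits = recent[ip]
        hits.append(now)
        while hits and now - hits[0] > within_time:  # drop hits that fell out of the window
            hits.popleft()
        if len(hits) >= max_count:
            blocked[ip] = now
    return blocked


def ipfw_add(ip, when, table=TABLE_NO):
    """ipfw command to insert the address, storing the block time as the table value."""
    return f"ipfw table {table} add {ip} {int(when)}"


def expired_entries(blocked, now, reset_ip=RESET_IP):
    """Addresses whose table entries are at least reset_ip seconds old and can be removed."""
    return sorted(ip for ip, when in blocked.items() if now - when >= reset_ip)


if __name__ == "__main__":
    hits = find_offenders(SAMPLE_LOG)
    for ip, when in hits.items():
        print(ipfw_add(ip, when))
    print("expired after a day:", expired_entries(hits, max(hits.values()) + RESET_IP))
```

Running it blocks only 203.0.113.5 (three matches within eight seconds); 198.51.100.7 also fails three times, but ten minutes apart, so it never reaches max_count inside the 180 s window, and the "Accepted publickey" line matches neither regexp.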



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?446595.9807.qm>