From owner-freebsd-questions@FreeBSD.ORG Tue Jan 12 09:42:10 2010
Message-ID: <4B4C43EE.6080703@locolomo.org>
Date: Tue, 12 Jan 2010 10:42:06 +0100
From: Erik Norgaard
To: Anton Shterenlikht
Cc: freebsd-questions@freebsd.org
In-Reply-To: <20100111140105.GI61025@mech-cluster241.men.bris.ac.uk>
Subject: Re: denying spam hosts ssh access - good idea?
List-Id: User questions

Anton Shterenlikht wrote:
> I'm thinking of denying ssh access to host from which
> I get brute force ssh attacks.

This is a returning topic, search the archives. Anyway, the returning answer:

- why not let your firewall do the blocking? If your blocking is IP based, that's the place to block.

- why do you default to allow? How about default block, and then add the few good networks you know that actually need access? Restricting access to your own continent is a good start.

I made this tool to create lists of IP ranges for individual countries:

http://www.locolomo.org/pub/src/toolbox/inet.pl

If you're in the US then it may not work, since some US companies have ranges delegated directly by IANA rather than ARIN, but these are few, so it's easy to add ranges manually; check the list here:

http://www.iana.net/assignments/ipv4-address-space/ipv4-address-space.xml

- why allow password based authentication? Disable password based authentication and rely on keys, then you can ignore all the brute force attempts.

- above not a solution? See if you can tweak the sshd_config: MaxAuthTries and MaxStartups can slow down brute force attacks, preventing them from sucking up resources. Disable root login, restrict login to real users; if you have a group "users", just restrict to that using AllowGroups.

- trying to block individual offending hosts is futile, the attacker will usually try maybe 1000 times, but the next one will likely come from a different address.

BR, Erik

-- 
Erik Nørgaard
Ph: +34.666334818/+34.915211157
http://www.locolomo.org
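As an added example (not code from the post or from OpenSSH), a small audit of the sshd_config knobs the reply names: PasswordAuthentication, PermitRootLogin, MaxAuthTries, MaxStartups and AllowGroups. It models the one sshd rule that most often defeats such hardening: the first value read for a keyword wins, and lines inside a Match block are conditional; the numeric limits and the sample config are this example's own assumptions.

```python
import re

def parse_sshd_config(text):
    """Effective global settings of an sshd_config, keyed by lowercase keyword.
    sshd keeps the *first* value it reads for a keyword, so a hardened line
    appended at the end of the file is ignored if an earlier line set it.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()                   # keywords are case-insensitive
        if key == "match":                       # rest is conditional, not global
            break
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings

def at_most(value, limit):
    """True if the leading integer of value (e.g. '10:30:100') is <= limit."""
    m = re.match(r"\d+", value)
    return m is not None and int(m.group()) <= limit

def audit_sshd_config(text):
    """Map each checked keyword to (effective value, passes).
    An absent keyword fails: defaults vary between OpenSSH versions, so the
    hardened value should be set explicitly. Numeric limits are assumptions.
    """
    s = parse_sshd_config(text)
    checks = {
        "passwordauthentication": lambda v: v.lower() == "no",  # keys only
        "permitrootlogin": lambda v: v.lower() == "no",
        "maxauthtries": lambda v: at_most(v, 3),
        "maxstartups": lambda v: at_most(v, 10),
        "allowgroups": lambda v: v != "",        # restrict to a real-user group
    }
    return {k: (s.get(k), k in s and f(s[k])) for k, f in checks.items()}

# Constructed sample: the later 'no' never takes effect, and the PermitRootLogin
# inside the Match block is not a global setting.
SAMPLE = """\
PasswordAuthentication yes
MaxAuthTries 6
MaxStartups 10:30:100
AllowGroups users
PasswordAuthentication no
Match User backup
    PermitRootLogin no
"""
```

Running `audit_sshd_config(SAMPLE)` flags PasswordAuthentication, PermitRootLogin and MaxAuthTries, while MaxStartups and AllowGroups pass.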