Date: Tue, 12 Jan 2010 09:53:57 +0000
From: Anton Shterenlikht
To: Erik Norgaard
Cc: Anton Shterenlikht, freebsd-questions@freebsd.org
Subject: Re: denying spam hosts ssh access - good idea?
Message-ID: <20100112095357.GD61863@mech-cluster241.men.bris.ac.uk>
In-Reply-To: <4B4C43EE.6080703@locolomo.org>
On Tue, Jan 12, 2010 at 10:42:06AM +0100, Erik Norgaard wrote:
> Anton Shterenlikht wrote:
> > I'm thinking of denying ssh access to host from which
> > I get brute force ssh attacks.
>
> This is a returning topic, search the archives. Anyway, the returning
> answer:
>
> - why not let your firewall do the blocking? If your blocking is IP
> based that's the place to block.

I'm already under the University firewall. Only port 22 is let through.
But even that fills my logs.

> - why do you default to allow? How about default block, and then add the
> few good networks you know that actually need access? Restricting access
> to your own continent is a good start. I made this tool to create lists
> of ip ranges for individual countries:
>
> http://www.locolomo.org/pub/src/toolbox/inet.pl
>
> if you're in US then it may not work since some US companies have ranges
> delegated directly by IANA rather than ARIN, but these are few so it's
> easy to add ranges manually, check the list here:
>
> http://www.iana.net/assignments/ipv4-address-space/ipv4-address-space.xml

thanks, will look at this

> - why allow password based authentication? disable password based
> authentication and rely on keys, then you can ignore all the brute force
> attempts.

I don't allow password based authentication.

> - above not a solution? See if you can tweak the sshd_config:
>
> MaxAuthTries
> MaxStartups
>
> can slow down brute force attacks preventing it from sucking up resources.

also a good idea, will look at this.

> Disable root login, restrict login to real users, if you have a group
> "users" just restrict to that using AllowGroups.

yes, this is in place.

> - trying to block individual offending hosts is futile, the attacker
> will usually try maybe a 1000 times, but the next one will likely come
> from a different address.

I guess this answers my question most directly.

From all the replies I got so far I gather that /etc/hosts.allow exists
as a historical heritage and no real use is made of it nowadays.
Although some people appear to like it (e.g. Samuel Martín Moro).

many thanks for your help and support.

anton

--
Anton Shterenlikht
Room 2.6, Queen's Building
Mech Eng Dept
Bristol University
University Walk, Bristol BS8 1TR, UK
Tel: +44 (0)117 331 5944
Fax: +44 (0)117 929 4423
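The sshd_config hardening Erik lists in the quoted reply (key-only authentication, no root login, AllowGroups, MaxAuthTries, MaxStartups), as an added shell example that is not part of this thread: a small audit script that reads an sshd_config and reports which of those directives are missing or weak, so the checks can be re-run after every edit. It also checks ChallengeResponseAuthentication, which the thread does not mention, because with PAM enabled a keyboard-interactive password prompt otherwise remains possible; the threshold of 3 for MaxAuthTries and the two sample configs are my own assumptions, constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the
# hardening directives discussed above. Sample configs are constructed.

# Print the effective value of a keyword, lower-cased. sshd honours the
# first uncommented occurrence of a keyword, and keywords are
# case-insensitive, so take the first match only.
sshd_value() {
    grep -i "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 |
        awk '{print $2}' | tr '[:upper:]' '[:lower:]'
}

# audit_sshd_config FILE: print one line per finding; the exit status is
# the number of findings (0 means every check passed).
audit_sshd_config() {
    f=$1
    n=0
    # Key-only authentication: password and keyboard-interactive prompts
    # off, and no root login at all. ChallengeResponseAuthentication is an
    # addition beyond the thread: PAM can otherwise still prompt for a password.
    for key in PasswordAuthentication ChallengeResponseAuthentication PermitRootLogin; do
        v=$(sshd_value "$f" "$key")
        if [ "$v" != "no" ]; then
            echo "$key should be 'no' (is '${v:-unset}')"
            n=$((n + 1))
        fi
    done
    # Restrict logins to a known group rather than every account on the box.
    v=$(sshd_value "$f" AllowGroups)
    if [ -z "$v" ]; then
        echo "AllowGroups is unset: every local account may log in"
        n=$((n + 1))
    fi
    # Assumed threshold: at most 3 tries per connection (OpenSSH default is 6).
    v=$(sshd_value "$f" MaxAuthTries)
    case $v in
        ''|*[!0-9]*) echo "MaxAuthTries unset or not numeric"; n=$((n + 1)) ;;
        *) [ "$v" -le 3 ] || { echo "MaxAuthTries $v exceeds 3"; n=$((n + 1)); } ;;
    esac
    # MaxStartups caps unauthenticated connections so a flood cannot
    # exhaust sshd before the brute-force attempts are even rejected.
    v=$(sshd_value "$f" MaxStartups)
    if [ -z "$v" ]; then
        echo "MaxStartups unset: relying on the OpenSSH default"
        n=$((n + 1))
    fi
    return $n
}

tmpdir=$(mktemp -d)
WEAK_CFG=$tmpdir/sshd_config.weak
HARD_CFG=$tmpdir/sshd_config.hardened

# Constructed sample: a near-default config that still accepts password guesses.
cat > "$WEAK_CFG" <<'EOF'
Port 22
#PasswordAuthentication no
PermitRootLogin yes
Subsystem sftp /usr/libexec/sftp-server
EOF

# Constructed sample: the settings recommended in the thread, plus the
# ChallengeResponseAuthentication addition noted above.
cat > "$HARD_CFG" <<'EOF'
Port 22
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
AllowGroups users
MaxAuthTries 3
MaxStartups 10:30:60
Subsystem sftp /usr/libexec/sftp-server
EOF

for f in "$WEAK_CFG" "$HARD_CFG"; do
    echo "== $f"
    if audit_sshd_config "$f"; then echo "ok"; else echo "$? finding(s)"; fi
done
```

Run it against the real file with `audit_sshd_config /etc/ssh/sshd_config` after sourcing the script; a non-zero exit status is the count of findings, which makes it easy to wire into a periodic check. The script deliberately reads only the first occurrence of each keyword, because a hardened value appended at the bottom of a file that already sets the same keyword earlier is silently ignored by sshd.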