Date:      Sun, 05 Oct 2008 20:33:31 +0200
From:      mouss <mouss@netoyen.net>
Cc:        freebsd-current@freebsd.org
Subject:   Re: SSH Brute Force attempts
Message-ID:  <48E9087B.4070903@netoyen.net>
In-Reply-To: <20081005073409.62441itn43jvde80@econet.encontacto.net>
References:  <48E16E93.3090601@gmail.com> <48E4368E.4020404@gmail.com>	<4046.82.41.242.250.1223173482.squirrel@mail.elegosoft.com> <20081005073409.62441itn43jvde80@econet.encontacto.net>

eculp wrote:
> Quoting sk@elegosoft.com:
> 
>> mornin'
>>
>>  Rich Healey wrote:
>>>> Recently I'm getting a lot of brute force attempts on my server, in the
>>>> past I've used various tips and tricks with linux boxes but many of 
>>>> them
>>>> were fairly linux specific.
>>
>>
>> disable password authentication OR use very strong passwords (24 chars)
>> OR use OTP
>>
>> if it is applicable you could limit access by hosts (from=)
>>
>> nothing of the above is linux or BSD specific
>>
>> btw. Software to delay Login Attempts could be tricked.
>>
>>> Personally I find that changing the port to anything other than 22 stops
>>> a lot of the skiddie brute force attacks.  That's not to say you
>>> shouldn't use something else as well - but it is something.
>>
>> it works for one of my servers too, but is security by obscurity
> 
> It worked for me also but in addition I have started accepting ssh from 
> only known IPs but I always have a server with a known IP that uses an 
> alternative port for ssh that I can access from, let's say an internet 
> cafe or like, and then triangle to the server that I'm really interested 
> in.  Hope that makes some sense.
> 

you can configure ssh to listen on two ports
Port 22
Port 23456

then use pf or other to allow 22 from trusted hosts and the other port 
from anywhere (except maybe networks you don't "like").


if OP was thinking about the "recent" module of iptables, then pf can do 
that:
	http://www.bgnett.no/~peter/pf/en/bruteforce.html


If only a few users can ssh, then it's worth creating a specific group and 
only allowing users in this group (AllowGroups).

A google search will show enough stuff to get busy for a few days ;-p
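The setup described in this message (sshd on two ports, pf admitting port 22 only from trusted hosts and rate-limiting the other port, AllowGroups, password authentication off), as an added example that is not part of the thread or of any FreeBSD or pf documentation. It is a POSIX sh script that audits an sshd_config against those points and prints the matching pf.conf fragment; the 23456 port comes from the message, while the group name "sshusers", the interface "em0", the TEST-NET addresses and the two sample configs are constructed assumptions. The pf rule syntax (max-src-conn-rate, overload table) is the approach the linked bgnett page describes.

```shell
#!/bin/sh
# Added example, not code from the thread: audit an sshd_config against the
# points raised here (second listen port, no password auth, AllowGroups) and
# print the pf.conf fragment that pairs port 22 with trusted hosts and
# rate-limits the alternate port. The group name, interface and addresses
# below are assumptions; the two sample configs are constructed here.

ALT_PORT=23456

# Effective value of a global directive: sshd uses the first occurrence,
# and anything after a Match block is conditional, so stop there.
sshd_get() {  # $1 = sshd_config path, $2 = directive name
    awk -v k="$2" '
        tolower($1) == "match" { exit }
        tolower($1) == tolower(k) { print $2; exit }
    ' "$1"
}

# Number of active Port directives (two are needed for the split setup).
sshd_port_count() {
    grep -Eic '^[[:space:]]*port[[:space:]]+[0-9]+' "$1" || true
}

# Print one finding per line; the exit status is the number of findings,
# so 0 means the file follows every recommendation checked here.
audit_sshd() {
    f="$1"; n=0
    if [ "$(sshd_port_count "$f")" -lt 2 ]; then
        echo "only one Port directive: add a second listen port for untrusted networks"
        n=$((n + 1))
    fi
    pa=$(sshd_get "$f" PasswordAuthentication)
    if [ "$pa" != "no" ]; then
        echo "PasswordAuthentication is '${pa:-unset (default yes)}': set it to no"
        n=$((n + 1))
    fi
    if [ -z "$(sshd_get "$f" AllowGroups)" ]; then
        echo "no AllowGroups: restrict logins to a dedicated group"
        n=$((n + 1))
    fi
    return "$n"
}

# pf.conf fragment: port 22 only from <trusted>, the alternate port from
# anywhere but with per-source limits; sources that exceed them are added
# to <bruteforce> and blocked. Interface and addresses are placeholders.
pf_fragment() {
    cat <<EOF
ext_if = "em0"
table <trusted> { 192.0.2.10, 198.51.100.0/24 }
table <bruteforce> persist
block in quick on \$ext_if from <bruteforce>
pass in quick on \$ext_if proto tcp from <trusted> to (\$ext_if) port 22 \\
    flags S/SA keep state
pass in on \$ext_if proto tcp to (\$ext_if) port $ALT_PORT flags S/SA keep state \\
    (max-src-conn 10, max-src-conn-rate 5/30, overload <bruteforce> flush global)
EOF
}

# Constructed samples: a stock-looking config and a hardened one.
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT
cat > "$WEAK_CFG" <<'EOF'
# constructed: looks like a default sshd_config
Port 22
#PasswordAuthentication yes
EOF
cat > "$HARD_CFG" <<EOF
# constructed: hardened along the lines of this thread
Port 22
Port $ALT_PORT
PasswordAuthentication no
AllowGroups sshusers
EOF

# Stand-alone run: report on both samples, then show the pf rules.
for cfg in "$WEAK_CFG" "$HARD_CFG"; do
    echo "== $cfg"
    audit_sshd "$cfg" || echo "($? findings)"
done
pf_fragment
```

Run it against a real file with `audit_sshd /etc/ssh/sshd_config` after sourcing the script; the exit status doubles as a findings count, so it drops into a cron or configuration-check job without parsing the output. The from= restriction in authorized_keys mentioned earlier in the thread is per key, not per server, and is out of scope for this check. Load the pf fragment only after confirming the <trusted> table really contains the address you administer from, or the port 22 rule locks you out.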






Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?48E9087B.4070903>