Date:      Sat, 23 Jul 2005 09:40:22 +0300
From:      Anton Butsyk <butsyk@mail.etsplus.net>
To:        freebsd-isp@freebsd.org
Subject:   Re: ssh brute force
Message-ID:  <42E1E656.2050903@mail.etsplus.net>
In-Reply-To: <2d7ec17c078ffb523c193d9847113e5d@staff.openaccess.org>
References:  <f72a639a050719121244719e22@mail.gmail.com>	<42DEAE1F.8000702@novusordo.net>	<d64aa176050720174322ebc621@mail.gmail.com>	<200507211349.59772.todor.dragnev@gmail.com> <2d7ec17c078ffb523c193d9847113e5d@staff.openaccess.org>

Hi list.

I escape from ssh brute force with pf.
Just as a sample:
    # Allow SSH in, but cap the states this rule may create (200),
    # track sources per rule, keep at most 100 source addresses,
    # allow at most 3 simultaneous states per source, and expire
    # half-open and closing connections after 10 seconds.
    pass in quick on $ext_if proto tcp from any to $ext_if port 22 \
        flags S/SA keep state \
        (max 200, source-track rule, max-src-nodes 100, \
         max-src-states 3, tcp.first 10, tcp.closing 10)
With pf you can control packets on the interfaces; I love this tool.

Regards,

Anton.

> An easier way to handle this is to simply set up some basic 
> configurations for the subnets you will accept SSH from.  With pf it's 
> quite easy via the table structures, and with a little creativity and 
> shell scripting, it's not that tough to get ipfw or ipfilter to do it 
> either.
>
> One more step, just blocking port 22 from 61.0.0.0/8 helps 
> tremendously.  We got hammered with this stuff a few weeks ago, and 
> despite my comments above, trying to fully automate dozens of machines 
> is an on-going labor of love for us, and there are many that do not 
> have the self-built firewall rules commented as 'protect myself'.
>
>
> Michael F. DeMan
> Director of Technology
> OpenAccess Network Services
> Bellingham, WA 98225
> michael@staff.openaccess.org
> 360-647-0785
> On Jul 21, 2005, at 3:49 AM, Todor Dragnev wrote:
>
>> Thank you.
>>
>> On Thursday 21 July 2005 03:43, Chris Buechler wrote:
>>
>>> On 7/20/05, Chris Jones <cdjones@novusordo.net> wrote:
>>>
>>>> I'm looking at having a script look at SSH's log output for repeated
>>>> failed connection attempts from the same address, and then blocking 
>>>> that
>>>> address through pf (I'm not yet sure whether I want to do it 
>>>> temporarily
>>>> or permanently).
>>>
>>>
>>> Matt Dillon wrote an app in C to do just that, with ipfw.
>>> http://leaf.dragonflybsd.org/mailarchive/users/2005-03/msg00008.html
>>>
>>> Scott Ullrich modified it to work with pf.
>>> http://pfsense.org/cgi-bin/cvsweb.cgi/tools/sshlockout_pf.c
>>>
>>> -Chris
>>
>> _______________________________________________
>> freebsd-isp@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-isp
>> To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"
>>
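As an added example (not code from this thread, and not the sshlockout tool linked above), here is the log-driven approach Chris Jones describes, written in Python: count sshd authentication failures per source address from syslog lines, skip an allowlisted management subnet so the script cannot lock its own operator out, and emit the pfctl commands that add the offenders to a pf table. The table name sshbrute, the threshold of 5, the allowlist 203.0.113.0/24 and the log lines are all constructed assumptions; the script also assumes pf.conf already declares the table and a block rule that references it.

```python
#!/usr/bin/env python3
"""Find SSH brute-force sources in sshd syslog output and emit the pfctl
commands that add them to a pf table.

Assumes (hypothetical names) that pf.conf already has:

    table <sshbrute> persist
    block in quick on $ext_if proto tcp from <sshbrute> to any port 22

so `pfctl -t sshbrute -T add <ip>` takes effect without a reload.
"""
import ipaddress
import re
import shlex
import sys
from collections import Counter

TABLE = "sshbrute"              # hypothetical pf table name
THRESHOLD = 5                   # hypothetical: failures per address before blocking
ALLOWLIST = ["203.0.113.0/24"]  # hypothetical management subnet; never block it

# sshd failure lines as syslog writes them, e.g.
#   Jul 23 09:40:02 gw sshd[1235]: Failed password for invalid user admin from 198.51.100.7 port 51023 ssh2
# "Failed password", "Failed publickey" and "Failed keyboard-interactive/pam" all match.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9A-Fa-f.:]+) port \d+"
)

# Constructed sample log: one address failing five times (once with a username
# containing a shell metacharacter), one allowlisted address, one IPv6 address.
SAMPLE_LOG = """\
Jul 23 09:40:01 gw sshd[1234]: Failed password for root from 198.51.100.7 port 51022 ssh2
Jul 23 09:40:02 gw sshd[1235]: Failed password for invalid user admin from 198.51.100.7 port 51023 ssh2
Jul 23 09:40:03 gw sshd[1236]: Failed password for invalid user test from 198.51.100.7 port 51024 ssh2
Jul 23 09:40:04 gw sshd[1237]: Failed password for root from 198.51.100.7 port 51025 ssh2
Jul 23 09:40:05 gw sshd[1238]: Failed password for invalid user ;reboot from 198.51.100.7 port 51026 ssh2
Jul 23 09:40:06 gw sshd[1239]: Accepted publickey for anton from 203.0.113.5 port 40000 ssh2
Jul 23 09:40:07 gw sshd[1240]: Failed password for anton from 203.0.113.5 port 40001 ssh2
Jul 23 09:40:08 gw sshd[1241]: Failed password for root from 2001:db8::1 port 40002 ssh2
"""


def parse_failures(lines):
    """Yield (ip, user) for every failed-authentication line; others are ignored."""
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            yield m.group("ip"), m.group("user")


def is_allowlisted(ip, allowlist=ALLOWLIST):
    """True if ip falls inside any allowlisted network (a v4/v6 mismatch is False)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in allowlist)


def offenders(lines, threshold=THRESHOLD, allowlist=ALLOWLIST):
    """Return {ip: failures} for addresses at or above threshold, minus the allowlist."""
    counts = Counter(ip for ip, _ in parse_failures(lines))
    return {ip: n for ip, n in counts.items()
            if n >= threshold and not is_allowlisted(ip, allowlist)}


def pfctl_commands(ips, table=TABLE):
    """Build argv lists (never a shell string: usernames and addresses in the log
    are attacker-controlled) that add each address to the table, IPv4 first."""
    addrs = sorted((ipaddress.ip_address(ip) for ip in ips),
                   key=lambda a: (a.version, int(a)))
    return [["pfctl", "-t", table, "-T", "add", str(a)] for a in addrs]


def main(argv):
    if len(argv) > 1:
        with open(argv[1]) as fh:
            hits = offenders(fh)
    else:
        hits = offenders(SAMPLE_LOG.splitlines())
    for cmd in pfctl_commands(hits):
        print(shlex.join(cmd))  # pipe into sh as root, or subprocess.run(cmd) directly
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against /var/log/auth.log from cron, or feed it the live syslog stream; the commands come out as argv lists rather than one shell string precisely because the username field is whatever the attacker typed. An entry added with pfctl -T add stays until it is deleted, so a periodic `pfctl -t sshbrute -T expire <seconds>` is the usual way to make the block temporary.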