From: Anton Butsyk
Date: Sat, 23 Jul 2005 09:40:22 +0300
To: freebsd-isp@freebsd.org
Subject: Re: ssh brute force
Message-ID: <42E1E656.2050903@mail.etsplus.net>
In-Reply-To: <2d7ec17c078ffb523c193d9847113e5d@staff.openaccess.org>

Hi list.

I escape ssh brute force with pf. Just as a sample:

    pass in quick on $ext_if proto tcp from \
        any to $ext_if port 22 flags S/SA keep state \
        (max 200, source-track rule, max-src-nodes 100, \
        max-src-states 3, tcp.first 10, tcp.closing 10)

With pf you can control packets on the interfaces; I love this tool.

Regards,
Anton.
> An easier way to handle this is to simply set up some basic
> configurations for the subnets you will accept SSH from. With pf it's
> quite easy via the table structures, and with a little creativity and
> shell scripting, it's not that tough to get ipfw or ipfilter to do it
> either.
>
> One more step, just blocking port 22 from 61.0.0.0/8 helps
> tremendously. We got hammered with this stuff a few weeks ago, and
> despite my comments above, trying to fully automate dozens of machines
> is an on-going labor of love for us, and there are many that do not
> have the self-built firewall rules commented as 'protect myself'.
>
> Michael F. DeMan
> Director of Technology
> OpenAccess Network Services
> Bellingham, WA 98225
> michael@staff.openaccess.org
> 360-647-0785
>
> On Jul 21, 2005, at 3:49 AM, Todor Dragnev wrote:
>
>> Thank you.
>>
>> On Thursday 21 July 2005 03:43, Chris Buechler wrote:
>>
>>> On 7/20/05, Chris Jones wrote:
>>>
>>>> I'm looking at having a script look at SSH's log output for repeated
>>>> failed connection attempts from the same address, and then blocking that
>>>> address through pf (I'm not yet sure whether I want to do it temporarily
>>>> or permanently).
>>>
>>> Matt Dillon wrote an app in C to do just that, with ipfw.
>>> http://leaf.dragonflybsd.org/mailarchive/users/2005-03/msg00008.html
>>>
>>> Scott Ullrich modified it to work with pf.
>>> http://pfsense.org/cgi-bin/cvsweb.cgi/tools/sshlockout_pf.c
>>>
>>> -Chris
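An added example, not code from this thread or from any of the posters: a small POSIX sh script of the kind Chris Jones describes above, which counts failed sshd logins per source address and prints (in dry-run mode) the pfctl commands that would add the repeat offenders to a pf table. The table name <sshbrute>, the threshold of 5 failures, the constructed log lines, and the assumption that pf.conf defines that table with a matching block rule are all assumptions made here, not taken from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: count failed sshd logins per source
# address and emit the pfctl commands that would add repeat offenders to a
# pf table. Assumed (not from the thread): pf.conf contains
#   table <sshbrute> persist
#   block in quick on $ext_if proto tcp from <sshbrute> to any port 22

THRESHOLD=${THRESHOLD:-5}   # failures from one address before it is listed (assumption)
TABLE=${TABLE:-sshbrute}    # pf table name (assumption)
DRY_RUN=${DRY_RUN:-1}       # 1 = print the pfctl commands instead of running them

# Constructed sample auth.log lines using RFC 5737 documentation addresses.
SAMPLE_LOG='Jul 23 06:01:02 gw sshd[48682]: Failed password for root from 192.0.2.10 port 40001 ssh2
Jul 23 06:01:05 gw sshd[48683]: Failed password for root from 192.0.2.10 port 40002 ssh2
Jul 23 06:01:07 gw sshd[48684]: Failed password for admin from 192.0.2.10 port 40003 ssh2
Jul 23 06:01:09 gw sshd[48685]: Failed password for invalid user test from 192.0.2.10 port 40004 ssh2
Jul 23 06:01:11 gw sshd[48686]: Failed password for root from 192.0.2.10 port 40005 ssh2
Jul 23 06:01:13 gw sshd[48687]: Failed password for root from 192.0.2.10 port 40006 ssh2
Jul 23 06:02:00 gw sshd[48690]: Invalid user oracle from 203.0.113.5
Jul 23 06:02:01 gw sshd[48691]: Invalid user postgres from 203.0.113.5
Jul 23 06:02:02 gw sshd[48692]: Invalid user mysql from 203.0.113.5
Jul 23 06:02:03 gw sshd[48693]: Invalid user guest from 203.0.113.5
Jul 23 06:02:04 gw sshd[48694]: Invalid user www from 203.0.113.5
Jul 23 06:03:00 gw sshd[48700]: Failed password for anton from 198.51.100.7 port 50000 ssh2
Jul 23 06:03:04 gw sshd[48700]: Accepted publickey for anton from 198.51.100.7 port 50000 ssh2'

# Read sshd log lines on stdin; print "count address" for every source address
# whose failure count reaches THRESHOLD, highest count first.
count_failures() {
    awk -v thr="$THRESHOLD" '
        /sshd\[[0-9]+\]: (Failed password|Invalid user)/ {
            ip = ""
            # the source address is the field following the word "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if (ip != "") fails[ip]++
        }
        END { for (a in fails) if (fails[a] >= thr) print fails[a], a }
    ' | sort -rn
}

# Turn the offender list into table additions. pfctl -t <table> -T add <addr>
# is the real pfctl syntax; it is only executed when DRY_RUN is 0.
block_offenders() {
    count_failures | while read -r n ip; do
        if [ "$DRY_RUN" = 1 ]; then
            echo "pfctl -t $TABLE -T add $ip  # $n failures"
        else
            pfctl -t "$TABLE" -T add "$ip"
        fi
    done
}

# Helpers that run the pipeline over the constructed sample so the script
# works stand-alone; in production feed real log lines on stdin instead.
demo_offenders() { printf '%s\n' "$SAMPLE_LOG" | count_failures; }
demo_block()     { printf '%s\n' "$SAMPLE_LOG" | block_offenders; }

demo_block
```

On the sample input 192.0.2.10 (6 failures) and 203.0.113.5 (5 "Invalid user" lines) are listed, while 198.51.100.7 with a single failure followed by a successful login is not. Per-address counting of this kind is blind to attempts spread across many source addresses, which is why Anton's pf state limits (max-src-nodes, max-src-states) and Michael's subnet allow-lists are worth combining with it rather than relying on the log scan alone.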