Skip site navigation (1)Skip section navigation (2) 
Date:      Thu, 21 Aug 2008 16:39:32 -0700 (PDT)
From:      Dewayne Geraghty <dewayne_freebsd@yahoo.com>
To:        Rink Springer <rink@freebsd.org>, Brooks Davis <brooks@freebsd.org>
Cc:        Mikhail Teterin <mi+mill@aldan.algebra.com>, Jeremy Chadwick <koitsu@freebsd.org>, freebsd-stable@freebsd.org, freebsd-security@freebsd.org
Subject:   Re: machine hangs on occasion - correlated with ssh break-in attempts
Message-ID:  <446595.9807.qm@web46413.mail.sp1.yahoo.com>
In-Reply-To: <20080821203703.GA47728@lor.one-eyed-alien.net>
index | next in thread | previous in thread | raw e-mail 

There are many excellent suggestions on how to deal with invalid/unauthorised access attempts via ssh.  I'd used sshguard for around 8 months but recently changed to bruteblock, both are in the ports/security.  sshguard was very easy to configure, via rc.conf arguments.    Bruteblock handled the same problem more elegantly: uses two processes one for monitoring audit.log, via a pipe and one for maintaining the ipfw table entries, it uses the ipfw table value with the date/time entered, and the C code is cleaner (some optimisations are possible but this is V0.5).  

If you'd like to try it here are the steps I used to get it going:


Install package


Configure /usr/local/etc/bruteblock-ssh.conf (Using regexp
from sample, but modify parameters to suite your environment.)

regexp      =
sshd.*Illegal user \S+ from (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})

regexp1     =
sshd.*Failed password for (?:illegal user )?\S+ from
(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}

# three failures in 3 minutes is blocked for a day, using ipfw2 table 10max_count   = 3

within_time = 180

reset_ip    = 86400

ipfw2_table_no = 10

 

Insert into "/etc/syslog.conf"

auth.info;authpriv.info |exec /usr/local/sbin/bruteblock –f /usr/local/etc/bruteblock-ssh.conf
Add to firewall rules (and /etc/rc.firewall)ipfw add 4 deny ip from table\(10\) to any
ipfw add 4 deny ip from any to table\(10\) Add into /etc/rc.confbruteblockd_enable="YES"
bruteblockd_table="10"
bruteblockd_flags="-s 7200"  # How frequently to review the ipfw table for entry removal Now restart syslog, and start bruteblockd/etc/rc.d/syslogd restart
/usr/local/etc/rc.d/bruteblockd.sh start



      Win a MacBook Air or iPod touch with Yahoo!7. http://au.docs..yahoo.com/homepageset
help

Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?446595.9807.qm>