Date: Wed, 25 Apr 2007 01:20:57 -0700
From: "Chris H." <chris#@1command.com>
To: freebsd-pf@freebsd.org
Subject: Re: preventing ssh brute force attacks, swatch and users and table
Message-ID: <20070425012057.upvt9rld28kwk8sg@webmail.1command.com>
In-Reply-To: <00b701c7869a$795c0db0$0200a8c0@satellite>
References: <00b701c7869a$795c0db0$0200a8c0@satellite>
Quoting Dave <dmehler26@woh.rr.com>:

> Hello,
> I've got a machine running ssh and I'm trying to cut down on brute
> force attacks on it. I'm running pf on a FreeBSD 6.2 box and have
> added in swatch to try to curb these attacks. The problem is nothing
> is being added to either the memory hackers table nor the on-disk copy
> of it. I know I'm getting hits because I'm seeing entries in my
> auth.log like this:
>
> Apr 21 06:18:38 zeus sshd[10609]: Did not receive identification string from 125.33.163.188
> Apr 21 06:22:55 zeus sshd[10658]: User root from 125.33.163.188 not allowed because none of user's groups are listed in AllowGroups
> Apr 21 06:22:55 zeus sshd[10658]: Failed password for invalid user root from 125.33.163.188 port 54521 ssh2
> Apr 21 06:22:57 zeus sshd[10660]: User root from 125.33.163.188 not allowed because none of user's groups are listed in AllowGroups
> Apr 21 06:22:57 zeus sshd[10660]: Failed password for invalid user root from 125.33.163.188 port 54727 ssh2
> Apr 24 00:52:08 zeus sshd[7746]: Failed password for invalid user root from 218.205.231.39 port 61694 ssh2
> Apr 24 00:52:11 zeus sshd[7749]: User root from 218.205.231.39 not allowed because none of user's groups are listed in AllowGroups
> Apr 24 00:52:11 zeus sshd[7749]: Failed password for invalid user root from 218.205.231.39 port 61773 ssh2
>
> I don't want to move my ssh; I feel these bots would just find it
> again. I'm also getting postfix attempts; I'd like to block them both.
>
> My swatch configuration looks like this:
>
> rc.conf
> swatch_enable="YES"
> swatch_rules="1"
> swatch_1_flags="--config-file=/usr/local/etc/swatchrc --tail-file=/var/log/auth.log --daemon --pid-file=/var/run/swatch.pid"
> swatch_1_user="root"
> swatch_1_chdir="/var/tmp"
> swatch_1_pidfile="/var/run/swatch.pid"
>
> In pf I have a block-by-default policy and I've got these lines:
>
> table <hackers> persist file "/etc/hackers"
> block all
> block in quick on $ext_if from <hackers> to any
>
> and /usr/local/etc/swatchrc calls a script that looks like:
>
> #!/bin/sh
> # add the offending address to the running pf table ...
> /sbin/pfctl -t hackers -T add "$1"
> # ... and to the on-disk copy that pf.conf loads at boot
> /bin/echo "$1" >> /etc/hackers
> /usr/bin/logger "swatch: $1 caught with bad login. Added to hackers pf table"
>
> If there's a better way that I can get both ssh and smtp bots I'd
> like to know about it; also, if my config is wrong let me know, as it's
> not working. One thing: I do not want to unblock attempted hackings,

Greetings,

You /may/ want to re-consider this policy. I was plagued with dictionary/brute force attempts against a couple of my mail servers, which spurred me into concocting some method to ease the burden and ultimately defeat such attempts. My final solution was a combination of scripts (grep || sed || awk || uniq || sort) run out of cron that parse the maillog for patterns that match offenders. It works perfectly (over 7,700 IP's).

BUT, you should consider, as I did, that many of the offending IP's are leased (DHCP) and are only owned/used by the perpetrator for a relatively short amount of time, and then they become available and are used by a now INNOCENT user. Also, there are those who /do/ own/lease the IP's on a longer-term basis and have mis-configured boxen which are effectively open proxies that are later corrected. So they too are only guilty by proxy (sorry, I couldn't resist ;)).

Anyway, the point I'm attempting to make here is that you should probably consider developing an EXPIRE policy for the offending/accumulating IP list. That way, you'll be able to DIFF the current against the EXPIRED and gain a more reasonable understanding of /which/ IP's are /always/ going to be offenders vs. those who were just short term (for whatever reason).

Just thought I'd mention it.

Best wishes.

> my feeling is those that do it should have no further interactions
> with my machines on any level.
> Thanks.
> Dave.
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>

--
panic: kernel trap (ignored)
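The cron-driven approach Chris describes (grep/sed/awk/uniq/sort over the log, an accumulating IP list, an EXPIRE policy, and a DIFF of current against expired to spot the permanent offenders), combined with the pf table Dave already has, as an added example. This is not code from either poster or from FreeBSD; the file names (/etc/hackers.seen, /etc/hackers.expired), the failure threshold, the one-week expiry and the PFCTL/TABLE variables are assumptions, and the sample log lines are constructed to match the auth.log format quoted above.

```shell
#!/bin/sh
# Added example, not code from the thread. A cron-style pass that:
#  (1) extracts source IPs with repeated sshd password failures,
#  (2) keeps an on-disk offender list stamped with the first-seen time so
#      entries can be EXPIRED after a fixed age, and
#  (3) diffs the current list against the expired one to find addresses
#      that keep coming back and deserve a permanent entry.

PFCTL=${PFCTL:-/sbin/pfctl}   # assumed path; only used by sync_table
TABLE=${TABLE:-hackers}       # pf table name from Dave's pf.conf

# Constructed sample lines modelled on the auth.log entries quoted above.
SAMPLE_LOG='Apr 21 06:22:55 zeus sshd[10658]: Failed password for invalid user root from 125.33.163.188 port 54521 ssh2
Apr 21 06:22:57 zeus sshd[10660]: Failed password for invalid user root from 125.33.163.188 port 54727 ssh2
Apr 24 00:52:08 zeus sshd[7746]: Failed password for invalid user root from 218.205.231.39 port 61694 ssh2
Apr 24 00:52:11 zeus sshd[7749]: Failed password for invalid user root from 218.205.231.39 port 61773 ssh2
Apr 24 00:52:14 zeus sshd[7752]: Failed password for invalid user root from 218.205.231.39 port 61801 ssh2
Apr 24 01:00:00 zeus sshd[7760]: Failed password for invalid user admin from 10.0.0.5 port 40000 ssh2'

# offenders THRESHOLD: read auth.log lines on stdin and print every source IP
# with at least THRESHOLD "Failed password" lines (one per line, sorted).
offenders() {
    grep 'sshd\[[0-9]*\]: Failed password for' |
        sed -n 's/.* from \([0-9.]*\) port [0-9]* ssh2$/\1/p' |
        sort | uniq -c |
        awk -v t="${1:-3}" '$1 >= t { print $2 }'
}

# record LIST IP NOW: append "IP NOW" to LIST unless IP is already there, so
# the stored timestamp stays the first time the address was caught.
record() {
    touch "$1"
    awk -v ip="$2" '$1 == ip { f = 1 } END { exit f ? 0 : 1 }' "$1" ||
        printf '%s %s\n' "$2" "$3" >> "$1"
}

# expire_old LIST EXPIRED NOW MAXAGE: move entries first seen more than MAXAGE
# seconds before NOW out of LIST, appending their IPs to EXPIRED.
expire_old() {
    touch "$1" "$2"
    awk -v now="$3" -v max="$4" -v expf="$2" '
        now - $2 > max { print $1 >> expf; next }
        { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# repeat_offenders LIST EXPIRED: IPs that were expired earlier and have been
# caught again, i.e. the DIFF that shows who is always going to offend.
repeat_offenders() {
    awk '{ print $1 }' "$1" | sort -u > "$1.cur"
    sort -u "$2" > "$2.srt"
    comm -12 "$1.cur" "$2.srt"
    rm -f "$1.cur" "$2.srt"
}

# sync_table LIST ADDRFILE: write the plain address list pf.conf loads and
# make the in-kernel table match it, so expired entries are unblocked too.
# Needs root and a running pf; not exercised by the tests.
sync_table() {
    awk '{ print $1 }' "$1" > "$2"
    "$PFCTL" -t "$TABLE" -T replace -f "$2"
}

# Example cron pass on the real box (all paths are assumptions):
#   now=$(date +%s)
#   offenders 3 < /var/log/auth.log | while read ip; do
#       record /etc/hackers.seen "$ip" "$now"
#   done
#   expire_old /etc/hackers.seen /etc/hackers.expired "$now" 604800
#   sync_table /etc/hackers.seen /etc/hackers
#   repeat_offenders /etc/hackers.seen /etc/hackers.expired
```

The timestamped list is kept in a separate file so that the `/etc/hackers` file referenced by `table <hackers> persist file` stays a plain list of addresses. `pfctl -T replace -f` makes the kernel table identical to the file, which is what drops the expired entries from the live table; `pfctl -t hackers -T expire <seconds>` can do the same trimming on the in-kernel table alone, but the on-disk copy still needs its own timestamps for the diff Chris suggests.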