Date: Thu, 21 Jul 2005 04:15:18 -0700
From: Michael DeMan <michael@staff.openaccess.org>
To: todor.dragnev@gmail.com
Cc: freebsd-isp@freebsd.org, Chris Jones <cdjones@novusordo.net>, Chris Buechler <cbuechler@gmail.com>
Subject: Re: ssh brute force
Message-ID: <2d7ec17c078ffb523c193d9847113e5d@staff.openaccess.org>
In-Reply-To: <200507211349.59772.todor.dragnev@gmail.com>
References: <f72a639a050719121244719e22@mail.gmail.com> <42DEAE1F.8000702@novusordo.net> <d64aa176050720174322ebc621@mail.gmail.com> <200507211349.59772.todor.dragnev@gmail.com>

An easier way to handle this is to simply set up some basic configurations for the subnets you will accept SSH from. With pf it's quite easy via the table structures, and with a little creativity and shell scripting, it's not that tough to get ipfw or ipfilter to do it either.

One more step, just blocking port 22 from 61.0.0.0/8 helps tremendously.

We got hammered with this stuff a few weeks ago, and despite my comments above, trying to fully automate dozens of machines is an on-going labor of love for us, and there are many that do not have the self-built firewall rules commented as 'protect myself'.

Michael F. DeMan
Director of Technology
OpenAccess Network Services
Bellingham, WA 98225
michael@staff.openaccess.org
360-647-0785

On Jul 21, 2005, at 3:49 AM, Todor Dragnev wrote:

> Thank you.
>
> On Thursday 21 July 2005 03:43, Chris Buechler wrote:
>> On 7/20/05, Chris Jones <cdjones@novusordo.net> wrote:
>>> I'm looking at having a script look at SSH's log output for repeated
>>> failed connection attempts from the same address, and then blocking that
>>> address through pf (I'm not yet sure whether I want to do it temporarily
>>> or permanently).
>>
>> Matt Dillon wrote an app in C to do just that, with ipfw.
>> http://leaf.dragonflybsd.org/mailarchive/users/2005-03/msg00008.html
>>
>> Scott Ullrich modified it to work with pf.
>> http://pfsense.org/cgi-bin/cvsweb.cgi/tools/sshlockout_pf.c
>>
>> -Chris
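
Added example, not part of the original thread and not the sshlockout code linked above: a Python script that combines the two ideas in this message, counting failed sshd logins per source address and proposing pf table additions while never touching the subnets SSH is accepted from. The log line format, the table name `ssh_blocked`, the threshold, and the pf.conf rules named in the comment are assumptions; the sample log lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample sshd lines (documentation address ranges, not real data).
SAMPLE_LOG = """\
Jul 21 03:10:01 host sshd[4101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Jul 21 03:10:03 host sshd[4102]: Failed password for invalid user admin from 203.0.113.7 port 40113 ssh2
Jul 21 03:10:05 host sshd[4103]: Failed password for invalid user test from 203.0.113.7 port 40114 ssh2
Jul 21 03:11:40 host sshd[4110]: Failed password for alice from 192.0.2.25 port 51515 ssh2
Jul 21 03:11:44 host sshd[4111]: Failed password for alice from 192.0.2.25 port 51516 ssh2
Jul 21 03:11:49 host sshd[4112]: Failed password for alice from 192.0.2.25 port 51517 ssh2
Jul 21 03:12:02 host sshd[4113]: Accepted password for alice from 192.0.2.25 port 51518 ssh2
Jul 21 03:15:30 host sshd[4120]: Failed password for root from 198.51.100.9 port 33001 ssh2
Jul 21 03:15:31 host sshd[4121]: Failed password for invalid user x from 10.0.0.1 from 198.51.100.99 port 33002 ssh2
"""

# Anchored at end of line: the user name is client-controlled and may itself
# contain " from <address>", so only the final "from ... port ..." is trusted.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for .* from (\S+) port \d+ ssh2$")

def offenders(log_text, trusted, threshold=3):
    """Return sorted source addresses with >= threshold failures, skipping trusted subnets."""
    nets = [ipaddress.ip_network(n) for n in trusted]
    hits = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line.rstrip())
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:  # not a literal address; never pass it on to pfctl
            continue
        if any(addr in net for net in nets):
            continue  # never lock out the subnets SSH is accepted from
        hits[str(addr)] += 1
    return sorted(a for a, n in hits.items() if n >= threshold)

def pfctl_commands(addrs, table="ssh_blocked"):
    """Build (not run) pfctl table additions; table name is hypothetical.
    Assumes pf.conf has: table <ssh_blocked> persist
                         block in quick proto tcp from <ssh_blocked> to any port 22"""
    return [f"pfctl -t {table} -T add {a}" for a in addrs]

if __name__ == "__main__":
    for cmd in pfctl_commands(offenders(SAMPLE_LOG, trusted=["192.0.2.0/24"])):
        print(cmd)
```

The trusted-subnet check runs before counting, so a legitimate user who mistypes a password three times from an allowed network is not added to the block table.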