Date:      Mon, 13 Nov 2006 17:43:13 -0600
From:      Damian Wiest <dwiest@vailsys.com>
To:        freebsd-questions@freebsd.org
Subject:   Re: Blocking SSH Brute-Force Attacks: What Am I Doing Wrong?
Message-ID:  <20061113234313.GR25030@dfwdamian.vail>
In-Reply-To: <200611131219.27949.bocha@academ.org>
References:  <20061113060528.GA7646@best.com> <200611131219.27949.bocha@academ.org>

On Mon, Nov 13, 2006 at 12:19:27PM +0600, Bachilo Dmitry wrote:
> On Monday 13 November 2006 12:05, Leo L. Schwab wrote:
> > 	I recently installed FreeBSD 6.1 on my gateway.  It replaced an
> > installation of FreeBSD 4.6.8 (fresh install, not an upgrade) on which I
> > had disabled the SSH server.  Since all the bugs in SSH are fixed now ( :-)
> > ), I thought I'd leave the server on, and am somewhat dismayed to discover
> > that I now get occasional brute-force/dictionary attacks on the port.
> >
> > 	A little Googling revealed a couple of potentially useful tools:
> > 'sshit' and 'bruteblock', both of which notice repeated login attempts from
> > a given IP address and blackhole it in the firewall.  I first tried
> > 'sshit', but after a couple days, I noticed in my daily reports that I was
> > still getting lengthy bruteforce attempts, suggesting the 'sshit' was not
> > working.
> >
> > 	So I uninstalled 'sshit' and installed 'bruteblock'.  But again a
> > couple days later, the logs showed lengthy bruteforce attempts going
> > unblocked.
> >
> > 	The relevant lines from my /etc/syslog.conf file are:
> >
> > ----
> > auth.info;authpriv.info				/var/log/auth.log
> > auth.info;authpriv.info		| exec /usr/local/sbin/bruteblock -f /usr/local/etc/bruteblock/ssh.conf
> > ----
> >
> > 	Any hints as to what I might be doing wrong?
> >
> > 					Thanks,
> > 					Schwab
> > _______________________________________________
> > freebsd-questions@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> > To unsubscribe, send any mail to
> > "freebsd-questions-unsubscribe@freebsd.org"
> 
> Why don't you just relax? :-) All my FreeBSD servers are bruteforced every 
> second. So what? 

Now, granted this was with FreeBSD 6.0, but I've had systems panic when 
they got flooded with FTP attempts.  No problem yet with sshd, but I'd 
deny password-based authentication and stick to public key 
authentication with passphrases.

-Damian
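
Added example, not part of the original message: a small audit of sshd_config text for settings that could still accept a password once key-only logins are intended, since keyboard-interactive authentication backed by PAM can prompt for a password even with PasswordAuthentication off. The function names and sample configs are constructed for illustration, and treating an unset keyword as enabled is a conservative assumption; `sshd -T` prints the effective values on a real host.

```python
import re

# Both spellings are treated as one setting (an assumption of this sketch).
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
WATCHED = ("passwordauthentication", "kbdinteractiveauthentication")


def parse(text):
    """Return (global settings, Match-block settings) for WATCHED keywords."""
    global_cfg, match_cfg, match = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            match = value  # later lines apply only under this condition
        elif key in WATCHED and match is not None:
            match_cfg.append((match, key, value.lower()))
        elif key in WATCHED:
            global_cfg.setdefault(key, value.lower())  # first value wins
    return global_cfg, match_cfg


def password_paths(text, unset="yes"):
    """List every setting that could still let a password login through."""
    global_cfg, match_cfg = parse(text)
    found = []
    for key in WATCHED:
        value = global_cfg.get(key)
        if value is None and unset != "no":
            found.append(f"{key} unset (treated as {unset})")
        elif value is not None and value != "no":
            found.append(f"{key} {value}")
    found += [f"Match {m}: {k} {v}" for m, k, v in match_cfg if v != "no"]
    return found


# Constructed samples, not taken from the thread.
PARTIAL = "PasswordAuthentication no\nPubkeyAuthentication yes\n"
HARDENED = ("PasswordAuthentication no\nChallengeResponseAuthentication no\n"
            "PasswordAuthentication yes  # ignored, an earlier line already set it\n")
OVERRIDE = HARDENED + "Match Address 192.0.2.0/24\n    PasswordAuthentication yes\n"

if __name__ == "__main__":
    for name, cfg in (("partial", PARTIAL), ("hardened", HARDENED), ("override", OVERRIDE)):
        print(name, password_paths(cfg) or "no password path found")
```
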


