Date: Tue, 30 Sep 2008 10:22:22 +0200 (CEST) From: Oliver Fromme <olli@lurza.secnetix.de> To: freebsd-hackers@FreeBSD.ORG, healey.rich@gmail.com Subject: Re: SSH Brute Force attempts Message-ID: <200809300822.m8U8MMXV026149@lurza.secnetix.de> In-Reply-To: <48E16E93.3090601@gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Rich Healey wrote: > Recently I'm getting a lot of brute force attempts on my server, in the > past I've used various tips and tricks with linux boxes but many of them > were fairly linux specific. > > What do you BSD guys use for this purpose? There's nothing that replaces using either *good* passwords or *no* passwords at all (i.e. ssh keys instead). I completely agree with Jeremy Chadwick that using programs that change your packet filter rules automatically can be dangerous. I recommend against this. Especially it does not protect you if you have weak passwords. In fact it might open a hole that someone can successfully run a DoS attack against your machine by spoofing one of your own IP addresses, or the IP address of your upstream router, or DNS server, or whatever. If you're merely annoyed about the large amount of logging entries caused by the break-in attempts, a good solution is to move the sshd service from the standard port 22 to a different, non-standard port (e.g. 222 or whatever, but it should be a "reserved" port, i.e. less than 1024 which is the default high limit for the reserved port range). Most attackers are just "script kiddies" that use automated software that tries only port 22. You can put an entry in ~/.ssh/config on your client machines so you don't even have to remember to specify the port number when ssh'ing to your server. Alternatively you can configure sshd to listen on port 22 *and* an alternate port, and block port 22 for everything except a few known-good addresses or networks. That way you don't have to do anything special when connecting from any of your usual clients, but you can still connect from anywhere else if necessary by using the non-standard port. Of course, the non-standard port trick is *not* a security measure. It only makes your machine "a little bit more invisible" to script kiddies and prevents them from filling your log files. It might also give you a very small advance in case of zero-day attacks. It does *not* help against weak passwords or lazyness to patch known holes, or other kinds of operator failure. Best regards Oliver -- Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M. Handelsregister: Registergericht Muenchen, HRA 74606, Geschäftsfuehrung: secnetix Verwaltungsgesellsch. mbH, Handelsregister: Registergericht Mün- chen, HRB 125758, Geschäftsführer: Maik Bachmann, Olaf Erb, Ralf Gebhart FreeBSD-Dienstleistungen, -Produkte und mehr: http://www.secnetix.de/bsd "What is this talk of 'release'? We do not make software 'releases'. Our software 'escapes', leaving a bloody trail of designers and quality assurance people in its wake."
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200809300822.m8U8MMXV026149>