Date: Tue, 25 Aug 2015 16:29:51 +0300 From: "Reko Turja" <reko.turja@liukuma.net> To: "Jaime Kikpole" <jkikpole@cairodurham.org>, <freebsd-questions@freebsd.org> Subject: Re: Blocking SSH access based on bad logins? Message-ID: <22DC19936F1E477D981FCB31FD51375E@Rivendell> In-Reply-To: <CA%2Bsg5RRppb8-paYnYtL8UMnSfP0ebzUwtM4LLNGayudCwXpyag@mail.gmail.com> References: <CA%2Bsg5RRppb8-paYnYtL8UMnSfP0ebzUwtM4LLNGayudCwXpyag@mail.gmail.com>
-----Original Message-----
From: Jaime Kikpole
Sent: Tuesday, August 25, 2015 4:16 PM
To: freebsd-questions@freebsd.org
Subject: Blocking SSH access based on bad logins?

> I've noticed a number of SSH login attempts for the username "admin"
> on my FreeBSD systems. None of them have a username of "admin". So I
> was wondering if there was a way (even via a port) to tell the system,
> "If an IP tries to login as 'admin', block that IP."
>
> I'm already using SSHGuard to block certain obvious attempts to break
> in. I'm fine with altering its configs or adding/switching to a new
> port.

With pf as your firewall you could do something like this - first, define a table with:

    table <bad_hosts> persist { }

then in filter rules:

    pass in on $ext_if proto tcp from any to ($ext_if) port $tcp_login flags S/SA keep state (max-src-conn-rate 3/30, overload <bad_hosts> flush global)

where 3/30 means how many connections to the port are allowed in a set timeframe; for me it's three in 30 seconds. If that amount is exceeded, then the IP is added to the bad_hosts table. Of course, distributed attacks are rarely affected by this rule.

IMO switching the SSH port is security by obscurity; a determined attacker will eventually find the altered port if so inclined.

-Reko
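A complete pf.conf fragment built around the overload rule above, added here as an example (it is not code from the original mail). The interface name, the $ssh_port macro and the 3/30 threshold are assumptions; what it adds is the block rule that actually consumes the table, which the rule alone does not provide.

```pf
# Added example, not from the original mail. em0, $ssh_port and the
# 3/30 threshold are assumptions; adjust them to the host.
ext_if = "em0"
ssh_port = "22"

# Table that receives offending sources. 'persist' keeps the table
# across rule reloads even while it is empty.
table <bad_hosts> persist

# The overload table does nothing on its own: a rule must reference it.
# 'quick' ends evaluation here, so the pass rule below never matches
# a source that is already listed.
block in quick on $ext_if from <bad_hosts> to any

# More than 3 new connections in 30 s from one source adds that source
# to <bad_hosts>. 'flush global' also tears down every existing state
# from that source, not only the states created by this rule, so a
# host that is already logged in loses its session when it is listed.
pass in on $ext_if proto tcp from any to ($ext_if) port $ssh_port \
    flags S/SA keep state \
    (max-src-conn-rate 3/30, overload <bad_hosts> flush global)
```

Inspect the table with `pfctl -t bad_hosts -T show`, and prune it periodically (for example `pfctl -t bad_hosts -T expire 86400` from a daily cron job) so that a persistent table does not grow without bound.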