SSH Brute Force attempts
koitsu at FreeBSD.org
Tue Sep 30 03:30:37 UTC 2008
On Tue, Sep 30, 2008 at 10:10:59AM +1000, Rich Healey wrote:
> Recently I'm getting a lot of brute force attempts on my server; in the
> past I've used various tips and tricks with Linux boxes, but many of them
> were fairly Linux specific.
> What do you BSD guys use for this purpose?
This probably should've gone to -security, correct.
There are 3 ports which people often use for solving this:
The latter depends on which firewalling stack you use, and I believe
one of the other two only works with ipfw (I forget which).
I have great reservations using any of these, because they dynamically
add firewalling rules/tables to your machines based on data in log
files. For me, it smells of an accident waiting to happen.
I'm an advocate of simply blocking large netblocks where most of these
attacks come from (Latin America, eastern Europe, Asia, and Russia).
This requires that you appropriately tune things over time, and *be
intelligent* about what you're doing. :-)
What we use in our pf.conf on our production systems:
table <ssh-allow> persist file "/conf/ME/pf.conf.ssh-allow"
table <ssh-deny> persist file "/conf/ME/pf.conf.ssh-deny"
block in on $ext_if proto tcp from <ssh-deny> to any port ssh
pass in on $ext_if proto tcp from <ssh-allow> to any port ssh flags S/SA keep state
pf.conf.ssh-deny contains a list of IPs or CIDRs which are to be
blocked. I can provide this file if desired.
pf.conf.ssh-allow contains a list of IPs or CIDRs which "override"
blocks in the previous "block" rule. The reason we have this is due to
one Russian user who wasn't able to SSH into our boxes due to the
previous block rule.
You naturally have to keep pf.conf.ssh-* in sync if you have multiple
machines. You can use pfsync(4) to accomplish this task (I think), or
you can do it the obvious way (make a central distribution box that
scp/rsync's the files out and runs "/etc/rc.d/pf reload").
| Jeremy Chadwick jdc at parodius.com |
| Parodius Networking http://www.parodius.com/ |
| UNIX Systems Administrator Mountain View, CA, USA |
| Making life hard for others since 1977. PGP: 4BD6C0CB |
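An added example, not from Jeremy's post or from FreeBSD itself, of the "obvious way" he describes: a sh script for the central distribution box that checks every entry in the pf.conf.ssh-allow/deny table files before pushing them out, so a typo never reaches a remote "pf reload" and locks you out. The host list, key-based ssh access and the use of rsync are assumptions; the file paths are those from the post.

```shell
#!/bin/sh
# Added example: validate pf table files, then distribute and reload.
# Assumes ssh key access to each host; paths match the post's pf.conf.

# Return 0 if $1 is a dotted-quad IPv4 address or CIDR (a.b.c.d[/n]).
valid_entry() {
    entry=$1
    addr=${entry%%/*}
    if [ "$addr" != "$entry" ]; then       # has a /prefix part
        prefix=${entry#*/}
        case $prefix in ''|*[!0-9]*) return 1 ;; esac
        [ "$prefix" -le 32 ] || return 1
    fi
    old_ifs=$IFS; IFS=.; set -f
    set -- $addr                            # split on "." only
    set +f; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Check every non-blank, non-comment line of a table file ($1).
# Prints offenders to stderr; returns 0 if clean, 1 otherwise.
check_table_file() {
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                    # pf table files allow # comments
        line=$(printf '%s' "$line" | tr -d ' \t')
        [ -z "$line" ] && continue
        if ! valid_entry "$line"; then
            printf 'bad entry in %s: %s\n' "$1" "$line" >&2
            bad=1
        fi
    done < "$1"
    return $bad
}

# Push both table files to each host given as an argument, then reload pf
# only after "pfctl -n" confirms the remote ruleset still parses.
push_tables() {
    for f in /conf/ME/pf.conf.ssh-allow /conf/ME/pf.conf.ssh-deny; do
        check_table_file "$f" || return 1
    done
    for host in "$@"; do
        rsync -a /conf/ME/pf.conf.ssh-allow /conf/ME/pf.conf.ssh-deny \
            "$host:/conf/ME/" || return 1
        ssh "$host" 'pfctl -nf /etc/pf.conf && /etc/rc.d/pf reload' || return 1
    done
}
```

Run it as `push_tables host1 host2` from the distribution box; a bad line aborts before anything is copied.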