SSH Brute Force attempts

Oliver Fromme olli at lurza.secnetix.de
Tue Sep 30 08:22:24 UTC 2008 

Rich Healey wrote:
 > Recently I'm getting a lot of brute force attempts on my server, in the
 > past I've used various tips and tricks with linux boxes but many of them
 > were fairly linux specific.
 > 
 > What do you BSD guys use for this purpose?

There's nothing that replaces using either *good* passwords
or *no* passwords at all (i.e. ssh keys instead).

I completely agree with Jeremy Chadwick that using programs
that change your packet filter rules automatically can be
dangerous.  I recommend against this.  Especially it does
not protect you if you have weak passwords.  In fact it
might open a hole that someone can successfully run a DoS
attack against your machine by spoofing one of your own IP
addresses, or the IP address of your upstream router, or
DNS server, or whatever.

If you're merely annoyed about the large amount of logging
entries caused by the break-in attempts, a good solution
is to move the sshd service from the standard port 22 to a
different, non-standard port (e.g. 222 or whatever, but it
should be a "reserved" port, i.e. less than 1024 which is
the default high limit for the reserved port range).  Most
attackers are just "script kiddies" that use automated
software that tries only port 22.  You can put an entry
in ~/.ssh/config on your client machines so you don't even
have to remember to specify the port number when ssh'ing
to your server.

Alternatively you can configure sshd to listen on port 22
*and* an alternate port, and block port 22 for everything
except a few known-good addresses or networks.  That way
you don't have to do anything special when connecting from
any of your usual clients, but you can still connect from
anywhere else if necessary by using the non-standard port.

Of course, the non-standard port trick is *not* a security
measure.  It only makes your machine "a little bit more
invisible" to script kiddies and prevents them from filling
your log files.  It might also give you a very small
advance in case of zero-day attacks.  It does *not* help
against weak passwords or lazyness to patch known holes,
or other kinds of operator failure.

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Handelsregister: Registergericht Muenchen, HRA 74606,  Geschäftsfuehrung:
secnetix Verwaltungsgesellsch. mbH, Handelsregister: Registergericht Mün-
chen, HRB 125758,  Geschäftsführer: Maik Bachmann, Olaf Erb, Ralf Gebhart

FreeBSD-Dienstleistungen, -Produkte und mehr:  http://www.secnetix.de/bsd

"What is this talk of 'release'?  We do not make software 'releases'.
Our software 'escapes', leaving a bloody trail of designers and quality
assurance people in its wake."

More information about the freebsd-hackers mailing list