SSH Brute Force attempts

Oliver Fromme olli at lurza.secnetix.de
Tue Sep 30 14:01:29 UTC 2008


Ollivier Robert <> wrote:
 > According to Henrik Hudson:
 > > Yeap, -security
 > > 
 > > However, also try this in pf.conf (specific rules related to this; you'll need 
 > > more for a real pf.conf):
 > > 
 > > table <badguys> { } persist
 > > block in quick from <badguys>
 > > pass in on $ext_if proto tcp from any to ($ext_if) port ssh keep state 
 > > (max-src-conn 5, max-src-conn-rate 4/300, overload <badguys> flush global)
 > 
 > That one is very effective.

It's especially effective at enabling others to DoS you.
An attacker simply has to spoof the source address
on SYN packets, which is trivial.  :-(

It is marginally better to use one of those tools
that parse the logs for failed ssh logins, and use
that information to block addresses.  In order to
abuse that, an attacker would have to spoof a full
TCP connection setup plus initial SSH conversation,
which is far from trivial.

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Handelsregister: Registergericht Muenchen, HRA 74606,  Geschäftsfuehrung:
secnetix Verwaltungsgesellsch. mbH, Handelsregister: Registergericht Mün-
chen, HRB 125758,  Geschäftsführer: Maik Bachmann, Olaf Erb, Ralf Gebhart

FreeBSD-Dienstleistungen, -Produkte und mehr:  http://www.secnetix.de/bsd

"Perl will consistently give you what you want,
unless what you want is consistency."
        -- Larry Wall
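The log-parsing approach Oliver prefers, as an added example that is not part of the thread or of any FreeBSD tool: it counts sshd "Failed password" lines per source address inside a sliding window and emits the pfctl commands that would feed the `<badguys>` table. The log lines, the 4-failures-in-300-seconds threshold and the year used to complete the syslog timestamps are all constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth.log excerpt (FreeBSD syslog format, no year field).
SAMPLE_LOG = """\
Sep 30 14:00:01 gw sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Sep 30 14:00:03 gw sshd[1235]: Failed password for invalid user oracle from 203.0.113.7 port 51240 ssh2
Sep 30 14:00:05 gw sshd[1236]: Failed password for root from 203.0.113.7 port 51250 ssh2
Sep 30 14:00:09 gw sshd[1237]: Failed password for invalid user test from 203.0.113.7 port 51260 ssh2
Sep 30 14:00:12 gw sshd[1238]: Accepted publickey for olli from 198.51.100.2 port 40000 ssh2
Sep 30 14:00:20 gw sshd[1239]: Failed password for olli from 198.51.100.2 port 40002 ssh2
Sep 30 14:11:00 gw sshd[1240]: Failed password for invalid user guest from 203.0.113.9 port 3000 ssh2
"""

# A "Failed password" line is only written after the TCP handshake and the SSH
# key exchange completed, so the address in it is the peer's real one; a
# spoofed SYN never gets this far.  That is the whole point of this approach.
FAILED_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: '
    r'Failed password for (?:invalid user )?\S+ from (?P<src>[0-9a-fA-F.:]+) port \d+'
)

def parse_ts(ts, year=2008):
    """syslog timestamps carry no year; assume one (constructed assumption)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def find_offenders(log_text, max_failures=4, window_seconds=300, year=2008):
    """Return the sorted addresses with >= max_failures failed logins
    inside any window_seconds-long interval (threshold is an assumption)."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # src -> timestamps of recent failures
    flagged = set()
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue              # successful logins and other noise are ignored
        src, ts = m.group("src"), parse_ts(m.group("ts"), year)
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # drop failures that fell out of the window
        if len(q) >= max_failures:
            flagged.add(src)
    return sorted(flagged)

def pfctl_commands(addrs, table="badguys"):
    """Commands that would add the offenders to the pf table from the thread."""
    return [f"pfctl -t {table} -T add {a}" for a in addrs]
```

Running `pfctl_commands(find_offenders(SAMPLE_LOG))` on the sample yields a single command for 203.0.113.7; the one-off failure from 198.51.100.2 stays below the threshold.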
