SSH Brute Force attempts

Oliver Fromme olli at lurza.secnetix.de
Tue Sep 30 15:37:42 UTC 2008


Pierre Riteau wrote:
 > Oliver Fromme wrote:
 > > Ollivier Robert wrote:
 > > > According to Henrik Hudson:
 > > > > Yeap, -security
 > > > > 
 > > > > However, also try this in pf.conf (specific rules related to this; you'll need 
 > > > > more for a real pf.conf):
 > > > > 
 > > > > table <badguys> { } persist
 > > > > block in quick from <badguys>
 > > > > pass in on $ext_if proto tcp from any to ($ext_if) port ssh keep state 
 > > > > (max-src-conn 5, max-src-conn-rate 4/300, overload <badguys> flush global)
 > > > 
 > > > That one is very effective.
 > > 
 > > It's especially effective to enable to DoS you.
 > > An attacker simply has to spoof the source address
 > > on SYN packets, which is trivial.  :-(
 > 
 > This is not true. pf.conf(5) says:
 > 
 >      For stateful TCP connections, limits on established connections (connec-
 >      tions which have completed the TCP 3-way handshake) can also be enforced
 >      per source IP.

Thanks for the correction.  I prefer IPFW most of the time,
therefore I wasn't aware of this detail.

 >      Because the 3-way handshake ensures that the source address is not being
 >      spoofed, more aggressive action can be taken based on these limits.

s/not being spoofed/more difficult to spoof/  ;-)

Still, detecting the break-in attempts on application layer
(e.g. auth log file) is better than on TCP layer.

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Commercial register: Registry Court Munich, HRA 74606,  Management:
secnetix Verwaltungsgesellsch. mbH, Commercial register: Registry Court
Munich, HRB 125758,  Managing directors: Maik Bachmann, Olaf Erb, Ralf Gebhart

FreeBSD services, products and more:  http://www.secnetix.de/bsd

"It combines all the worst aspects of C and Lisp:  a billion different
sublanguages in one monolithic executable.  It combines the power of C
with the readability of PostScript."
        -- Jamie Zawinski, when asked: "What's wrong with perl?"
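The application-layer detection the reply argues for (counting failed logins per source address in the sshd auth log rather than counting SYNs) can be shown as a small script. The code below is an added example and is not from the thread or from any of its participants; it assumes the OpenSSH "Failed password for ... from <ip> port <n>" syslog line format, constructed sample log lines, a log year of 2008 (syslog timestamps carry no year), and the <badguys> table name from the pf.conf fragment quoted above. The threshold and window (4 failures in 300 seconds) mirror the max-src-conn-rate 4/300 in that fragment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Syslog lines carry no year; we assume 2008 (the date of this thread).
LOG_YEAR = 2008

# Constructed sample lines in OpenSSH/syslog style (not real log data).
SAMPLE_AUTH_LOG = """\
Sep 30 15:30:01 host sshd[1234]: Invalid user admin from 192.0.2.10
Sep 30 15:30:02 host sshd[1234]: Failed password for invalid user admin from 192.0.2.10 port 51000 ssh2
Sep 30 15:30:05 host sshd[1240]: Failed password for root from 192.0.2.10 port 51002 ssh2
Sep 30 15:30:09 host sshd[1245]: Failed password for root from 192.0.2.10 port 51004 ssh2
Sep 30 15:30:12 host sshd[1250]: Failed password for root from 192.0.2.10 port 51006 ssh2
Sep 30 15:31:00 host sshd[1260]: Accepted publickey for olli from 198.51.100.7 port 40000 ssh2
Sep 30 15:32:00 host sshd[1270]: Failed password for olli from 198.51.100.7 port 40002 ssh2
Sep 30 15:45:00 host sshd[1300]: Failed password for root from 192.0.2.10 port 51100 ssh2
"""

# Matches only authentication failures; sshd logs these after the TCP
# handshake and the SSH key exchange, so the address is the peer's real one.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def failed_logins(lines):
    """Return a list of (timestamp, source_ip) for each failed password attempt."""
    events = []
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=LOG_YEAR)
            events.append((ts, m.group("ip")))
    return events


def offenders(lines, threshold=4, window_seconds=300):
    """Map each source IP to the time it reached `threshold` failures within
    a sliding window of `window_seconds`. IPs below the threshold are absent."""
    per_ip = defaultdict(list)
    for ts, ip in failed_logins(lines):
        per_ip[ip].append(ts)

    flagged = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            # Slide the window start forward until it fits within window_seconds.
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = stamps[end]
                break
    return flagged


def pfctl_commands(flagged, table="badguys"):
    """Build the pfctl(8) invocations that would add each offender to the
    pf table named in the thread (assumed name; commands are returned, not run)."""
    return [f"pfctl -t {table} -T add {ip}" for ip in sorted(flagged)]


if __name__ == "__main__":
    hits = offenders(SAMPLE_AUTH_LOG.splitlines())
    for ip, when in hits.items():
        print(f"{ip} crossed the threshold at {when:%Y-%m-%d %H:%M:%S}")
    for cmd in pfctl_commands(hits):
        print(cmd)
```

In the sample data, 192.0.2.10 produces four failures within ten seconds and is flagged at the fourth one, while the single failure from 198.51.100.7 is ignored. Feeding the script a real `/var/log/auth.log` tail (for example via `tail -F`) and running the returned `pfctl` commands would populate the same <badguys> table the quoted pf rules block on, but triggered by authentication failures rather than connection counts.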
