Distributed SSH attack
Xin LI
delphij at delphij.net
Sun Oct 4 08:35:21 UTC 2009
Daniel O'Connor wrote:
> On Sat, 3 Oct 2009, krad wrote:
>> simplest thing to do is disable password auth, and use key based.
>
> Your logs are still full of crap though.
>
> I find sshguard works well, and I am fairly sure you couldn't spoof a
> valid TCP connection through pf sanitising so it would be difficult
> (nigh-impossible?) for someone to cause you to block a legit IP.
>
> If you can, changing the port sshd runs on is by far the simplest work
> around. Galling as it is to have to change stuff to work around
> malicious assholes..
Believe it or not, I find this pf.conf rule very effective to mitigate
this type of distributed SSH botnet attack:
block in quick proto tcp from any os "Linux" to any port ssh
Cheers,
--
Xin LI <delphij at delphij.net> http://www.delphij.net/
FreeBSD - The Power to Serve!
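The rule above in context, as an added pf.conf fragment that is not from this thread: it pairs the OS-fingerprint block with an exception for known admin hosts (otherwise legitimate Linux clients are locked out too) and with pf's own per-source rate limiting, which catches the non-Linux part of a botnet. em0 and 192.0.2.10 are assumed placeholder values.

```pf
# pf.conf fragment (added example, not from the thread). Assumes em0 is the
# external interface and 192.0.2.10 is a hypothetical trusted admin host.
ext_if = "em0"
table <admins> { 192.0.2.10 }
table <bruteforce> persist

# Always let known administrators in, before any OS-based block applies.
pass in quick on $ext_if proto tcp from <admins> to any port ssh \
    flags S/SA keep state

# Drop SSH from sources already caught brute-forcing (filled by the overload below).
block in quick on $ext_if proto tcp from <bruteforce> to any port ssh

# The rule from the post: drop SYNs whose TCP/IP stack fingerprints as Linux.
# Caveat: passive fingerprinting (see /etc/pf.os) is a heuristic on SYN
# characteristics, so the <admins> exception above is what keeps real Linux
# clients reachable.
block in quick on $ext_if proto tcp from any os "Linux" to any port ssh

# Everyone else: allow SSH, but more than 5 new connections from one source
# within 60 seconds adds that source to <bruteforce> and flushes its states.
pass in on $ext_if proto tcp from any to any port ssh flags S/SA keep state \
    (max-src-conn-rate 5/60, overload <bruteforce> flush global)
```

Entries in <bruteforce> stay until removed; a periodic `pfctl -t bruteforce -T expire 86400` from cron ages them out after a day.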