Blocking SSH Brute-Force Attacks: What Am I Doing Wrong?
eculp at encontacto.net
Mon Nov 13 15:18:31 UTC 2006
Quoting Andy Greenwood <greenwood.andy at gmail.com>:
> On 11/13/06, Gerard Seibert <gerard at seibercom.net> wrote:
>> On Monday November 13, 2006 at 04:10:58 (AM) Frank Staals wrote:
>>
>>> I had the same 'problem'. As said it's not really a problem since FreeBSD
>>> will hold just fine if you don't have any rather stupid user + pass
>>> combinations. ( test test or something like that ) Although I thought
>>> it was annoying that my entire log was clouded with those brute force
>>> attacks so I just set sshd to listen at another port than 22. Maybe
>>> that's an acceptable solution for you ? You can change the sshd port in
>>> /etc/ssh/sshd_config
>>
>> Security through obscurity is a bad idea. Rather, use SSH key based
>> authentication exclusively. Turn off all of the password stuff in
>> sshd_config. Laugh at the poor fools trying to break in.
>
> I second this notion. I had bruteforceblocker running and recently
> switched to key based auth only. The good news is no one is breaking
> in. The bad news is that my server is remote and difficult to get
> physical access to and the only key I uploaded initially was my work
> PC. Tried to get in from home over the weekend and found that I had
> locked myself out! Doh! Just make sure that you have at least one PC
> you can get to from anywhere which has a key to get into your server.
If you are using pf, a quick Google search gives you several differing
versions of what I am using on the servers that I maintain.
http://www.google.com.mx/search?hl=es&q=%2Bmax-src-conn-rate+%2Bpf+brute+force&btnG=B%C3%BAsqueda+en+Google&meta=
They are all max-src-conn-rate based and use the sysutils/expiretable
port to clear the blocked IP's.
An example that I haven't read is here:
http://johan.fredin.info/openbsd/block_ssh_bruteforce.html
I just took one and tweaked it over time and it works great.
I only allow 3 login attempts in 30 minutes, so the brute who is
trying to force his way in had better be a very good guesser;)
I did a bit of restricting in sshd_config also but only remember MaxAuthTries.
An unexpected side effect of this is that now I get only one or two
attempts a day and before there were multiple, simultaneous attempts
24 hours a day.
In my daily security report I see something like today's, every day.
Nov 12 10:22:15 HOME sshd[82578]: Invalid user staff from 203.152.218.209
Nov 12 10:22:22 HOME sshd[83191]: Invalid user sales from 203.152.218.209
Nov 12 10:22:29 HOME sshd[83489]: Invalid user recruit from 203.152.218.209
Nov 12 12:47:10 HOME sshd[18369]: Invalid user staff from 24.11.169.203
Nov 12 12:47:12 HOME sshd[18421]: Invalid user sales from 24.11.169.203
Nov 12 12:47:15 HOME sshd[18425]: Invalid user recruit from 24.11.169.203
Before there were pages and pages. If you aren't using PF there may
be something similar to max-src-conn-rate in your firewall, if not,
you may want to convert ;)
Good luck,
ed
>>
>>
>> --
>> Gerard
>>
>> Mail from '@gmail' is rejected and/or discarded here. Don't waste
>> your time!
>> _______________________________________________
>> freebsd-questions at freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
>
> --
> I'm nerdy in the extreme and whiter than sour cream
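The thread describes two things: ed's pf policy of allowing at most 3 new SSH connections per source address in 30 minutes (pf's `max-src-conn-rate 3/1800` with an `overload` table, cleared later by sysutils/expiretable), and the resulting log pattern of exactly three "Invalid user" lines per source before the attacker goes quiet. The following script is an added example, not code from the post or from the FreeBSD project: it parses the six sshd lines ed quoted (plus two constructed follow-up lines, marked as such) and replays them through a simple model of that rate limit, so you can see which connection would have tripped the block and why an address that returns after the window expires is admitted again. The year 2006 is an assumption added because syslog timestamps carry no year; the function and variable names are the example's own.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Lines quoted verbatim from ed's daily security report in the post.
POSTED_LINES = """\
Nov 12 10:22:15 HOME sshd[82578]: Invalid user staff from 203.152.218.209
Nov 12 10:22:22 HOME sshd[83191]: Invalid user sales from 203.152.218.209
Nov 12 10:22:29 HOME sshd[83489]: Invalid user recruit from 203.152.218.209
Nov 12 12:47:10 HOME sshd[18369]: Invalid user staff from 24.11.169.203
Nov 12 12:47:12 HOME sshd[18421]: Invalid user sales from 24.11.169.203
Nov 12 12:47:15 HOME sshd[18425]: Invalid user recruit from 24.11.169.203
"""

# Constructed lines (not from the post): a fourth attempt from the first
# address 7 seconds after its third, and one more attempt from the second
# address 43 minutes later, i.e. outside a 30-minute window.
CONSTRUCTED_LINES = """\
Nov 12 10:22:36 HOME sshd[83500]: Invalid user admin from 203.152.218.209
Nov 12 13:30:00 HOME sshd[18999]: Invalid user recruit from 24.11.169.203
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Invalid user (?P<user>\S+) from (?P<ip>\S+)$"
)

# Assumption: syslog lines carry no year, and the post is dated Nov 2006.
ASSUMED_YEAR = 2006


def parse_log(text):
    """Return a list of (timestamp, source_ip, user) for each 'Invalid user'
    line; lines that do not match are ignored."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"]))
    return events


def simulate_src_conn_rate(events, limit=3, window_s=1800):
    """Replay events through a model of pf's max-src-conn-rate limit/window_s.

    A source that opens more than `limit` connections within `window_s`
    seconds is put into the overload table; every later connection from it
    is dropped until something (expiretable in ed's setup) removes it.
    Returns (allowed, blocked, overloaded)."""
    recent = defaultdict(deque)   # per-source timestamps inside the window
    overloaded = set()
    allowed, blocked = [], []
    for ts, ip, user in sorted(events):
        if ip in overloaded:
            blocked.append((ts, ip, user))
            continue
        q = recent[ip]
        # Drop connections older than the window before counting this one.
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        q.append(ts)
        if len(q) > limit:
            overloaded.add(ip)
            blocked.append((ts, ip, user))
        else:
            allowed.append((ts, ip, user))
    return allowed, blocked, overloaded


if __name__ == "__main__":
    evts = parse_log(POSTED_LINES + CONSTRUCTED_LINES)
    ok, dropped, table = simulate_src_conn_rate(evts)
    for ts, ip, user in ok:
        print(f"allowed {ts:%b %d %H:%M:%S} {ip:16} user={user}")
    for ts, ip, user in dropped:
        print(f"BLOCKED {ts:%b %d %H:%M:%S} {ip:16} user={user}")
    print("overload table:", sorted(table))
```

The replay shows the posted pattern: the first address gets its three attempts and its constructed fourth connection lands it in the overload table, while the second address's constructed attempt 43 minutes later is admitted because the 30-minute counting window has emptied. On a real host the equivalent pf rule is of the form `pass in on $ext_if proto tcp to ($ext_if) port ssh keep state (max-src-conn-rate 3/1800, overload <bruteforce> flush global)` with `block in quick from <bruteforce>`, and a periodic `expiretable` run ages entries out of the table.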