Question about entry in auth.log

mdh mdh_lists at yahoo.com
Sat Nov 15 10:10:49 PST 2008


--- On Sat, 11/15/08, Jeremy Chadwick <koitsu at FreeBSD.org> wrote:
> From: Jeremy Chadwick <koitsu at FreeBSD.org>
> Subject: Re: Question about entry in auth.log
> To: "Lisa Casey" <lisa at mail.jellico.com>
> Cc: freebsd-questions at freebsd.org
> Date: Saturday, November 15, 2008, 2:37 AM
> On Fri, Nov 14, 2008 at 10:00:13PM -0500, Lisa Casey wrote:
> 
> The individual in Romania *was not* able to log in as michael.  The message you saw was sshd saying "Someone's trying to SSH in as user michael; SSH key negotiation failed, and now I'm asking them to type in their password manually".
> 
> It's not a prank.  Shady online individuals have written scripts/tools that repetitively beat on sshd, trying to find an account they can log in as.  They're simply scanning for valid accounts, and they also often try many passwords over and over (common things, such as the username as a password).
> 
> Welcome to the Internet circa 2008.  :(
> 
> "So how do I solve this problem?"
> 
> The easiest way: change sshd to listen on a port *other* than 22.  Many people pick 2222.  This relieves 99% of the pain, but requires you to tell your users/co-workers/peers "My box listens on port 2222 for ssh, not 22".
> 
> A secondary way: programs which monitor logs and add firewall block rules when they see too many brute force attempts coming from an IP address:
> 
> ports/security/blocksshd
> ports/security/sshblock
> ports/security/sshguard
> (I think I forgot one more, but those are the main three)

I've considered writing an sshd patch for OpenSSH to add bad-authentication throttling to it, such that X invalid attempts featuring at least Y different usernames within Z seconds from the same IP cause sshd to ignore that IP outright for a given time.  This would prevent syslog spam and not require any third-party applications.  I've written a socket abstraction library that supports throttling of this sort internally, and it's actually very easy to implement on its own.  Implementing it in OpenSSH may be more or less difficult depending on whether there's any central function that is called *every* time an authentication attempt fails.

If a few folks respond saying "I'd sure like that patch!", I would likely become more motivated to do so sooner.  

- mdh
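The throttling rule mdh sketches above (X failed attempts carrying at least Y distinct usernames within Z seconds from one source IP, after which that IP is ignored for a while) and the log-watching approach Jeremy lists (tools that read auth.log and block offenders) can be shown in one small detector. The following is an added example, not code from this thread, from OpenSSH, or from any of the ports named: it parses OpenSSH "Failed password" lines from auth.log and applies the X/Y/Z rule per source address. The log lines are constructed (TEST-NET addresses), and the thresholds, block duration and the year assumed for the year-less syslog timestamps are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# OpenSSH "Failed password" line as written to auth.log. The optional
# "invalid user" marker appears when the account does not exist at all,
# which is exactly the account-scanning behaviour described in the thread.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

SYSLOG_YEAR = 2008  # assumption: syslog timestamps carry no year


def parse_failed_auth(line):
    """Return (timestamp, user, ip) for a failed-password line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{SYSLOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["ip"]


class SshThrottle:
    """Per-IP sliding window: X failures with >= Y distinct users in Z seconds
    blocks the IP for block_seconds; attempts while blocked are ignored."""

    def __init__(self, max_attempts, min_users, window_seconds, block_seconds):
        self.max_attempts = max_attempts      # X
        self.min_users = min_users            # Y
        self.window = timedelta(seconds=window_seconds)   # Z
        self.block = timedelta(seconds=block_seconds)
        self.history = defaultdict(deque)     # ip -> deque of (ts, user)
        self.blocked_until = {}               # ip -> datetime the block expires

    def observe(self, ts, user, ip):
        """Feed one failed attempt; return 'ignored', 'blocked' or 'logged'."""
        until = self.blocked_until.get(ip)
        if until is not None and ts < until:
            return "ignored"            # still blocked: drop silently, no syslog line
        if until is not None:
            del self.blocked_until[ip]  # block expired; start counting afresh
        q = self.history[ip]
        q.append((ts, user))
        cutoff = ts - self.window
        while q and q[0][0] < cutoff:   # expire attempts outside the Z-second window
            q.popleft()
        distinct_users = {u for _, u in q}
        if len(q) >= self.max_attempts and len(distinct_users) >= self.min_users:
            self.blocked_until[ip] = ts + self.block
            q.clear()
            return "blocked"
        return "logged"                 # a normal failure, logged as today


def analyze(log_text, max_attempts=5, min_users=3, window_seconds=60, block_seconds=600):
    """Run the throttle over auth.log text; return (verdicts, blocked_until)."""
    throttle = SshThrottle(max_attempts, min_users, window_seconds, block_seconds)
    verdicts = []
    for line in log_text.splitlines():
        parsed = parse_failed_auth(line)
        if parsed is None:
            continue                    # accepted logins and other lines are irrelevant here
        ts, user, ip = parsed
        verdicts.append((ip, user, throttle.observe(ts, user, ip)))
    return verdicts, throttle.blocked_until


# Constructed sample: one scanner cycling usernames, one real user mistyping a password.
SAMPLE_LOG = """\
Nov 15 02:30:01 mail sshd[1401]: Failed password for invalid user michael from 203.0.113.7 port 40122 ssh2
Nov 15 02:30:03 mail sshd[1403]: Failed password for invalid user admin from 203.0.113.7 port 40130 ssh2
Nov 15 02:30:04 mail sshd[1405]: Failed password for root from 203.0.113.7 port 40131 ssh2
Nov 15 02:30:06 mail sshd[1407]: Failed password for invalid user oracle from 203.0.113.7 port 40140 ssh2
Nov 15 02:30:07 mail sshd[1409]: Failed password for invalid user test from 203.0.113.7 port 40142 ssh2
Nov 15 02:30:09 mail sshd[1411]: Failed password for invalid user guest from 203.0.113.7 port 40150 ssh2
Nov 15 02:31:00 mail sshd[1420]: Failed password for lisa from 198.51.100.9 port 51001 ssh2
Nov 15 02:31:05 mail sshd[1422]: Failed password for lisa from 198.51.100.9 port 51002 ssh2
Nov 15 02:31:09 mail sshd[1424]: Failed password for lisa from 198.51.100.9 port 51003 ssh2
Nov 15 02:31:12 mail sshd[1426]: Failed password for lisa from 198.51.100.9 port 51004 ssh2
Nov 15 02:31:15 mail sshd[1428]: Failed password for lisa from 198.51.100.9 port 51005 ssh2
Nov 15 02:31:20 mail sshd[1430]: Accepted password for lisa from 198.51.100.9 port 51006 ssh2
"""

if __name__ == "__main__":
    results, blocks = analyze(SAMPLE_LOG)
    for ip, user, verdict in results:
        print(f"{ip:<14} {user:<10} {verdict}")
    for ip, until in blocks.items():
        print(f"block {ip} until {until}")
```

The Y (distinct-usernames) condition is what keeps the legitimate user in the sample from being blocked: five failures for the single account lisa never trip the rule, while the scanner is blocked on its fifth attempt and its sixth produces no log line at all. A log-watching daemon would act on the "blocked" verdict by adding a firewall rule, which is what the ports Jeremy lists do.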
