Attacks on ssh port

Darren Pilgrim dmp at bitfreak.org
Sat Sep 25 17:52:07 PDT 2004



> -----Original Message-----
> From: owner-freebsd-security at freebsd.org 
> [mailto:owner-freebsd-security at freebsd.org] On Behalf Of Antony Mawer
> Sent: Saturday, September 18, 2004 6:51 PM
> To: Chris Ryan
> Cc: Frankye - ML; freebsd-security at freebsd.org
> Subject: Re: Attacks on ssh port
> 
> 
> Chris Ryan wrote:
> > protection - with the appropriate active firewall that
> > blocks their IP address after x failed attempts
> > permanently....
> 
> Has anyone found any good scripts or utilities for automating 
> this kind 
> of thing? I too have been subject to these probings, and my initial 
> thought was to firewall off any address after any number of incorrect 
> attempts.
> 
> While I could write a script to parse the ipfilter logs, I didn't want 
> to go re-inventing the wheel for something which I was sure someone 
> would have already attempted.
> 
> Anyone have any suggestions?

There are three factors: wasted bandwidth, a successful intrusion and log
noise.

Filtering mitigates bandwidth wastage.  But unless you can place the filter
out at the point where the Big Fat Pipe feeds into your comparatively small
pipe (i.e., the ISP's router), it's pointless--the scans will still eat your
bandwidth.  IP Filtering is at best a tertiary security measure.  It should
not replace proper configuration and maintenance, which is what you're
seeking to accomplish.

Check out the DenyUsers sshd_config keyword.  With it OpenSSH will block any
login attempt with an account listed by DenyUsers.  DenyUsers-listed
accounts produce logging sooner (upon receipt of the username, rather than
after four bad passwords) and have different log entries than normal
password failures.  Cutting down the log noise is then a simple matter of
adding a filter to 800.loginfail or whatever else you may be using to read
auth.log.
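An added example, not from the original thread, of the auth.log filter described above: it separates DenyUsers rejections from ordinary password failures and counts rejections per source address, which is also the input a threshold-based firewall rule would need. The sample lines are constructed, and the two sshd message formats are an assumption modeled on OpenSSH's auth.c (the DenyUsers wording varies between versions, so check DENY_RE against what your sshd actually logs).

```python
import re
from collections import Counter, defaultdict

# Constructed sample auth.log lines (not from the original post). The two
# sshd message formats are an assumption modeled on OpenSSH's auth.c.
SAMPLE_LOG = """\
Sep 25 17:40:01 host sshd[1201]: Failed password for invalid user test from 192.0.2.10 port 40112 ssh2
Sep 25 17:40:03 host sshd[1201]: Failed password for invalid user test from 192.0.2.10 port 40112 ssh2
Sep 25 17:40:05 host sshd[1201]: Failed password for invalid user test from 192.0.2.10 port 40112 ssh2
Sep 25 17:41:10 host sshd[1207]: User root from 192.0.2.10 not allowed because listed in DenyUsers
Sep 25 17:41:11 host sshd[1207]: User guest from 192.0.2.10 not allowed because listed in DenyUsers
Sep 25 17:42:00 host sshd[1213]: Failed password for alice from 198.51.100.7 port 50233 ssh2
Sep 25 17:42:30 host sshd[1215]: Accepted publickey for alice from 198.51.100.7 port 50240 ssh2
"""

FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
DENY_RE = re.compile(r"sshd\[\d+\]: User (\S+) from (\S+) not allowed because listed in DenyUsers")

def classify(lines):
    """Split lines into password failures, DenyUsers rejections and the rest (IP -> Counter of users)."""
    failures = defaultdict(Counter)
    denied = defaultdict(Counter)
    other = []
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(2)][m.group(1)] += 1
            continue
        m = DENY_RE.search(line)
        if m:
            denied[m.group(2)][m.group(1)] += 1
            continue
        other.append(line)  # accepted logins and anything we do not filter
    return failures, denied, other

def noisy_sources(lines, threshold=3):
    """Source IPs with at least `threshold` rejections; DenyUsers hits fire on the first attempt."""
    failures, denied, _ = classify(lines)
    totals = Counter()
    for table in (failures, denied):
        for ip, users in table.items():
            totals[ip] += sum(users.values())
    return sorted(ip for ip, n in totals.items() if n >= threshold)

if __name__ == "__main__":
    failures, denied, _ = classify(SAMPLE_LOG.splitlines())
    for ip in noisy_sources(SAMPLE_LOG.splitlines()):
        print(ip, sum(failures[ip].values()), "password failures,",
              sum(denied[ip].values()), "DenyUsers rejections")
```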
