Attacks on ssh port

Alex de Kruijff freebsd at akruijff.dds.nl
Mon Sep 27 08:21:59 PDT 2004


On Sun, Sep 26, 2004 at 11:36:39PM +0200, Willem Jan Withagen wrote:
> David D.W. Downey wrote:
> 
> >On Fri, 24 Sep 2004 23:49:09 +0200, Alex de Kruijff
> ><freebsd at akruijff.dds.nl> wrote:
> > 
> >
> >>>Then you can still see the attempts (and thus log the IP information
> >>>for contacting the abuse@ for the responsible IP controller) while
> >>>limiting your log sizes.
> >>>     
> >>>
> >>This only logs the first three catches (when the log attribute is set)
> >>per rule. You may want to set this a little higher like 100.
> >
> >While I agree my example of 3 was low (meant only to instruct) I would
> >say more along the lines of 25. If someone is hitting you 25 times in
> >a row and getting tagged by that rule, you can bet your butt it's not
> >a client of yours.

The way I understand it was that the rule doesn't discriminate on the
basis of IP. It just counts them all together. But I could be wrong
about this.

> >
> It is even simpler:
>    Anybody trying to use root as user for ssh-login is not a customer 
> of mine....
>    And if he has not figured out that he's doing something wrong after 
> 3 tries, little chance that he is really just making a mistake.


This is the perspective of sshd. IPFW can't see this and this value is
set for all rules. I use the logging facility mainly as a debugging tool.
If I want a certain application to work that is being blocked by ipfw,
then I flush the rule counters, run the app, check the log file, then
add rules based on my findings and then do it all again until I can run
the app. My fear is that you don't catch the rules you want to catch, if you
set this value too low, while with a large(r) value, you still stop the
logging.

-- 
Alex

Articles based on solutions that I use:
http://www.kruijff.org/alex/FreeBSD/
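Since the point under discussion is that ipfw's per-rule log limit counts every match regardless of source, the per-IP tally the thread wants for abuse reports has to come from the log lines themselves. The following is an added Python example, not code from this thread or from FreeBSD; it parses constructed ipfw syslog lines (addresses, rule numbers and interface are made up) and reports which sources crossed a threshold on the ssh rule.

```python
import re
from collections import Counter

# Constructed sample of ipfw log lines in the syslog form FreeBSD emits for
# a rule carrying the "log" option. Hosts and rule numbers are hypothetical.
SAMPLE_LOG = """\
Sep 27 08:20:01 gw kernel: ipfw: 100 Deny TCP 192.0.2.10:51234 198.51.100.5:22 in via em0
Sep 27 08:20:02 gw kernel: ipfw: 100 Deny TCP 192.0.2.10:51235 198.51.100.5:22 in via em0
Sep 27 08:20:03 gw kernel: ipfw: 100 Deny TCP 203.0.113.7:40000 198.51.100.5:22 in via em0
Sep 27 08:20:04 gw kernel: ipfw: 100 Deny TCP 192.0.2.10:51236 198.51.100.5:22 in via em0
Sep 27 08:20:05 gw kernel: ipfw: 200 Accept TCP 203.0.113.9:40001 198.51.100.5:80 in via em0
"""

IPFW_LINE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_ipfw_log(text):
    """Yield one dict per line that looks like an ipfw log entry."""
    for line in text.splitlines():
        m = IPFW_LINE.search(line)
        if m:
            yield m.groupdict()


def total_hits(text, rule):
    """What a per-rule log limit counts: every match of the rule, any source."""
    return sum(1 for e in parse_ipfw_log(text) if e["rule"] == str(rule))


def hits_per_source(text, rule, dport=22):
    """Per-source count for one rule and destination port (the abuse-report view)."""
    counts = Counter()
    for e in parse_ipfw_log(text):
        if e["rule"] == str(rule) and e["dport"] == str(dport):
            counts[e["src"]] += 1
    return counts


def sources_over_threshold(text, rule, threshold, dport=22):
    """Sources that hit the rule at least `threshold` times, sorted for reporting."""
    per_src = hits_per_source(text, rule, dport)
    return sorted(ip for ip, n in per_src.items() if n >= threshold)


if __name__ == "__main__":
    print(total_hits(SAMPLE_LOG, 100))                    # 4
    print(dict(hits_per_source(SAMPLE_LOG, 100)))
    print(sources_over_threshold(SAMPLE_LOG, 100, 3))     # ['192.0.2.10']
```

With a limit of 3 on rule 100, the kernel would have stopped logging after the third line above even though two different sources were involved; the per-source view is what tells the two apart.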