ssh brute force

Michael DeMan michael at staff.openaccess.org
Thu Jul 21 11:15:25 GMT 2005


An easier way to handle this is to simply set up some basic 
configurations for the subnets you will accept SSH from.  With pf it's 
quite easy via the table structures, and with a little creativity and 
shell scripting, it's not that tough to get ipfw or ipfilter to do it 
either.

One more step, just blocking port 22 from 61.0.0.0/8 helps 
tremendously.  We got hammered with this stuff a few weeks ago, and 
despite my comments above, trying to fully automate dozens of machines 
is an on-going labor of love for us, and there are many that do not 
have the self-built firewall rules commented as 'protect myself'.


Michael F. DeMan
Director of Technology
OpenAccess Network Services
Bellingham, WA 98225
michael at staff.openaccess.org
360-647-0785

On Jul 21, 2005, at 3:49 AM, Todor Dragnev wrote:

> Thank you.
>
> On Thursday 21 July 2005 03:43, Chris Buechler wrote:
>> On 7/20/05, Chris Jones <cdjones at novusordo.net> wrote:
>>> I'm looking at having a script look at SSH's log output for repeated
>>> failed connection attempts from the same address, and then blocking that
>>> address through pf (I'm not yet sure whether I want to do it temporarily
>>> or permanently).
>>
>> Matt Dillon wrote an app in C to do just that, with ipfw.
>> http://leaf.dragonflybsd.org/mailarchive/users/2005-03/msg00008.html
>>
>> Scott Ullrich modified it to work with pf.
>> http://pfsense.org/cgi-bin/cvsweb.cgi/tools/sshlockout_pf.c
>>
>> -Chris
>
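
An added example, not part of the original thread and not the sshlockout code linked above: one way to do the log-watching described in the quoted message while honouring the accepted-subnet list from the reply. The table name ssh_blocked, the threshold, the window, the assumed log year and the sample log lines are all assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# pf.conf side (table name is an assumption):
#   table <ssh_blocked> persist
#   block in quick proto tcp from <ssh_blocked> to any port 22
# Anchored at end of line: the user name is supplied by the client, so only
# the final "from <addr> port <n> ssh2" written by sshd is trusted.
FAILED = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
                    r"Failed password for .* from (\S+) port \d+ ssh2$")

def offenders(lines, allow=(), threshold=3, window=timedelta(minutes=5), year=2005):
    """Addresses with >= threshold failed logins inside a sliding window."""
    allowed = [ipaddress.ip_network(n) for n in allow]
    recent = defaultdict(deque)  # address -> timestamps of recent failures
    flagged = []
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(2))
        except ValueError:
            continue  # not a literal address: skip rather than guess
        if any(addr in net for net in allowed):
            continue  # never lock out subnets we accept SSH from
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        q = recent[addr]
        q.append(when)
        while when - q[0] > window:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= threshold and addr not in flagged:
            flagged.append(addr)
    return flagged

def pfctl_commands(addrs, table="ssh_blocked"):
    return [f"pfctl -t {table} -T add {a}" for a in addrs]

# Constructed sample lines using documentation address ranges.
P = "Jul 21 03:4%d:0%d gw sshd[400]: Failed password for %s port 4000 ssh2"
SAMPLE = [P % (0, i, "root from 203.0.113.7") for i in range(3)] + [
    # user name crafted to look like a log suffix; real source is 198.51.100.9
    P % (1, 0, "invalid user x from 192.0.2.99 port 1 ssh2 from 198.51.100.9"),
] + [P % (2, i, "bob from 192.0.2.10") for i in range(3)]

if __name__ == "__main__":
    print("\n".join(pfctl_commands(offenders(SAMPLE, allow=["192.0.2.0/24"]))))
```

The commands are only printed; whether a blocked address is later expired from the table is left to the operator, as in the quoted question.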
