ssh brute force

Anton Butsyk butsyk at mail.etsplus.net
Sat Jul 23 06:39:57 GMT 2005


Hi list.

I escape from SSH brute force with pf.
Just as a sample:
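    # max: states this rule may create; max-src-nodes: tracked sources;
    # max-src-states: concurrent states per source address;
    # tcp.first / tcp.closing: state timeouts in seconds
    pass in quick on $ext_if proto tcp from \
        any to $ext_if port 22 flags S/SA keep state \
        (max 200, source-track rule, max-src-nodes 100, \
        max-src-states 3, tcp.first 10, tcp.closing 10)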
With pf you can control packets on the interfaces; I love this tool.
 
Regards,

Anton.

> An easier way to handle this is to simply set up some basic 
> configurations for the subnets you will accept SSH from.  With pf it's 
> quite easy via the table structures, and with a little creativity and 
> shell scripting, it's not that tough to get ipfw or ipfilter to do it 
> either.
>
> One more step, just blocking port 22 from 61.0.0.0/8 helps 
> tremendously.  We got hammered with this stuff a few weeks ago, and 
> despite my comments above, trying to fully automate dozens of machines 
> is an on-going labor of love for us, and there are many that do not 
> have the self-built firewall rules commented as 'protect myself'.
>
>
> Michael F. DeMan
> Director of Technology
> OpenAccess Network Services
> Bellingham, WA 98225
> michael at staff.openaccess.org
> 360-647-0785
> On Jul 21, 2005, at 3:49 AM, Todor Dragnev wrote:
>
>> Thank you.
>>
>> On Thursday 21 July 2005 03:43, Chris Buechler wrote:
>>
>>> On 7/20/05, Chris Jones <cdjones at novusordo.net> wrote:
>>>
>>>> I'm looking at having a script look at SSH's log output for repeated
>>>> failed connection attempts from the same address, and then blocking
>>>> that address through pf (I'm not yet sure whether I want to do it
>>>> temporarily or permanently).
>>>
>>>
>>> Matt Dillon wrote an app in C to do just that, with ipfw.
>>> http://leaf.dragonflybsd.org/mailarchive/users/2005-03/msg00008.html
>>>
>>> Scott Ullrich modified it to work with pf.
>>> http://pfsense.org/cgi-bin/cvsweb.cgi/tools/sshlockout_pf.c
>>>
>>> -Chris
>>
>> _______________________________________________
>> freebsd-isp at freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-isp
>> To unsubscribe, send any mail to "freebsd-isp-unsubscribe at freebsd.org"
>>

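The log-watching approach raised in the quoted thread (count repeated failed SSH logins per source address, then block through pf), sketched as an added example; it is not code from this thread and not sshlockout_pf.c. Assumptions: OpenSSH "Failed password" syslog lines, a hypothetical pf table named ssh_abusers (declared with `table <ssh_abusers> persist` and referenced by a block rule in pf.conf), and the threshold, window and allow list shown as defaults.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Anchored at end of line: the username field is remote-controlled text, so
# only the trailing "from ADDR port N ssh2" written by sshd is trusted.
FAILED = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for .* from (\S+) port \d+ ssh2$")

# Constructed sample log (documentation addresses, not real traffic).
SAMPLE = [f"Jul 21 03:40:{s:02d} gw sshd[411]: Failed password for root "
          f"from 203.0.113.5 port 4000 ssh2" for s in range(5)] + [
    "Jul 21 03:41:00 gw sshd[412]: Failed password for invalid user "
    "x from 198.51.100.7 port 1 ssh2 from 192.0.2.9 port 4001 ssh2"]

def offenders(lines, threshold=5, window_s=600,
              allow=("127.0.0.0/8",), year=2005):
    """Sources with >= threshold failed logins inside window_s seconds."""
    allowed = [ipaddress.ip_network(n) for n in allow]
    recent = defaultdict(deque)   # address -> timestamps of recent failures
    flagged = []
    for line in lines:
        m = FAILED.match(line.rstrip("\n"))
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(2))
        except ValueError:
            continue              # hostname or junk: never hand it to pfctl
        if any(addr in net for net in allowed):
            continue              # never lock out management networks
        # syslog has no year field; the caller supplies one
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        q = recent[addr]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold and addr not in flagged:
            flagged.append(addr)
    return flagged

def pfctl_commands(addrs, table="ssh_abusers"):
    """Build (not run) pfctl table-add calls; table name is an assumption."""
    return [["pfctl", "-t", table, "-T", "add", str(a)] for a in addrs]
```

The commands are returned as argument lists so a caller can review them or pass them to a process runner without going through a shell.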