Blocking SSH Brute-Force Attacks: What Am I Doing Wrong?

Frank Staals frankstaals at gmx.net
Mon Nov 13 09:10:56 UTC 2006


Leo L. Schwab wrote:
> 	I recently installed FreeBSD 6.1 on my gateway.  It replaced an
> installation of FreeBSD 4.6.8 (fresh install, not an upgrade) on which I had
> disabled the SSH server.  Since all the bugs in SSH are fixed now ( :-) ), I
> thought I'd leave the server on, and am somewhat dismayed to discover that I
> now get occasional brute-force/dictionary attacks on the port.
>
> 	A little Googling revealed a couple of potentially useful tools:
> 'sshit' and 'bruteblock', both of which notice repeated login attempts from
> a given IP address and blackhole it in the firewall.  I first tried 'sshit',
> but after a couple days, I noticed in my daily reports that I was still
> getting lengthy bruteforce attempts, suggesting that 'sshit' was not working.
>
> 	So I uninstalled 'sshit' and installed 'bruteblock'.  But again a
> couple days later, the logs showed lengthy bruteforce attempts going
> unblocked.
>
> 	The relevant lines from my /etc/syslog.conf file are:
>
> ----
> auth.info;authpriv.info				/var/log/auth.log
> auth.info;authpriv.info		| exec /usr/local/sbin/bruteblock -f /usr/local/etc/bruteblock/ssh.conf
> ----
>
> 	Any hints as to what I might be doing wrong?
>
> 					Thanks,
> 					Schwab
>   
I had the same 'problem'. As said, it's not really a problem since FreeBSD 
will hold just fine if you don't have any rather stupid user + pass 
combinations (test test or something like that). Although I thought 
it was annoying that my entire log was clouded with those brute force 
attacks, so I just set sshd to listen at another port than 22. Maybe 
that's an acceptable solution for you? You can change the sshd port in 
/etc/ssh/sshd_config

Good luck,

-- 
-Frank Staals
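
Added example, not part of either message and not the code of 'sshit' or 'bruteblock': a sketch of the per-address counting that the question describes such tools as doing, run over auth.log-style lines. The OpenSSH "Failed password" line format, the threshold, the window, the assumed year and the sample lines are all assumptions or constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# OpenSSH "Failed password" line as syslog writes it to auth.log. The user name
# is attacker-supplied, so the greedy ".+" plus the "$" anchor take the address
# from the END of the line, which is the part sshd itself appended.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?.+ "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

# Constructed sample lines (documentation addresses, made-up host and PIDs).
SAMPLE = """\
Nov 13 09:10:01 gw sshd[801]: Failed password for invalid user test from 192.0.2.10 port 40001 ssh2
Nov 13 09:10:03 gw sshd[802]: Failed password for root from 192.0.2.10 port 40002 ssh2
Nov 13 09:10:05 gw sshd[803]: Failed password for invalid user a from 203.0.113.9 port 1 from 192.0.2.10 port 40003 ssh2
Nov 13 09:10:07 gw sshd[804]: Failed password for invalid user admin from 192.0.2.10 port 40004 ssh2
Nov 13 09:12:00 gw sshd[805]: Failed password for leo from 198.51.100.7 port 50001 ssh2
Nov 13 09:20:00 gw sshd[806]: Failed password for leo from 198.51.100.7 port 50002 ssh2
Nov 13 09:21:00 gw sshd[807]: Accepted password for leo from 198.51.100.7 port 50003 ssh2
""".splitlines()


def offenders(lines, max_failures=4, window=timedelta(minutes=1), year=2006):
    """Map each source IP to the time it reached max_failures within window."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = {}
    for line in lines:
        m = FAILED.match(line)
        if not m or m["ip"] in flagged:
            continue
        # Classic syslog timestamps carry no year, so one is assumed.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:      # drop failures older than the window
            q.popleft()
        if len(q) >= max_failures:
            flagged[m["ip"]] = ts
    return flagged


if __name__ == "__main__":
    for ip, when in offenders(SAMPLE).items():
        print(f"{when:%b %d %H:%M:%S} {ip} reached the failure threshold")
```

The third sample line carries a user name containing " from 203.0.113.9 port 1"; a pattern that takes the first address on the line would count that failure against the wrong host.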
