Blocking SSH Brute-Force Attacks: What Am I Doing Wrong?

Damian Wiest dwiest at vailsys.com
Mon Nov 13 23:43:25 UTC 2006


On Mon, Nov 13, 2006 at 12:19:27PM +0600, Bachilo Dmitry wrote:
> On Monday 13 November 2006 12:05, Leo L. Schwab wrote:
> > 	I recently installed FreeBSD 6.1 on my gateway.  It replaced an
> > installation of FreeBSD 4.6.8 (fresh install, not an upgrade) on which I
> > had disabled the SSH server.  Since all the bugs in SSH are fixed now ( :-)
> > ), I thought I'd leave the server on, and am somewhat dismayed to discover
> > that I now get occasional brute-force/dictionary attacks on the port.
> >
> > 	A little Googling revealed a couple of potentially useful tools:
> > 'sshit' and 'bruteblock', both of which notice repeated login attempts from
> > a given IP address and blackhole it in the firewall.  I first tried
> > 'sshit', but after a couple days, I noticed in my daily reports that I was
> > still getting lengthy bruteforce attempts, suggesting the 'sshit' was not
> > working.
> >
> > 	So I uninstalled 'sshit' and installed 'bruteblock'.  But again a
> > couple days later, the logs showed lengthy bruteforce attempts going
> > unblocked.
> >
> > 	The relevant lines from my /etc/syslog.conf file are:
> >
> > ----
> > auth.info;authpriv.info				/var/log/auth.log
> > auth.info;authpriv.info		| exec /usr/local/sbin/bruteblock -f /usr/local/etc/bruteblock/ssh.conf
> > ----
> >
> > 	Any hints as to what I might be doing wrong?
> >
> > 					Thanks,
> > 					Schwab
> 
> Why don't you just relax? :-) All my FreeBSD servers are bruteforced every 
> second. So what? 

Now, granted this was with FreeBSD 6.0, but I've had systems panic when 
they got flooded with FTP attempts.  No problem yet with sshd, but I'd 
deny password based authentication and stick to public key 
authentication with passphrases.

-Damian
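As an added example (not code from this thread, sshit or bruteblock), the detection step the tools above perform: scan auth.log-style sshd lines, count failed password attempts per source address, and print the sources at or above a threshold so they can be fed to a firewall table. It assumes the standard OpenSSH "Failed password for ... from A.B.C.D port N ssh2" message format; the sample log lines are constructed.

```shell
#!/bin/sh
# Added example: count failed sshd password attempts per source IP from
# auth.log-style input and list the offenders. This is the decision step
# sshit/bruteblock make before blackholing an address in the firewall.
# Assumed log format (OpenSSH default):
#   "sshd[PID]: Failed password for [invalid user] NAME from A.B.C.D port N ssh2"

# brute_sources THRESHOLD < auth.log
# Prints "COUNT IP" for every IP with COUNT >= THRESHOLD, most active first.
brute_sources() {
    threshold="${1:-5}"
    awk -v th="$threshold" '
        /sshd\[[0-9]+\]: Failed password for/ {
            # the source address is the field after the word "from"
            for (i = 1; i < NF; i++)
                if ($i == "from") { fails[$(i+1)]++; break }
        }
        END {
            for (ip in fails)
                if (fails[ip] >= th) printf "%d %s\n", fails[ip], ip
        }
    ' | sort -rn
}

# Turn the offender list into pf table commands. Only printed here, never
# executed, so the operator can review before applying (table name assumed).
block_commands() {
    while read -r count ip; do
        printf 'pfctl -t bruteforce -T add %s   # %s failures\n' "$ip" "$count"
    done
}

# Constructed sample log lines (documentation addresses, not real hosts)
SAMPLE_LOG='Nov 13 12:01:01 gw sshd[812]: Failed password for invalid user admin from 192.0.2.10 port 4100 ssh2
Nov 13 12:01:03 gw sshd[813]: Failed password for invalid user test from 192.0.2.10 port 4101 ssh2
Nov 13 12:01:04 gw sshd[814]: Failed password for root from 203.0.113.5 port 5200 ssh2
Nov 13 12:01:05 gw sshd[815]: Failed password for invalid user oracle from 192.0.2.10 port 4102 ssh2
Nov 13 12:01:07 gw sshd[816]: Failed password for root from 203.0.113.5 port 5201 ssh2
Nov 13 12:01:08 gw sshd[817]: Failed password for invalid user guest from 192.0.2.10 port 4103 ssh2
Nov 13 12:01:09 gw sshd[820]: Accepted publickey for schwab from 198.51.100.7 port 5000 ssh2'

# Stand-alone run: three or more failures from one address is enough.
demo() {
    printf '%s\n' "$SAMPLE_LOG" | brute_sources 3
}

demo | block_commands
```

On a live system the input would be `tail -f /var/log/auth.log` or the syslog pipe from the thread; note that the "Accepted publickey" line is ignored, which is the behaviour Damian's advice to drop password authentication relies on.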

