Security blocking question

Matthew Seaman m.seaman at infracaninophile.co.uk
Fri Oct 9 21:56:25 UTC 2009 

Aflatoon Aflatooni wrote:
> Hi,
> The production server that has a public IP address has SSH enabled. This server is continuously under dictionary attack:
> Oct  8 12:58:40 seven sshd[32248]: Invalid user europa from 83.65.199.91
> Oct  8 12:58:40 seven sshd[32250]: Invalid user hacked from 83.65.199.91
> Oct  8 12:58:40 seven sshd[32251]: Invalid user cop\r from 83.65.199.91
> Oct  8 12:58:41 seven sshd[32254]: Invalid user gel from 83.65.199.91
> Oct  8 12:58:41 seven sshd[32255]: Invalid user dork from 83.65.199.91
> Oct  8 12:58:41 seven sshd[32258]: Invalid user eva from 83.65.199.91
> Oct  8 12:58:41 seven sshd[32260]: Invalid user hacker from 83.65.199.91
> Oct  8 12:58:41 seven sshd[32261]: Invalid user copila\r from 83.65.199.91
> Oct  8 12:58:42 seven sshd[32265]: Invalid user dorna from 83.65.199.91
> Oct  8 12:58:42 seven sshd[32264]: Invalid user gelo from 83.65.199.91
> Oct  8 12:58:42 seven sshd[32268]: Invalid user evara from 83.65.199.91
> Oct  8 12:58:43 seven sshd[32270]: Invalid user hack from 83.65.199.91
> Oct  8 12:58:43 seven sshd[32271]: Invalid user copil\r from 83.65.199.91
> Oct  8 12:58:43 seven sshd[32274]: Invalid user Doubled from 83.65.199.91
> Oct  8 12:58:43 seven sshd[32275]: Invalid user gelos from 83.65.199.91
> Oct  8 12:58:44 seven sshd[32278]: Invalid user eve from 83.65.199.91
> 
> Is there a way that I could configure the server so that if there are for example X attempts from an IP address then for the next Y hours all the SSH requests would be ignored from that IP address? 
> There are only a handful of people who have access to that server.

Yes.

In pf.conf:

table <ssh-bruteforce> persist

[...]

block drop in log quick on $ext_if from <ssh-bruteforce>

[...]

pass in on $ext_if proto tcp      \
     from any to $ext_if port ssh \
     flags S/SA keep state        \
     (max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global)

plus you'll need to add a cron job to clear old entries out of the ssh-bruteforce
table after a suitable amount of time has passed.  Use expiretable to do
that.  Note: in practice I've found that it's a *really good idea* to implement a 
SSH whitelist of addresses that will never be bruteforce blocked like this -- it's 
very easy to lock yourself out even if everything you're doing is entirely 
legitimate.  Coding that is left as an exercise for the reader.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 259 bytes
Desc: OpenPGP digital signature
Url : http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20091009/4c5934c1/signature.pgp

More information about the freebsd-questions mailing list