Blocking a slow-burning SSH bruteforce
vince at unsane.co.uk
Fri Jan 1 17:08:35 UTC 2010
David Rawling wrote:
> On 2/01/2010 2:07 AM, J.D. Bronson wrote:
>> Few options I can think of in random order...I use #1:
>> 1. Run SSH on an obscure port. Seriously, thats one of the easiest
>> things to do. Since I have done that, I have had ZERO attempts and it
>> works perfectly as long as users know the odd port. In fact, I dont
>> know anyone in our IT circle of friends that runs SSH on port 22.
>> 2. Consider controlling/limiting access via 'pf' if your running 'pf'.
>> Of course with your examples coming from all different IPs, thats not
>> likely gonna help much.
>> 3. Just ignore it - they aren't getting in...similar to spammers
>> being rejected by RBLs....its traffic, but cant be a whole lot.
>> 4. Limit login time window too...I run a very narrow window of time
>> to login and a LOW number of attempted logins per session.
> 1 is out because 22 is the one port that most organisations (including
> mine) allow out of their networks for administering routers.
> 2 is unfortunately not an option (as a consultant I do work from many
> 4 - again I might have to log in any time ...
> 3 seems the best approach.
> Thanks for your thoughts, it's good to get second opinions.
A final option is something like port knocking.
(http://www.portknocking.org/) basicly a demon that checks if a specific
packet/sequence has been blocked by the firewall and opens a port if the
conditions are met. I havent actually tried it and it sounds a bit
fiddely to be honest but it should work and theres security/knock in
ports if you want to try it.
More information about the freebsd-questions