Blocking SSH access based on bad logins?
Reko Turja
reko.turja at liukuma.net
Tue Aug 25 13:30:03 UTC 2015
-----Original Message-----
From: Jaime Kikpole
Sent: Tuesday, August 25, 2015 4:16 PM
To: freebsd-questions at freebsd.org
Subject: Blocking SSH access based on bad logins?
> I've noticed a number of SSH login attempts for the username "admin"
> on my FreeBSD systems. None of them have a username of "admin". So I
> was wondering if there was a way (even via a port) to tell the system,
> "If an IP tries to login as 'admin', block that IP."
> I'm already using SSHGuard to block certain obvious attempts to break
> in. I'm fine with altering its configs or adding/switching to a new
> port.
With pf as your firewall you could do something like this -
first, define a table with:
table <bad_hosts> persist { }
then in filter rules:
pass in on $ext_if proto tcp from any to ($ext_if) port $tcp_login \
    flags S/SA keep state \
    (max-src-conn-rate 3/30, overload <bad_hosts> flush global)
where 3/30 means how many connections to the port are allowed in a set timeframe,
for me it's three in 30 seconds. If that amount is exceeded, then the IP is
added to bad_hosts table. Of course, distributed attacks are rarely affected
by this rule.
IMO switching the SSH port is security by obscurity; a determined attacker will
eventually find the altered port if so inclined.
-Reko
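
A complete pf.conf fragment built around the rule in the reply above, added here as an example and not part of the original message. The overload table only collects addresses, so a block rule is needed for it to have any effect. The interface name, the port value, the <trusted> table and its address are assumptions made for illustration.

```conf
# Added example, not from the original post. Assumed values are marked.
ext_if    = "em0"    # assumption: external interface name
tcp_login = "22"     # assumption: the port(s) sshd listens on

# Filled at runtime by the overload option below.
table <bad_hosts> persist

# Assumption: a management address that must never be locked out
# (192.0.2.10 is a documentation address, constructed for this example).
table <trusted> const { 192.0.2.10 }

# "quick" makes the first matching rule final, so order matters here.
# 1. Trusted sources skip the rate limit entirely.
pass in quick on $ext_if proto tcp from <trusted> to ($ext_if) \
    port $tcp_login flags S/SA keep state

# 2. Anything already in <bad_hosts> is dropped. Without this rule the
#    table fills up but nothing is ever blocked.
block in quick on $ext_if from <bad_hosts>

# 3. Everyone else: more than 3 connections in 30 seconds from one source
#    puts that source in <bad_hosts>, and "flush global" kills all of its
#    existing states, not only the ones created by this rule.
pass in on $ext_if proto tcp from any to ($ext_if) port $tcp_login \
    flags S/SA keep state \
    (max-src-conn-rate 3/30, overload <bad_hosts> flush global)

# Operating the table from the shell:
#   pfctl -nf /etc/pf.conf               parse the ruleset without loading it
#   pfctl -t bad_hosts -T show           list the blocked addresses
#   pfctl -t bad_hosts -T expire 86400   remove entries older than 24 hours
#   pfctl -t bad_hosts -T delete ADDR    unblock a single address
```

Entries in a persist table are never removed on their own, so the expire command is typically run from cron.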