machine hangs on occasion - correlated with ssh break-in attempts

[Dewayne Geraghty]

There are many excellent suggestions on how to deal with invalid/unauthorised access attempts via ssh.  I'd used sshguard for around 8 months but recently changed to bruteblock, both are in the ports/security.  sshguard was very easy to configure, via rc.conf arguments.    Bruteblock handled the same problem more elegantly: uses two processes one for monitoring audit.log, via a pipe and one for maintaining the ipfw table entries, it uses the ipfw table value with the date/time entered, and the C code is cleaner (some optimisations are possible but this is V0.5).  

If you'd like to try it here are the steps I used to get it going:


Install package


Configure /usr/local/etc/bruteblock-ssh.conf (Using regexp
from sample, but modify parameters to suite your environment.)

regexp      =
sshd.*Illegal user \S+ from (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})

regexp1     =
sshd.*Failed password for (?:illegal user )?\S+ from
(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}

# three failures in 3 minutes is blocked for a day, using ipfw2 table 10max_count   = 3

within_time = 180

reset_ip    = 86400

ipfw2_table_no = 10

 

Insert into "/etc/syslog.conf"

auth.info;authpriv.info |exec /usr/local/sbin/bruteblock –f /usr/local/etc/bruteblock-ssh.conf
Add to firewall rules (and /etc/rc.firewall)ipfw add 4 deny ip from table\(10\) to any
ipfw add 4 deny ip from any to table\(10\) Add into /etc/rc.confbruteblockd_enable="YES"
bruteblockd_table="10"
bruteblockd_flags="-s 7200"  # How frequently to review the ipfw table for entry removal Now restart syslog, and start bruteblockd/etc/rc.d/syslogd restart
/usr/local/etc/rc.d/bruteblockd.sh start



      Win a MacBook Air or iPod touch with Yahoo!7. http://au.docs..yahoo.com/homepageset