chris at vindaloo.com
Thu Dec 21 12:12:06 PST 2006
Oliver Fromme wrote:
[ snip ]
> In general that's not a good idea. If you do it wrong, it
> makes DoS attacks against your machine easier (i.e. a clever
> attacker might be able to lock you out of your own
> machine). And getting it right is not easy.
> The best way to prevent brute-forcing is to use good
> passwords, or -- even better -- don't use passwords at all, but
> key authentication or OTP (SKey / OPIE).
> Another thing that you can do is to move the sshd to a
> non-standard port (i.e. something other than 22). Attackers
> who look for machines for brute-forcing usually scan
> networks for port 22 only. However, note that using a
> non-standard port does _not_ make your machine more secure
> (that would rather be "security by obscurity"). It only
> prevents your machine from appearing in standard ssh scans,
> so it gets rid of almost all of the "ssh login failures"
> in your daily run output which result from such attempts.
First, I want to second Oliver's advice. If it's at all possible, switch
to using public keys for authentication with ssh and disallow password
authentication. This completely stops the brute-forcing attacks from
filling up your periodic security mail.
Second, and I know that you are using ipfw, I use pf with the following:
## Table of blackholed addresses; "persist" keeps the table around even
## when no rule currently references it.
table <blackhole> persist
## Allow people into the ssh server but if they are just wasting my time
## blackhole them. The block rule must come first so it matches before
## the pass rule.
block in quick from <blackhole>
## More than 5 new connections in 60 seconds from one source adds that
## source to <blackhole>; "flush global" also kills every existing state
## from that source, not just the ones created by this rule.
pass in on $ext_if proto tcp to $ext_if port 22 flags S/SA keep state \
    (max-src-conn-rate 5/60, overload <blackhole> flush global)
This automatically adds addresses to the blackhole table if they try to
initiate connections to ssh at a rate of more than 5 connects per minute.
Oliver's warning applies here also. Using spoofing, someone could force
an arbitrary IP address into the blackhole table and make my life
difficult. Awareness of that hole is an important part of using this
tactic as a part of your security profile.
More information about the freebsd-stable
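To make the overload behaviour and the spoofing caveat above concrete, here is a small Python model of what the quoted pf rules do with a stream of new SSH connections. It is an added example, not code from the original message or from pf itself. Two things are assumptions: the sliding 60-second window only approximates pf's real rate counter, and the `trusted` allow-list is an addition the quoted rules do not have, included to show one way of keeping a spoofer from forcing your own address into the blackhole table. All sample connections are constructed.

```python
"""Model of pf's max-src-conn-rate / overload <table> behaviour.

Added example, not pf's own code. It models these rules:

    table <blackhole> persist
    block in quick from <blackhole>
    pass in on $ext_if proto tcp to $ext_if port 22 flags S/SA keep state \
        (max-src-conn-rate 5/60, overload <blackhole> flush global)

Assumptions: a sliding window approximates pf's rate counter, and the
`trusted` allow-list is an addition the quoted rules do not have.
"""
from collections import defaultdict, deque

RATE_LIMIT = 5     # max-src-conn-rate 5/60: more than 5 new connections ...
RATE_WINDOW = 60   # ... within 60 seconds from one source triggers overload

# Constructed sample input: (seconds, source address) for each new SYN to port 22.
SAMPLE_CONNECTIONS = (
    # A legitimate admin at 198.51.100.7 logs in three times over half an hour.
    [(0, "198.51.100.7"), (900, "198.51.100.7"), (1800, "198.51.100.7")]
    # A scanner at 203.0.113.9 opens 8 connections in 15 seconds.
    + [(10 + 2 * i, "203.0.113.9") for i in range(8)]
    # An attacker forges 6 SYNs carrying the admin's address as source,
    # then the real admin tries to log in again.
    + [(3000 + i, "198.51.100.7") for i in range(6)]
    + [(3100, "198.51.100.7")]
)


class OverloadTable:
    """Per-source connection rate tracking plus the resulting <blackhole> table."""

    def __init__(self, limit=RATE_LIMIT, window=RATE_WINDOW, trusted=()):
        self.limit = limit
        self.window = window
        self.trusted = frozenset(trusted)   # never overloaded (assumed addition)
        self.recent = defaultdict(deque)    # src -> timestamps inside the window
        self.states = defaultdict(int)      # src -> number of live states
        self.blackhole = set()              # contents of table <blackhole>

    def new_connection(self, ts, src):
        """Apply the rules to one new SYN; return 'blocked', 'overloaded' or 'passed'."""
        # block in quick from <blackhole>: once listed, nothing gets through.
        if src in self.blackhole:
            return "blocked"
        window = self.recent[src]
        window.append(ts)
        while ts - window[0] >= self.window:   # drop SYNs older than the window
            window.popleft()
        # max-src-conn-rate: the (limit + 1)-th connection inside the window overloads.
        if len(window) > self.limit and src not in self.trusted:
            self.blackhole.add(src)
            # flush global: every existing state from this source is killed,
            # not only the ones created by this rule.
            self.states[src] = 0
            return "overloaded"
        # keep state: the connection is admitted and a state entry created.
        self.states[src] += 1
        return "passed"


def run(connections, trusted=()):
    """Replay connections in time order; return the table and per-connection verdicts."""
    table = OverloadTable(trusted=trusted)
    verdicts = [(ts, src, table.new_connection(ts, src))
                for ts, src in sorted(connections)]
    return table, verdicts


if __name__ == "__main__":
    for label, trusted in (("no allow-list", ()),
                           ("admin allow-listed", ("198.51.100.7",))):
        table, verdicts = run(SAMPLE_CONNECTIONS, trusted)
        print(f"{label}: blackhole = {sorted(table.blackhole)}")
        for ts, src, verdict in verdicts:
            if verdict != "passed":
                print(f"  t={ts:5d} {src:15} {verdict}")
```

Without the allow-list the forged SYNs put the admin's own address into the table and the real admin's next login is blocked, which is exactly the lockout the thread warns about. On a real pf host, `pfctl -t blackhole -T show` lists the current entries and `pfctl -t blackhole -T expire 86400` (for example from cron) drops entries older than a day, so an address a spoofer managed to plant does not stay blocked indefinitely; an allow-list like `trusted` corresponds to an earlier `pass in quick` rule for your own addresses, which is an addition to the quoted rules, not part of them.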