Block IP

Christopher Hilton chris at
Thu Dec 21 12:12:06 PST 2006

Oliver Fromme wrote:

[ snip ]
> In general that's not a good idea.  If you do it wrong, it
> makes DoS attacks against your machine easier (i.e. a clever
> attacker might be able to lock you out of your own
> machine).  And getting it right is not easy.
> The best way to prevent brute-forcing is to use good pass-
> words, or -- even better -- don't use passwords at all, but
> key authentication or OTP (SKey / OPIE).
> Another thing that you can do is to move the sshd to a non-
> standard port (i.e. something other than 22).  Attackers
> who look for machines for brute-forcing usually scan
> networks for port 22 only.  However, note that using a
> non-standard port does _not_ make your machine more secure
> (that would rather be "security by obscurity").  It only
> prevents your machine from appearing in standard ssh scans,
> so it gets rid of almost all of the "ssh login failures"
> in your daily run output which result from such attempts.

First, I want to second Oliver's advice. If it's at all possible, switch 
to using public keys for authentication with ssh and disallow password 
authentication. This completely stops the brute-forcing attacks from 
filling up your periodic security mail.

Second, and I know that you are using ipfw, I use pf with the following: 

table <blackhole> persist

## Allow people into the ssh server but if they are just wasting my time 
## blackhole them.

block in quick from <blackhole>
pass in on $ext_if proto tcp to $ext_if port 22 flags S/SA keep state \
     (max-src-conn-rate 5/60, overload <blackhole> flush global)

This automatically adds addresses to the blackhole table if they try to 
initiate connections to ssh at a rate of more than 5 connects per minute.

Oliver's warning applies here also. Using spoofing, someone could force 
an arbitrary IP address into the blackhole table and make my life 
difficult. Awareness of that hole is an important part of using this 
tactic as a part of your security profile.

-- Chris
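The rule Chris posted on its own, placed in a complete pf.conf, together with the safeguard both he and Oliver allude to (a spoofed flood pushing your own address into the table). This is an added example and not the configuration from the post; it assumes the external interface is em0 and that 192.0.2.10 (a documentation-range placeholder) is the host you administer the machine from:

```pf
# Added example (not the original post's config): a fuller pf.conf built
# around the posted rule. Assumptions: the external interface is em0 and
# 192.0.2.10 is the admin host (documentation-range placeholder address).
ext_if = "em0"

# Addresses that must never be blackholed, even if spoofed SYNs from them
# would otherwise trip the rate limit. Keep this list short and specific.
table <trusted> persist { 192.0.2.10 }

# Addresses that exceeded the ssh connection-rate limit.
table <blackhole> persist

set skip on lo0

# Trusted hosts are matched first and never reach the overload rule, so an
# entry for them in <blackhole> (spoofed or otherwise) cannot lock you out.
pass in quick on $ext_if proto tcp from <trusted> to $ext_if port 22 \
     flags S/SA keep state

# Drop anything already in the blackhole table.
block in quick from <blackhole>

# Allow ssh, but more than 5 new connections from one source within 60
# seconds adds that source to <blackhole> and flushes all of its states.
pass in on $ext_if proto tcp to $ext_if port 22 flags S/SA keep state \
     (max-src-conn-rate 5/60, overload <blackhole> flush global)
```

Because entries added by `overload` are permanent until removed, it helps to watch the table and age it out: `pfctl -t blackhole -T show` lists what has been caught, `pfctl -t blackhole -T expire 86400` (run from a daily cron job) drops entries older than a day, and `pfctl -t blackhole -T delete <address>` clears a single address by hand when a legitimate host was swept up.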

More information about the freebsd-stable mailing list