From: Erik Norgaard <norgaard@locolomo.org>
Date: Wed, 20 Sep 2006 17:24:46 +0200
To: Elijah Savage
Cc: Joao Barros, questions@freebsd.org
Subject: Re: sshd brute force attempts?
Message-ID: <45115D3E.5080802@locolomo.org>
In-Reply-To: <4511483C.6080607@reyrey.net>
References: <20060919165400.A4380@prime.gushi.org> <70e8236f0609191412p5779d94cqa16df5631f4de916@mail.gmail.com> <4511483C.6080607@reyrey.net>
List-Id: User questions <freebsd-questions@freebsd.org>

Elijah Savage wrote:
> Joao Barros wrote:
>> I'm using BruteForceBlocker quite successfully.
>> I take the opportunity to thank danger for it :-)
>>
>> http://www.freshports.org/security/bruteforceblocker/
>>
> I use /usr/ports/security/denyhost
>
> It was very easy to install and set up; the config file is commented so
> well and has so many different parameters. I get reports like this
> anytime my thresholds are crossed.
Both seem to do the same thing: react to failed attempts by maintaining statistics of offending hosts. But this is a losing game; it assumes a default permit policy. You might wish to read Ranum's "The Six Dumbest Ideas in Computer Security":

http://www.ranum.com/security/computer_security/index.html

So, great, you block an IP from some offending host - after it stopped. And if the same host comes back, then it will likely have a different IP. Nothing gained.

Taking the consequences, employ a default deny policy. Then allow what you can trust.

1) As I wrote elsewhere, almost everyone can block out the large part of the Internet. Allow only the countries that you know your users are likely to visit; a filter is here:

http://www.daemonsecurity.com/pub/src/tools/cc-cidr.pl

Of course, this won't be perfect; there are also compromised machines in good countries. When you see the remaining attacks, don't just block the IP but the whole network as registered with whois. whois.cyberabuse.org produces output that can easily be scripted.

You can be more restrictive and enforce stronger authentication, and it is very simple to implement:

2) Do you trust any system? Packet Filter includes passive OS fingerprinting that allows you to block untrusted systems. Why allow your users to log in from deprecated Windows 95/98/ME hosts?

3) Disable shell access, or at least ssh access, for common system users.

4) Enforce strong passwords or switch to ssh keys.

Finally: Relax! Yes, there are some entries in your log, but evidently no one got in, so why care? There are tons of cracking attempts in your apache log files; there are tons of relaying attempts in your maillog. All these attempts consume bandwidth and disk space as the connection is attempted and logged. But if this does not interrupt your service, there is really no need to worry about it.

Blocking failed login attempts does not make your system safer - the attempt failed! The log will just be in your firewall log.
In the vast majority of cases, these are scripted attacks and are defeated by simple means such as those described above. You will be wasting your time trying to block individual hosts as events occur. Meanwhile other problems do not get your attention; spam is much more difficult to handle and a much greater problem than failed ssh attempts.

Cheers, Erik

--
Ph: +34.666334818
web: http://www.locolomo.org
X.509 Certificate: http://www.locolomo.org/crt/8D03551FFCE04F0C.crt
Key ID: 69:79:B8:2C:E3:8F:E7:BE:5D:C3:C3:B1:74:62:B8:3F:9F:1F:69:B9
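The default-deny approach Erik outlines (points 1 and 2 above), written out as a pf.conf for a FreeBSD host that exposes only ssh. This is an added example, not a configuration from Erik's mail or from any of the tools the thread mentions. It assumes the external interface is em0, that /etc/pf/allowed-cc.txt holds the country CIDR list produced by the cc-cidr.pl script he links to, that /etc/pf/blocked-nets.txt holds the networks you added by hand after a whois lookup (both paths are hypothetical), and that the OS names match entries in pf's fingerprint file /etc/pf.os.

```conf
# Added example pf.conf (not from the original mail): default deny, then
# allow ssh only from trusted address space and from identifiable clients.
# Assumed interface name.
ext_if = "em0"

# 1) Trusted address space: a table loaded from the cc-cidr.pl output
#    (hypothetical path), plus the networks blocked by hand after whois.
table <allowed_cc> persist file "/etc/pf/allowed-cc.txt"
table <blocked_nets> persist file "/etc/pf/blocked-nets.txt"

set skip on lo0
set block-policy drop
scrub in all

# Default deny: nothing passes unless a later rule explicitly allows it.
# Logging inbound blocks is where the failed attempts will now show up.
block in log all
block out all

# Hand-blocked networks are dropped before any pass rule is considered.
block in quick on $ext_if from <blocked_nets> to any

# 2) Passive OS fingerprinting on the initial SYN: refuse ssh from legacy
#    Windows clients and from hosts pf cannot fingerprint at all.
block in quick on $ext_if proto tcp from any os "Windows 95" to ($ext_if) port ssh
block in quick on $ext_if proto tcp from any os "Windows 98" to ($ext_if) port ssh
block in quick on $ext_if proto tcp from any os unknown to ($ext_if) port ssh

# Allow ssh only from the trusted country list, and cap the rate of new
# connections per source so a scripted run from one allowed host is
# throttled rather than answered at full speed (5 new connections / 30 s).
pass in on $ext_if proto tcp from <allowed_cc> to ($ext_if) port ssh \
    flags S/SA keep state (max-src-conn-rate 5/30)

# Outbound traffic originating on this host is allowed.
pass out on $ext_if all keep state
```

Load it with `pfctl -f /etc/pf.conf` after checking it with `pfctl -nf /etc/pf.conf`; the tables can be refreshed without reloading the rules using `pfctl -t allowed_cc -T replace -f /etc/pf/allowed-cc.txt`. Points 3 and 4 belong in sshd_config rather than pf: `AllowGroups` restricts which accounts may log in over ssh at all, and `PasswordAuthentication no` together with `PubkeyAuthentication yes` makes a scripted password run pointless regardless of where it comes from.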