Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 8 Oct 2004 08:40:30 +0300 
From:      JohnsoBS@vicksburg.navy.mil
To:        davemac11@yahoo.com, LukeD@pobox.com
Cc:        freebsd-questions@freebsd.org
Subject:   RE: Protecting SSH from brute force attacks
Message-ID:  <CE2BFBAA80DD874BB737A4E2C53AA44903B0186B@CG69UBD01>

next in thread | raw e-mail | index | archive | help


> -----Original Message-----
> From: Dave McCammon [mailto:davemac11@yahoo.com]
> Sent: Friday, October 08, 2004 4:46 AM
> To: LukeD@pobox.com
> Cc: freebsd-questions@freebsd.org
> Subject: Re: Protecting SSH from brute force attacks
> 
> 
> 
> --- Vulpes Velox <v.velox@vvelox.net> wrote:
> 
> > On Thu, 7 Oct 2004 15:15:25 -0700 (PDT)
> > Luke <luked@pobox.com> wrote:
> > 
> > > There are several script kiddies out there hitting
> > my SSH server
> > > every day.  Sometimes they attempt to brute-force
> > their way in
> > > trying new logins every second or so for hours at
> > a time.  Given
> > > enough time, I fear they will eventually get in.
> > > Is there anything I can do to hinder them?
> > > 
> > > I'd like to ban the IP after 50 failed attempts or
> > something.  I'd
> > > heard that each failed attempt from a source was
> > supposed to make
> > > the daemon respond slower each time, thus limiting
> > the usefulness of
> > > brute force attacks, but I'm not seeing that
> > behavior.
> > 
> > I forget where in /etc it is, but look into setting
> > up something that
> > allows a certian number of failed logins before
> > locking that IP/term
> > out for a few minutes.... and if it is constantly
> > from the same place
> > look into calling their ISP or the like.
> > 
> > Or in a few cases, like I have done in a few cases,
> > and a deny from
> > any to any for that chunk of the net...
> > 
> > man login.conf for more info :)
> > _______________________________________________
> 
> Following the advice from here:
> http://isc.sans.org//diary.php?date=2004-09-11.
> 
> What I did was to only allow access to one machine
> through my firewall for the ssh connections (ipfw
> limit). 2 per source address.
> And, for that one machine, I changed the sshd port to
> a different number. 
> I was getting the same brute force attacks but they
> have dropped to nil since.
> 
> 
I run my public sshd in a jail and close all other ports. I also delete
every binary minus the tools needed to ssh into the host and other jails I
have setup. I ssh to my jail ip's internally and nat ports as needed from
the external. I am pretty secure even if they do gain access to the public
sshd, and I think once they do if ever break into that, the box is fairly
well still secure.

> 
> 
> 		
> _______________________________
> Do you Yahoo!?
> Declare Yourself - Register online to vote today!
> http://vote.yahoo.com
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to 
> "freebsd-questions-unsubscribe@freebsd.org"
> 



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CE2BFBAA80DD874BB737A4E2C53AA44903B0186B>