From owner-freebsd-questions@FreeBSD.ORG Fri Oct 8 05:37:46 2004
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3E79116A4CE; Fri, 8 Oct 2004 05:37:46 +0000 (GMT)
Received: from dnsmail2.ior.navy.mil (nocb.ior.navy.mil [205.56.210.195]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8338043D55; Fri, 8 Oct 2004 05:37:42 +0000 (GMT) (envelope-from JohnsoBS@vicksburg.navy.mil)
Received: from cg69ubd01.vicksburg.navy.mil ([205.95.65.21]) i985ZTFn029523; Fri, 8 Oct 2004 05:35:33 GMT
Received: by CG69UBD01 with Internet Mail Service (5.5.2657.72); Fri, 8 Oct 2004 08:40:35 +0300
From: JohnsoBS@vicksburg.navy.mil
To: davemac11@yahoo.com, LukeD@pobox.com
Cc: freebsd-questions@freebsd.org
Date: Fri, 8 Oct 2004 08:40:30 +0300
Subject: RE: Protecting SSH from brute force attacks
X-Mailer: Internet Mail Service (5.5.2657.72)
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
X-List-Received-Date: Fri, 08 Oct 2004 05:37:46 -0000

> -----Original Message-----
> From: Dave McCammon [mailto:davemac11@yahoo.com]
> Sent: Friday, October 08, 2004 4:46 AM
> To: LukeD@pobox.com
> Cc: freebsd-questions@freebsd.org
> Subject: Re: Protecting SSH from brute force attacks
>
> --- Vulpes Velox wrote:
>
> > On Thu, 7 Oct 2004 15:15:25 -0700 (PDT)
> > Luke wrote:
> >
> > > There are several script kiddies out there hitting my SSH server
> > > every day. Sometimes they attempt to brute-force their way in,
> > > trying new logins every second or so for hours at a time. Given
> > > enough time, I fear they will eventually get in.
> > > Is there anything I can do to hinder them?
> > >
> > > I'd like to ban the IP after 50 failed attempts or something. I'd
> > > heard that each failed attempt from a source was supposed to make
> > > the daemon respond slower each time, thus limiting the usefulness
> > > of brute force attacks, but I'm not seeing that behavior.
> >
> > I forget where in /etc it is, but look into setting up something that
> > allows a certain number of failed logins before locking that IP/term
> > out for a few minutes.... and if it is constantly from the same place,
> > look into calling their ISP or the like.
> >
> > Or in a few cases, like I have done in a few cases, add a deny from
> > any to any for that chunk of the net...
> >
> > man login.conf for more info :)
>
> Following the advice from here:
> http://isc.sans.org//diary.php?date=2004-09-11
>
> What I did was to only allow access to one machine through my firewall
> for the ssh connections (ipfw limit), 2 per source address.
> And, for that one machine, I changed the sshd port to a different
> number.
> I was getting the same brute force attacks, but they have dropped to
> nil since.

I run my public sshd in a jail and close all other ports. I also delete every binary except the tools needed to ssh into the host and the other jails I have set up. I ssh to my jail IPs internally and NAT ports as needed from the external side. I am pretty secure even if they do gain access to the public sshd, and I think that if they ever do break into that, the box is still fairly secure.
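The threshold ban Luke asks for (deny a source address after N failed logins) is not something sshd does on its own; it has to be built from the auth log and the firewall. Below is an added example of that, written for this page and not code posted by anyone in the thread. It assumes OpenSSH's syslog lines as they appear in /var/log/auth.log on FreeBSD, an ipfw firewall, and root privileges to run the generated commands; the sample log lines, the threshold of 3, the rule numbers starting at 1000 and the NEVER_BAN allow-list are all constructed illustrative values (Luke's own figure was 50).

```python
#!/usr/bin/env python3
"""Ban sources with repeated sshd login failures via ipfw.

Added example, not code from this thread. Assumptions: log lines in
OpenSSH's syslog format as found in /var/log/auth.log on FreeBSD, an
ipfw firewall, and root to run the generated commands. The threshold,
rule numbers and the allow-list below are arbitrary illustrative values.
"""
import re
import subprocess
from collections import Counter
from typing import Dict, Iterable, List, Set

# OpenSSH failure lines: the user-name part varies ("illegal user x",
# "root", "invalid user y"), so anchor on the sshd tag and the "from <ip>"
# tail. IPv4 only, matching the 2004 setting of the thread.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: (?:Failed password for|Illegal user|Invalid user) "
    r".*?from (\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sample lines (not from the original posts), using
# documentation address ranges.
SAMPLE_LOG = """\
Oct  8 05:20:01 gw sshd[29112]: Failed password for illegal user test from 192.0.2.5 port 41022 ssh2
Oct  8 05:20:03 gw sshd[29114]: Illegal user guest from 192.0.2.5
Oct  8 05:20:04 gw sshd[29116]: Failed password for root from 192.0.2.5 port 41030 ssh2
Oct  8 05:21:10 gw sshd[29120]: Accepted publickey for luke from 198.51.100.7 port 5022 ssh2
Oct  8 05:22:00 gw sshd[29130]: Failed password for root from 203.0.113.9 port 6001 ssh2
Oct  8 05:22:30 gw sshd[29131]: Failed password for luke from 198.51.100.7 port 5030 ssh2
"""

# Addresses never to ban (e.g. the admin's own host), so a typo in your
# own password cannot lock you out. Hypothetical value.
NEVER_BAN: Set[str] = {"198.51.100.7"}


def count_failures(lines: Iterable[str]) -> Dict[str, int]:
    """Return {source_ip: number_of_failed_logins} for the given log lines."""
    counts: Counter = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return dict(counts)


def offenders(counts: Dict[str, int], threshold: int,
              allow: Set[str] = frozenset()) -> List[str]:
    """Sources at or above the threshold, minus the allow-list, sorted."""
    return sorted(ip for ip, n in counts.items()
                  if n >= threshold and ip not in allow)


def ipfw_deny_commands(ips: Iterable[str], first_rule: int = 1000) -> List[str]:
    """One numbered deny rule per address. The number must sort ahead of
    the rule that allows port 22, otherwise the deny is never reached."""
    return [f"ipfw add {first_rule + i} deny ip from {ip} to any"
            for i, ip in enumerate(ips)]


def ban(ips: Iterable[str], execute: bool = False) -> List[str]:
    """Print the deny commands, or run them when execute=True (needs root)."""
    cmds = ipfw_deny_commands(ips)
    for cmd in cmds:
        if execute:
            subprocess.run(cmd.split(), check=True)
        else:
            print(cmd)
    return cmds


if __name__ == "__main__":
    # Dry run over the constructed sample. Against a real host, read
    # open("/var/log/auth.log") instead and pass execute=True.
    failures = count_failures(SAMPLE_LOG.splitlines())
    ban(offenders(failures, threshold=3, allow=NEVER_BAN))
```

Run from cron, this is the counting side of what Luke wanted; it deliberately counts over the whole file rather than a time window, so the deny rules accumulate until the log rotates and the rule numbers must not collide with an existing ruleset. It complements rather than replaces the ipfw `limit` rule Dave describes, which caps concurrent connections per source before sshd ever sees a password, and does nothing about attackers who spread attempts across many addresses.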