From: "J.D. Bronson"
Date: Fri, 01 Jan 2010 09:07:41 -0600
Subject: Re: Blocking a slow-burning SSH bruteforce
Cc: freebsd-questions@FreeBSD.ORG
Message-ID: <4B3E0FBD.2010605@sbcglobal.net>
In-Reply-To: <4B3E0D11.1080101@pdconsec.net>

On 1/1/10 8:56 AM, David Rawling wrote:
> I tend to think there's not much I can do about this, but I'll ask anyway.
>
> I've implemented sshguard to block the normal bruteforce attacks - which
> seems to be working reasonably well.
>
> However now I have the following:
>
> Jan 1 17:42:52 timeserver sshd[1755]: error: PAM: authentication error for illegal user but from 190.146.246.36
> Jan 1 17:55:09 timeserver sshd[1788]: error: PAM: authentication error for illegal user byung from 212.243.41.9
> Jan 1 18:07:38 timeserver sshd[1809]: error: PAM: authentication error for illegal user cac from 148.233.140.193
> Jan 1 18:20:06 timeserver sshd[1832]: error: PAM: authentication error for illegal user cachou from 121.52.215.180
> Jan 1 18:32:21 timeserver sshd[1851]: error: PAM: authentication error for illegal user calla from 212.243.41.9
> Jan 1 18:44:35 timeserver sshd[1884]: error: PAM: authentication error for illegal user calube from 83.211.160.211
> Jan 1 19:09:12 timeserver sshd[1923]: error: PAM: authentication error for illegal user cancy from 194.51.12.238
> Jan 1 19:21:35 timeserver sshd[1946]: error: PAM: authentication error for illegal user candice from 82.106.226.77
> Jan 1 19:46:12 timeserver sshd[1997]: error: PAM: authentication error for illegal user candyw from 116.55.226.131
>
> Now this seems to me to be a dictionary attack on timeserver, and I'd
> guess that it's a botnet behind it. It's rather sophisticated since it's
> only attempting 1 user and password combination per source - so it's far
> too little to trigger the sshguard rules. Even if it did trigger, it
> wouldn't prevent the attacks.
>
> Apart from switching away from user authentication to private/public
> keys ... is there anything I can do to mitigate these attacks? Any
> advice welcome.
>
> Dave.
>
> --

Few options I can think of in random order... I use #1:

1. Run SSH on an obscure port. Seriously, that's one of the easiest things to do. Since I have done that, I have had ZERO attempts and it works perfectly as long as users know the odd port. In fact, I don't know anyone in our IT circle of friends that runs SSH on port 22.

2. Consider controlling/limiting access via 'pf' if you're running 'pf'. Of course with your examples coming from all different IPs, that's not likely going to help much.

3. Just ignore it - they aren't getting in... similar to spammers being rejected by RBLs... it's traffic, but can't be a whole lot.

4. Limit login time window too... I run a very narrow window of time to login and a LOW number of attempted logins per session.

-JD
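The thread describes the pattern (one or two attempts per source, spread over hours) but neither poster shows how to see it in the host's own logs, or why a per-source blocker misses it. The script below is an added example, not code from either poster, from sshguard or from pf. It parses the nine sshd lines quoted above, emulates a per-source threshold rule (the threshold and window here are assumed values; sshguard's actual settings are not stated on the page) to show that it never fires on this traffic, and then flags the campaign by the signal that survives distribution across sources: many distinct IPs, each well under the per-source threshold, walking through an alphabetically sorted wordlist. The five lines from 10.0.0.5 are constructed to show a conventional single-source burst for contrast, and the year 2010 is assumed because syslog timestamps carry none.

```python
import re
from collections import Counter, defaultdict, namedtuple
from datetime import datetime

Failure = namedtuple("Failure", "ts user ip")
Hit = namedtuple("Hit", "start end attempts sources ordered_fraction")

# Constructed sample input. The nine "illegal user" lines from 17:42 on are the
# ones quoted in the thread; the five 10.0.0.5 lines are made up here to show
# what a conventional single-source burst looks like beside them.
SAMPLE_LOG = """\
Jan  1 03:10:01 timeserver sshd[901]: error: PAM: authentication error for illegal user admin from 10.0.0.5
Jan  1 03:10:09 timeserver sshd[903]: error: PAM: authentication error for illegal user oracle from 10.0.0.5
Jan  1 03:10:18 timeserver sshd[905]: error: PAM: authentication error for illegal user test from 10.0.0.5
Jan  1 03:10:27 timeserver sshd[907]: error: PAM: authentication error for illegal user guest from 10.0.0.5
Jan  1 03:10:36 timeserver sshd[909]: error: PAM: authentication error for illegal user www from 10.0.0.5
Jan  1 17:42:52 timeserver sshd[1755]: error: PAM: authentication error for illegal user but from 190.146.246.36
Jan  1 17:55:09 timeserver sshd[1788]: error: PAM: authentication error for illegal user byung from 212.243.41.9
Jan  1 18:07:38 timeserver sshd[1809]: error: PAM: authentication error for illegal user cac from 148.233.140.193
Jan  1 18:20:06 timeserver sshd[1832]: error: PAM: authentication error for illegal user cachou from 121.52.215.180
Jan  1 18:32:21 timeserver sshd[1851]: error: PAM: authentication error for illegal user calla from 212.243.41.9
Jan  1 18:44:35 timeserver sshd[1884]: error: PAM: authentication error for illegal user calube from 83.211.160.211
Jan  1 19:09:12 timeserver sshd[1923]: error: PAM: authentication error for illegal user cancy from 194.51.12.238
Jan  1 19:21:35 timeserver sshd[1946]: error: PAM: authentication error for illegal user candice from 82.106.226.77
Jan  1 19:46:12 timeserver sshd[1997]: error: PAM: authentication error for illegal user candyw from 116.55.226.131
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: error: PAM: "
    r"authentication error for illegal user (?P<user>\S+) from (?P<ip>\S+)$"
)

LOG_YEAR = 2010  # assumed: syslog timestamps carry no year; the thread is dated 1 Jan 2010


def parse_failures(text):
    """Parse sshd 'illegal user' failures into Failure records, sorted by time.
    Lines that do not match (other sshd messages, other daemons) are ignored."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp = " ".join(m.group("ts").split())  # collapse 'Jan  1' to 'Jan 1'
        ts = datetime.strptime(f"{LOG_YEAR} {stamp}", "%Y %b %d %H:%M:%S")
        out.append(Failure(ts, m.group("user"), m.group("ip")))
    return sorted(out)


def per_source_offenders(failures, threshold=4, window_s=600):
    """Emulate a per-source rule: an IP is flagged once it accumulates
    `threshold` failures within `window_s` seconds. Both values are assumed
    for illustration, not taken from sshguard's configuration."""
    by_ip = defaultdict(list)
    for f in sorted(failures):
        by_ip[f.ip].append(f.ts)
    flagged = set()
    for ip, times in by_ip.items():
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_s:
                flagged.add(ip)
                break
    return flagged


def detect_slow_burn(failures, window_s=3 * 3600, min_sources=5,
                     per_source_threshold=4, min_ordered_fraction=0.8):
    """Flag windows in which at least `min_sources` distinct IPs each stay
    below the per-source threshold while the attempted usernames advance
    through a sorted wordlist. The ordered fraction is a threshold rather
    than a strict check so that a second, interleaved campaign does not
    hide the first. Windows are taken greedily from the first uncovered
    failure; `window_s` is an assumed value."""
    failures = sorted(failures)
    hits, i = [], 0
    while i < len(failures):
        first = failures[i]
        window = [f for f in failures[i:]
                  if (f.ts - first.ts).total_seconds() <= window_s]
        per_ip = Counter(f.ip for f in window)
        users = [f.user for f in window]
        pairs = list(zip(users, users[1:]))
        ordered = sum(a <= b for a, b in pairs) / len(pairs) if pairs else 0.0
        if (len(per_ip) >= min_sources
                and max(per_ip.values()) < per_source_threshold
                and ordered >= min_ordered_fraction):
            hits.append(Hit(first.ts, window[-1].ts, len(window), len(per_ip), ordered))
            i += len(window)  # window is a contiguous prefix of failures[i:]
        else:
            i += 1
    return hits


if __name__ == "__main__":
    fails = parse_failures(SAMPLE_LOG)
    print("per-source offenders:", sorted(per_source_offenders(fails)))
    for h in detect_slow_burn(fails):
        print(f"slow-burn campaign {h.start:%H:%M}-{h.end:%H:%M}: "
              f"{h.attempts} attempts from {h.sources} sources, "
              f"{h.ordered_fraction:.0%} of usernames in wordlist order")
```

Run as is, the per-source rule flags only the constructed 10.0.0.5 burst, while 212.243.41.9, which the quoted log shows twice (byung, then calla, 37 minutes apart), stays under any sane per-source threshold; the campaign detector instead reports one window of 9 attempts from 8 sources with every username in sorted order. To run it over a real host, replace SAMPLE_LOG with the contents of the sshd log (on FreeBSD typically /var/log/auth.log). The output is a detection, not a block: the usernames themselves are the actionable part, since they tell you which accounts the wordlist will reach next, and a single compromised-looking IP in the window is not worth blocking on its own.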