From: Christopher Hilton (chris@vindaloo.com)
Date: Thu, 21 Dec 2006 14:45:38 -0500
To: freebsd-stable@FreeBSD.ORG, suhailc@gmail.com
Subject: Re: Block IP
Message-ID: <458AE462.1020100@vindaloo.com>
In-Reply-To: <200612211533.kBLFXLaW090581@lurza.secnetix.de>

Oliver Fromme wrote:

[ snip ]

> In general that's not a good idea. If you do it wrong, it
> makes DoS attacks against your machine easier (i.e. a clever
> attacker might be able to lock yourself out of your own
> machine). And getting it right is not easy.
>
> The best way to prevent brute-forcing is to use good passwords,
> or -- even better -- don't use passwords at all, but
> key authentication or OTP (SKey / OPIE).
>
> Another thing that you can do is to move the sshd to a
> non-standard port (i.e. something other than 22). Attackers
> who look for machines for brute-forcing usually scan
> networks for port 22 only. However, note that using a
> non-standard port does _not_ make your machine more secure
> (that would rather be "security by obscurity"). It only
> prevents your machine from appearing in standard ssh scans,
> so it gets rid of almost all of the "ssh login failures"
> in your daily run output which result from such attempts.
>

First, I want to second Oliver's advice. If it's at all possible, switch to using public keys for authentication with ssh and disallow password authentication. This completely stops the brute-forcing attacks from filling up your periodic security mail.

Second, and I know that you are using ipfw, I use pf with the following config:

    table <blackhole> persist

    ## Allow people into the ssh server but if they are just wasting my time then
    ## blackhole them.
    block in quick from <blackhole>
    pass in on $ext_if proto tcp to $ext_if port 22 flags S/SA keep state \
        (max-src-conn-rate 5/60, overload <blackhole> flush global)

This automatically adds addresses to the blackhole table if they try to initiate connections to ssh at a rate of more than 5 connects per minute.

Oliver's warning applies here also. Using spoofing, someone could force an arbitrary IP address into the blackhole table and make my life difficult. Awareness of that hole is an important part of using this tactic as a part of your security profile.

-- 
Chris
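As an added illustration (not part of Chris's post or of any FreeBSD configuration), here is one way to keep the overload rule above while limiting the lock-out risk Oliver and Chris describe: addresses you administer from are put in a constant table that is matched first with `quick`, so they never reach the rate-limited rule and can never be added to `<blackhole>` by spoofed SYNs. The interface name `em0` and the addresses in `<trusted>` are constructed placeholders from the documentation ranges; substitute your own.

```pf
# Assumed interface name; replace with your external interface.
ext_if = "em0"

# Constructed example: management hosts/networks that must never be blackholed.
table <trusted> const { 192.0.2.10, 198.51.100.0/24 }

# Sources that exceeded the connection rate; persist keeps the table across reloads.
table <blackhole> persist

# Management sources skip the rate limit entirely (quick: first match wins),
# so a spoofed flood cannot push them into <blackhole>.
pass in quick on $ext_if proto tcp from <trusted> to $ext_if port 22 \
    flags S/SA keep state

# Everyone already in the blackhole table is dropped before anything else.
block in quick on $ext_if from <blackhole>

# Everybody else: more than 5 new connections per 60 seconds from one source
# moves that source into <blackhole> and flushes its existing states.
pass in on $ext_if proto tcp to $ext_if port 22 flags S/SA keep state \
    (max-src-conn-rate 5/60, overload <blackhole> flush global)
```

Because `persist` keeps entries indefinitely, a spoofed entry would otherwise stay until someone notices; running `pfctl -t blackhole -T expire 3600` periodically (for example from cron) removes entries that have been idle for an hour, and `pfctl -t blackhole -T show` lets you check what the rule has collected. The rate limit counts state creations on the initial SYN, which is exactly why a forged source address can be counted against a third party; the `<trusted>` exception bounds what an attacker can do with that, but does not remove it for addresses outside the table.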