Date:      Mon, 29 Sep 2008 20:30:33 -0700
From:      Jeremy Chadwick <koitsu@FreeBSD.org>
To:        Rich Healey <healey.rich@gmail.com>
Cc:        freebsd-hackers@freebsd.org
Subject:   Re: SSH Brute Force attempts
Message-ID:  <20080930033033.GA35849@icarus.home.lan>
In-Reply-To: <48E16E93.3090601@gmail.com>
References:  <48E16E93.3090601@gmail.com>

On Tue, Sep 30, 2008 at 10:10:59AM +1000, Rich Healey wrote:
> Recently I'm getting a lot of brute force attempts on my server, in the
> past I've used various tips and tricks with linux boxes but many of them
> were fairly linux specific.
> 
> What do you BSD guys use for this purpose?

This probably should've gone to -security, correct.

There are 3 ports which people often use for solving this:

ports/security/blocksshd
ports/security/sshblock
ports/security/sshguard-(pf|ipfw|ipfilter)

The latter depends on which firewalling stack you use, and I believe
one of the other two only works with ipfw (I forget which).

I have great reservations using any of these, because they dynamically
add firewalling rules/tables to your machines based on data in log
files.  For me, it smells of an accident waiting to happen.

I'm an advocate of simply blocking large netblocks where most of these
attacks come from (Latin America, eastern Europe, Asia, and Russia).
This requires that you appropriately tune things over time, and *be
intelligent* about what you're doing.  :-)

What we use in our pf.conf on our production systems:

table <ssh-allow> persist file "/conf/ME/pf.conf.ssh-allow"
table <ssh-deny> persist file "/conf/ME/pf.conf.ssh-deny"

block in on $ext_if proto tcp from <ssh-deny> to any port ssh
pass  in on $ext_if proto tcp from <ssh-allow> to any port ssh flags S/SA keep state

pf.conf.ssh-deny contains a list of IPs or CIDRs which are to be
blocked.  I can provide this file if desired.

pf.conf.ssh-allow contains a list of IPs or CIDRs which "override"
blocks in the previous "block" rule.  The reason we have this is due to
one Russian user who wasn't able to SSH into our boxes due to the
previous block rule.

You naturally have to keep pf.conf.ssh-* in sync if you have multiple
machines.  You can use pfsync(4) to accomplish this task (I think), or
you can do it the obvious way (make a central distribution box that
scp/rsync's the files out and runs "/etc/rc.d/pf reload").

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
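Added example (not part of Jeremy's message or of any FreeBSD port): a small POSIX sh helper around the pf table setup described above. It checks every entry in pf.conf.ssh-deny / pf.conf.ssh-allow before pf sees it, since a stray typo in a hand-maintained list is exactly the "accident waiting to happen" a static table is meant to avoid, and then swaps the live table contents with `pfctl -t <table> -T replace -f <file>` instead of reloading the whole ruleset. The table names and file paths are the ones from the message; the IPv4-only check, the `root@host` push over scp/ssh, and the target directory /conf/ME/ are assumptions for the example.

```shell
#!/bin/sh
# Validate and (re)load the static pf tables used to gate SSH.
# Assumed layout, matching the message above:
#   table <ssh-deny>  persist file "/conf/ME/pf.conf.ssh-deny"
#   table <ssh-allow> persist file "/conf/ME/pf.conf.ssh-allow"

# validate_cidr_file FILE
# Accepts blank lines and '#' comments. Every other line must be a dotted
# IPv4 address, optionally with a /0-/32 prefix (IPv4 only by assumption).
# Each bad entry is reported on stderr; returns 0 only if all entries are valid.
validate_cidr_file() {
    awk '
        { sub(/#.*/, ""); gsub(/^[ \t]+/, ""); gsub(/[ \t]+$/, "") }
        /^$/ { next }
        {
            ok = 1
            n = split($0, parts, "/")
            if (n > 2) ok = 0
            if (ok && n == 2 && (parts[2] !~ /^[0-9]+$/ || parts[2] + 0 > 32)) ok = 0
            if (ok) {
                m = split(parts[1], oct, ".")
                if (m != 4) ok = 0
                for (i = 1; ok && i <= 4; i++)
                    if (oct[i] !~ /^[0-9]+$/ || oct[i] + 0 > 255) ok = 0
            }
            if (!ok) {
                printf "%s:%d: bad entry: %s\n", FILENAME, NR, $0 > "/dev/stderr"
                bad++
            }
        }
        END { exit bad > 0 }
    ' "$1"
}

# reload_ssh_tables DENY_FILE ALLOW_FILE
# Validates both lists, then replaces the contents of the two tables in the
# running ruleset. Only the table contents change; the block/pass rules that
# reference them and existing state entries are left alone. Needs root and pf.
reload_ssh_tables() {
    validate_cidr_file "$1" && validate_cidr_file "$2" || return 1
    pfctl -t ssh-deny  -T replace -f "$1" &&
    pfctl -t ssh-allow -T replace -f "$2"
}

# push_ssh_tables DENY_FILE ALLOW_FILE HOST...
# The "central distribution box" approach from the message: copy both files
# to each host and swap the tables there. Validation happens locally first,
# so a broken list is never shipped. root@host and /conf/ME/ are assumed.
push_ssh_tables() {
    deny=$1; allow=$2; shift 2
    validate_cidr_file "$deny" && validate_cidr_file "$allow" || return 1
    for host in "$@"; do
        scp -q "$deny" "$allow" "root@$host:/conf/ME/" &&
        ssh "root@$host" "pfctl -t ssh-deny -T replace -f /conf/ME/$(basename "$deny") &&
                          pfctl -t ssh-allow -T replace -f /conf/ME/$(basename "$allow")" ||
        { echo "push to $host failed" >&2; return 1; }
    done
}

# Usage (on a pf box, as root):
#   . ./pf-ssh-tables.sh
#   reload_ssh_tables /conf/ME/pf.conf.ssh-deny /conf/ME/pf.conf.ssh-allow
#   push_ssh_tables   /conf/ME/pf.conf.ssh-deny /conf/ME/pf.conf.ssh-allow web1 web2
```

`pfctl -T replace` is the documented pfctl(8) table command for swapping a table's address set from a file; it is cheaper and lower-risk than `/etc/rc.d/pf reload` because the ruleset itself is untouched. Keep the allow list reviewed alongside the deny list: an allow entry is an exception to the block rule, so an over-broad CIDR there silently reopens what the deny list closed.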