Date:      Thu, 26 Apr 2007 08:08:52 -0500 (CDT)
From:      "Jeremy C. Reed" <reed@reedmedia.net>
To:        "Chris H." <chris#@1command.com>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: preventing ssh brute force attacks, swatch and users and table
Message-ID:  <Pine.NEB.4.64.0704260802230.23700@glacier.reedmedia.net>
In-Reply-To: <20070425012057.upvt9rld28kwk8sg@webmail.1command.com>
References:  <00b701c7869a$795c0db0$0200a8c0@satellite> <20070425012057.upvt9rld28kwk8sg@webmail.1command.com>

On Wed, 25 Apr 2007, Chris H. wrote:

> You /may/ want to reconsider this policy. I was plagued with dictionary/
> brute force attempts against a couple of my mail servers, which spurred
> me into concocting some method to ease the burden and ultimately defeat
> such attempts. My final solution was a combination of scripts (grep ||
> sed || awk || uniq || sort) run out of cron that parse the maillog
> for patterns that match offenders. It works perfectly (over 7,700 IPs).
> BUT, you should consider, as I did, that many of the offending IPs are
> leased (DHCP) and are only owned/used by the perpetrator for a relatively
> short amount of time, and then they become available and are used by a now
> INNOCENT user. Also, there are those who /do/ own/lease the IPs on
> a longer term basis that have mis-configured boxen which are effectively
> open proxies that are later corrected. So they too are only guilty
> by proxy (sorry, I couldn't resist ;)). Anyway, the point I'm attempting
> to make here is that you should probably consider developing an
> EXPIRE policy for the offending/accumulating IP list. That way, you'll
> be able to DIFF the current against the EXPIRED and gain a more reasonable
> understanding of /which/ IPs are /always/ going to be offenders vs. those
> who were just short term (for whatever reason).
> 
> Just thought I'd mention it.

Since you mentioned "mail" on the pf list, you may want to try spamd's similar 
protection. You can create various spam traps, and they also auto-expire.

Newer spamd (not in FreeBSD ports yet, I think) also has support for a spam 
trap file that lists hostname or domain-name suffixes -- and if the 
recipient doesn't match it, then it traps it also.

It seems like it would be easy to extend spamd by adding a reverse of that 
-- have another file that lists the email address recipients that are 
allowed -- and tarpit any incoming emails that don't match. (On a big mail 
server with aliases and such it may be difficult to keep this list in sync 
so maybe it could be made more intelligent, but this is just an idea.)

  Jeremy C. Reed
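The following is an added example, not code posted by Chris or Jeremy, of the cron-driven pattern Chris describes (log parse -> offender list -> blocklist) combined with the expire policy he asks for, using pf's own table expiry. It assumes a pf table named <bruteforce> that pf.conf already declares with `table <bruteforce> persist` and uses in `block in quick from <bruteforce>`; the failure threshold of 5 and the 24-hour expiry window are arbitrary choices. The sshd log lines are constructed for the demonstration, and pfctl is only invoked when DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not code from the thread. Build a pf blocklist from sshd
# failures and apply an expire policy. Assumptions: pf.conf carries
#   table <bruteforce> persist
#   block in quick from <bruteforce>
# THRESHOLD and EXPIRE_SECS are arbitrary operator choices.

TABLE=bruteforce
THRESHOLD=5
EXPIRE_SECS=86400

# Constructed sample of sshd log lines (not a real capture).
SAMPLE_LOG='Apr 25 01:20:57 mx sshd[1201]: Failed password for root from 192.0.2.10 port 40001 ssh2
Apr 25 01:20:59 mx sshd[1201]: Failed password for root from 192.0.2.10 port 40001 ssh2
Apr 25 01:21:02 mx sshd[1203]: Failed password for invalid user admin from 192.0.2.10 port 40002 ssh2
Apr 25 01:21:04 mx sshd[1203]: Failed password for invalid user admin from 192.0.2.10 port 40002 ssh2
Apr 25 01:21:07 mx sshd[1205]: Failed password for invalid user test from 192.0.2.10 port 40003 ssh2
Apr 25 01:21:09 mx sshd[1205]: Failed password for invalid user test from 192.0.2.10 port 40003 ssh2
Apr 25 01:30:11 mx sshd[1210]: Invalid user oracle from 198.51.100.7
Apr 25 01:30:13 mx sshd[1210]: Failed password for invalid user oracle from 198.51.100.7 port 51000 ssh2
Apr 25 01:30:15 mx sshd[1212]: Failed password for invalid user oracle from 198.51.100.7 port 51001 ssh2
Apr 25 01:30:17 mx sshd[1214]: Failed password for invalid user postgres from 198.51.100.7 port 51002 ssh2
Apr 25 01:30:19 mx sshd[1214]: Failed password for invalid user postgres from 198.51.100.7 port 51002 ssh2
Apr 25 02:10:40 mx sshd[1300]: Failed password for jdoe from 203.0.113.5 port 60000 ssh2
Apr 25 02:10:45 mx sshd[1300]: Accepted password for jdoe from 203.0.113.5 port 60000 ssh2'

# offenders THRESHOLD: read sshd log lines on stdin, print the source
# addresses with at least THRESHOLD failures, one per line, sorted.
# Only "Failed password" and "Invalid user" lines count; the address is
# the word following "from".
offenders() {
    awk -v thr="$1" '
        /sshd\[[0-9]+]: (Failed password|Invalid user)/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { count[$(i + 1)]++; break }
        }
        END { for (ip in count) if (count[ip] >= thr) print ip }
    ' | sort
}

# persistent_offenders CURRENT EXPIRED: the DIFF step from the thread.
# Both arguments are newline-separated address lists; the output is the
# addresses present in both, i.e. hosts that came back after being expired.
persistent_offenders() {
    cur=$(mktemp)
    old=$(mktemp)
    printf '%s\n' "$1" | sort -u > "$cur"
    printf '%s\n' "$2" | sort -u > "$old"
    comm -12 "$cur" "$old"
    rm -f "$cur" "$old"
}

# apply_table: add the addresses on stdin to the pf table, then delete
# entries older than EXPIRE_SECS. pfctl -T expire keys off the time each
# address was added (or last had its statistics cleared), so running this
# from cron yields the self-expiring list Chris describes. With DRY_RUN=1
# (the default) the pfctl commands are printed instead of executed.
apply_table() {
    ips=$(cat)
    run() { if [ "${DRY_RUN:-1}" = 1 ]; then echo "+ $*"; else "$@"; fi; }
    # $ips is deliberately unquoted so each address becomes its own argument.
    [ -n "$ips" ] && run pfctl -t "$TABLE" -T add $ips
    run pfctl -t "$TABLE" -T expire "$EXPIRE_SECS"
}

# Demonstration over the constructed sample.
current=$(printf '%s\n' "$SAMPLE_LOG" | offenders "$THRESHOLD")
echo "offenders (>= $THRESHOLD failures):"
echo "$current"
printf '%s\n' "$current" | apply_table
# EXPIRED would normally be saved from the table before a previous expire run;
# this one is constructed for the demonstration.
EXPIRED='198.51.100.7
203.0.113.99'
echo "back again after expiry:"
persistent_offenders "$current" "$EXPIRED"
```

Run it from cron with `DRY_RUN=0` once the table and block rule are in pf.conf; because `-T add` does not refresh the timestamp of an address that is already in the table, a host that keeps hammering will be expired and re-added on the next run, which is exactly what the `persistent_offenders` comparison is meant to surface.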



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.NEB.4.64.0704260802230.23700>