Date: Fri, 09 Oct 2009 22:56:10 +0100 From: Matthew Seaman <m.seaman@infracaninophile.co.uk> To: Aflatoon Aflatooni <aaflatooni@yahoo.com> Cc: freebsd-questions@freebsd.org Subject: Re: Security blocking question Message-ID: <4ACFB17A.1080400@infracaninophile.co.uk> In-Reply-To: <526808.11391.qm@web56207.mail.re3.yahoo.com> References: <526808.11391.qm@web56207.mail.re3.yahoo.com>
next in thread | previous in thread | raw e-mail | index | archive | help
This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
--------------enig9C0AEC100DF7D6E170A59B84
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: quoted-printable
Aflatoon Aflatooni wrote:
> Hi,
> The production server that has a public IP address has SSH enabled. Thi=
s server is continuously under dictionary attack:
> Oct 8 12:58:40 seven sshd[32248]: Invalid user europa from 83.65.199.9=
1
> Oct 8 12:58:40 seven sshd[32250]: Invalid user hacked from 83.65.199.9=
1
> Oct 8 12:58:40 seven sshd[32251]: Invalid user cop\r from 83.65.199.91=
> Oct 8 12:58:41 seven sshd[32254]: Invalid user gel from 83.65.199.91
> Oct 8 12:58:41 seven sshd[32255]: Invalid user dork from 83.65.199.91
> Oct 8 12:58:41 seven sshd[32258]: Invalid user eva from 83.65.199.91
> Oct 8 12:58:41 seven sshd[32260]: Invalid user hacker from 83.65.199.9=
1
> Oct 8 12:58:41 seven sshd[32261]: Invalid user copila\r from 83.65.199=
=2E91
> Oct 8 12:58:42 seven sshd[32265]: Invalid user dorna from 83.65.199.91=
> Oct 8 12:58:42 seven sshd[32264]: Invalid user gelo from 83.65.199.91
> Oct 8 12:58:42 seven sshd[32268]: Invalid user evara from 83.65.199.91=
> Oct 8 12:58:43 seven sshd[32270]: Invalid user hack from 83.65.199.91
> Oct 8 12:58:43 seven sshd[32271]: Invalid user copil\r from 83.65.199.=
91
> Oct 8 12:58:43 seven sshd[32274]: Invalid user Doubled from 83.65.199.=
91
> Oct 8 12:58:43 seven sshd[32275]: Invalid user gelos from 83.65.199.91=
> Oct 8 12:58:44 seven sshd[32278]: Invalid user eve from 83.65.199.91
>=20
> Is there a way that I could configure the server so that if there are f=
or example X attempts from an IP address then for the next Y hours all th=
e SSH requests would be ignored from that IP address?=20
> There are only a handful of people who have access to that server.
Yes.
In pf.conf:
table <ssh-bruteforce> persist
[...]
block drop in log quick on $ext_if from <ssh-bruteforce>
[...]
pass in on $ext_if proto tcp \
from any to $ext_if port ssh \
flags S/SA keep state \
(max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global)
plus you'll need to add a cron job to clear old entries out of the ssh-br=
uteforce
table after a suitable amount of time has passed. Use expiretable to do
that. Note: in practice I've found that it's a *really good idea* to imp=
lement a=20
SSH whitelist of addresses that will never be bruteforce blocked like thi=
s -- it's=20
very easy to lock yourself out even if everything you're doing is entirel=
y=20
legitimate. Coding that is left as an exercise for the reader.
Cheers,
Matthew
--=20
Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard
Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
Kent, CT11 9PW
--------------enig9C0AEC100DF7D6E170A59B84
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.13 (FreeBSD)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iEYEAREIAAYFAkrPsYIACgkQ8Mjk52CukIwajwCfZZhDelEGssBatthjiqRP0RkU
h4EAn1FTIKItJr+8oQn9YPzsBdI27hjP
=tsUf
-----END PGP SIGNATURE-----
--------------enig9C0AEC100DF7D6E170A59B84--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4ACFB17A.1080400>