Date: Sun, 12 Nov 2006 22:05:28 -0800
From: "Leo L. Schwab" <ewhac@best.com>
To: freebsd-questions@freebsd.org
Subject: Blocking SSH Brute-Force Attacks: What Am I Doing Wrong?
Message-ID: <20061113060528.GA7646@best.com>
I recently installed FreeBSD 6.1 on my gateway. It replaced an installation of FreeBSD 4.6.8 (fresh install, not an upgrade) on which I had disabled the SSH server. Since all the bugs in SSH are fixed now ( :-) ), I thought I'd leave the server on, and am somewhat dismayed to discover that I now get occasional brute-force/dictionary attacks on the port.

A little Googling revealed a couple of potentially useful tools: 'sshit' and 'bruteblock', both of which notice repeated login attempts from a given IP address and blackhole it in the firewall.

I first tried 'sshit', but after a couple of days, I noticed in my daily reports that I was still getting lengthy brute-force attempts, suggesting that 'sshit' was not working. So I uninstalled 'sshit' and installed 'bruteblock'. But again, a couple of days later, the logs showed lengthy brute-force attempts going unblocked.

The relevant lines from my /etc/syslog.conf file are:

----
auth.info;authpriv.info                 /var/log/auth.log
auth.info;authpriv.info                 | exec /usr/local/sbin/bruteblock -f /usr/local/etc/bruteblock/ssh.conf
----

Any hints as to what I might be doing wrong?

Thanks,
Schwab
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20061113060528.GA7646>
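The detection logic that tools such as sshit and bruteblock sit behind the syslog pipe above to perform, as an added example that is not part of the original post and not either tool's own code. It reads sshd "Failed password" lines of the form syslog writes at auth.info, keeps a sliding window of failures per source address, and emits the ipfw table command that would blackhole the address once the threshold is crossed (plus the matching delete once the block expires). The threshold of 5 failures in 60 seconds, the one-hour block lifetime, ipfw table number 1, and the sample log lines are all assumptions constructed for the example; blocking only takes effect if a rule such as `ipfw add deny ip from table(1) to me 22` references that table, which the script does not install. Commands are returned rather than executed so the script runs offline.

```python
import re
import sys
from collections import defaultdict, deque
from datetime import datetime

# OpenSSH failure lines as syslog records them at auth.info (the timestamp
# carries no year, so one is supplied when parsing). Matches both
# "Failed password for root from ..." and
# "Failed password for invalid user admin from ...".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed (?:password|publickey|keyboard-interactive/pam) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse_ts(ts, year=2006):
    """Turn a syslog timestamp ("Nov 13 01:02:03") into a datetime; year is assumed."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


class BlockDetector:
    """Sliding-window counter: block an IP after `threshold` failures within `window` seconds.

    Table number, threshold, window and block lifetime are illustrative defaults,
    not bruteblock's or sshit's configuration.
    """

    def __init__(self, threshold=5, window=60, table=1, block_ttl=3600):
        self.threshold = threshold
        self.window = window
        self.table = table
        self.block_ttl = block_ttl
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.blocked = {}                   # ip -> datetime the block was added

    def feed(self, line):
        """Consume one log line; return an ipfw command if this line triggers a block."""
        m = FAILED_RE.match(line)
        if not m:
            return None
        ip, now = m.group("ip"), parse_ts(m.group("ts"))
        if ip in self.blocked:
            return None
        q = self.failures[ip]
        q.append(now)
        # Drop failures that fell out of the window (q always holds `now`, so this ends).
        while (now - q[0]).total_seconds() > self.window:
            q.popleft()
        if len(q) >= self.threshold:
            self.blocked[ip] = now
            del self.failures[ip]
            return f"ipfw table {self.table} add {ip}"
        return None

    def expire(self, now):
        """Return delete commands for blocks older than block_ttl and forget them."""
        cmds = []
        for ip, since in list(self.blocked.items()):
            if (now - since).total_seconds() >= self.block_ttl:
                del self.blocked[ip]
                cmds.append(f"ipfw table {self.table} delete {ip}")
        return cmds


def run(lines, detector):
    """Feed every line through the detector and collect the block commands."""
    return [cmd for cmd in (detector.feed(line) for line in lines) if cmd]


# Constructed sample log: a dictionary attack from 10.0.0.5 (six failures in 12 s),
# a single failure from 192.0.2.9, a legitimate key login, and five failures from
# 198.51.100.4 spaced 30 s apart, which never reach 5 inside any 60 s window.
SAMPLE_LOG = """\
Nov 13 01:02:03 gw sshd[4011]: Failed password for invalid user admin from 10.0.0.5 port 40211 ssh2
Nov 13 01:02:05 gw sshd[4011]: Failed password for invalid user admin from 10.0.0.5 port 40211 ssh2
Nov 13 01:02:07 gw sshd[4014]: Failed password for invalid user test from 10.0.0.5 port 40213 ssh2
Nov 13 01:02:08 gw sshd[4016]: Failed password for root from 192.0.2.9 port 51000 ssh2
Nov 13 01:02:09 gw sshd[4017]: Accepted publickey for schwab from 198.51.100.7 port 53222 ssh2
Nov 13 01:02:10 gw sshd[4018]: Failed password for root from 10.0.0.5 port 40220 ssh2
Nov 13 01:02:12 gw sshd[4019]: Failed password for invalid user oracle from 10.0.0.5 port 40222 ssh2
Nov 13 01:02:15 gw sshd[4020]: Failed password for invalid user guest from 10.0.0.5 port 40225 ssh2
Nov 13 01:03:00 gw sshd[4025]: Failed password for root from 198.51.100.4 port 6000 ssh2
Nov 13 01:03:30 gw sshd[4026]: Failed password for root from 198.51.100.4 port 6001 ssh2
Nov 13 01:04:00 gw sshd[4027]: Failed password for root from 198.51.100.4 port 6002 ssh2
Nov 13 01:04:30 gw sshd[4028]: Failed password for root from 198.51.100.4 port 6003 ssh2
Nov 13 01:05:00 gw sshd[4029]: Failed password for root from 198.51.100.4 port 6004 ssh2
""".splitlines()


if __name__ == "__main__":
    # With no arguments, behave like a syslog pipe target and read lines from stdin;
    # with "--demo", run the constructed sample instead.
    source = SAMPLE_LOG if "--demo" in sys.argv else sys.stdin
    for cmd in run(source, BlockDetector()):
        print(cmd)
```

Run with `python3 blocker.py --demo` to see the single `ipfw table 1 add 10.0.0.5` the sample produces; the slow attacker at 198.51.100.4 stays under the window threshold, which is the trade-off any window-based blocker makes. Hooked to syslog it would read `sys.stdin` instead, and a `| exec` syslog entry that never delivers lines to that stdin is the first thing to check when a blocker of this kind appears not to work: `tail -f /var/log/auth.log | python3 blocker.py` exercises the same code path by hand.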