View Single Post
Old 10th January 2010
J65nko J65nko is offline
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,544

In the beginning of I refer to a discussion on the FreeBSD mailing list. IIRC somebody posted a perl program to do something with the IP addresses of those SSH hammerers.

Some time ago I read an analysis of these SSH probes. There are two stages. In stage one, bots scans network blocks for open SSH ports 22. Then after distributing the addresses found, bots are starting to do these ssh login probes in the second stage.

So simply moving your incoming SSH LISTEN port to something else than the default port 22, will usually save you from being probed in stage two.

Previously a single bot, and thus a single IP address, probed several login names and passwords in a row. So in the past you could block multiple failed connection attempts from a single IP address.

Nowadays a couple of coordinated bots each probe a single name/password . So now each individual probe use a different IP address.

And because you don't want to automatically blacklist an IP address because of one failed login attempt, dealing with these idiots has becoming more challenging.
How would you like it if gmail would block you for one single mistyped password?

My tips:
  • move incoming ssh to a different port
  • Use public key authorization
  • If you cannot use publick keys, use non-English login names.
    I have never seen logs where these bots use names like 'Guillaume , Didier, Dieter, Jan-Peter, Wouter, Isidoor, Henk or Sven.
  • Or for more complexity add underscores "_" , numbers or dashes '-' to the names.
    If these bots cannot guess the right names, they already stand no chance.
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote