DaemonForums  

#1
19th July 2012
kallistoteles (New User)
massive ssh login attempts

Hi

When I check my authlog it's filled with ssh login attempts, mostly from China and Malaysia. It constantly fills up with failed logins for different random users including root. I think it's around 600/day...

Is this normal for a home server?
It's an OpenBSD 5.1 box. What are your thoughts on the best way to protect your server from these massive attacks? Should I block IP addresses with more than 3 attempts for 24 hours?

#2
19th July 2012
jggimi (More noise than signal)

Perfectly normal.

I block 3 attempts in 30 seconds, do not allow root login, and do not allow password authentication.

#3
19th July 2012
ocicat (Administrator)

Quote:
Originally Posted by kallistoteles
It constantly fills up with failed logins for different random users including root. I think it's around 600/day...

It is most likely a dictionary attack. Someone has assembled a list of "common" account names, & by brute force is determining whether any accounts on your system are so named. If an account is found, it will then attempt to open the account with "common" passwords.

One of the things this sort of act proves is that as a sysadmin, you should ensure that common passwords are being used on your system(s). Dissuading use of common account names isn't such a bad idea either.

#4
19th July 2012
J65nko (Administrator)

Follow the recommendation of jggimi, and also change ssh to listen on a different port.
This will stop almost all these login attempts.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump

#5
20th July 2012
kallistoteles (New User)
Thanks!

I have already disabled root logins (by default), so next will be to disable password authentication.
It feels good to know that this is normal, but I feel like a teenager by saying that!

#6
20th July 2012
jggimi (More noise than signal)

How appropriate you feel that way. These are just script kiddies attacking you.

#7
21st July 2012
kallistoteles (New User)
solution

So the solution also became a script running every 10 minutes:
Code:
# Collect source IPs with 10 or more failed sshd logins in the current authlog
grep "sshd" /var/log/authlog | grep -i "failed" | rev | cut -d' ' -f 4 | grep '[.]' | rev | sort | uniq -c | awk '{ if ($1 >= 10) print $2 }' > /etc/ssh_block
and pf is checking this file... pf.conf:
Code:
table <ssh_block> persist file "/etc/ssh_block"

block drop in from <ssh_block> to any
The authlog is rotated weekly, so this means that every IP that makes 10 or more failed ssh logins during a week is blocked.

#8
21st July 2012
denta (Fdisk Soldier)

I suggest dropping that script and using an "overload <ssh_block>" state option in pf.conf. See pf.conf(5) for details, and probably a bunch of other posts here on this forum too. It's a really, really good feature to add to your skillset, imho.
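
Added example, not part of the thread: a pf.conf fragment that combines the "3 attempts in 30 seconds" figure from post #2 with the overload state option mentioned in post #8. The egress interface group, the 24-hour expiry (taken from the original question) and the crontab line are assumptions, and the sshd_config directives are shown as comments because they belong in a different file.

```conf
# /etc/pf.conf fragment (added example; interface group and thresholds are assumptions)

# Table filled by pf itself; "persist" keeps it even when it is empty.
table <ssh_block> persist

# Drop everything from addresses already in the table; "quick" stops rule
# evaluation here so the pass rule below never sees them.
block drop in quick from <ssh_block>

# Allow ssh, but track each source address:
#   max-src-conn-rate 3/30  more than 3 new connections within 30 seconds trips the limit
#   overload <ssh_block>    the offending source address is added to the table
#   flush global            all existing states from that address are killed at once
pass in on egress inet proto tcp to port ssh flags S/SA keep state \
    (max-src-conn-rate 3/30, overload <ssh_block> flush global)

# root's crontab (assumed schedule): drop table entries older than 24 hours
# (86400 seconds) so a block is temporary.
#   0 * * * * /sbin/pfctl -t ssh_block -T expire 86400

# /etc/ssh/sshd_config, for the other two measures from post #2:
#   PermitRootLogin no
#   PasswordAuthentication no
#   ChallengeResponseAuthentication no   # otherwise keyboard-interactive still accepts passwords
```

The rate limit counts completed TCP connections, not failed logins, so a legitimate client that opens several sessions in quick succession is added to the table as well. `pfctl -t ssh_block -T show` lists the current entries and `pfctl -t ssh_block -T delete <address>` removes one.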