Welcome to the Internet
Any system that's online for long periods of time will be a target for these types of automated attacks. It's impossible to stop them all; you could sit at your system reporting each attacking IP for years and it wouldn't help much. They're usually exploited systems running large scans against a certain range of addresses. There are ways to make you look less favourable, i.e. enabling a firewall. pf is my recommendation in this case: only allow connections to port 22 from trusted clients. You might not know the IP of every location you'll be connecting from, so a less annoying method would be running SSH on a different port number; if anything it'll stop 95% of the automated skiddies out there. Good luck.
The port range is an unsigned 16-bit integer, so 2^16-1 = 65535; numbering starts at 0, and anything <= 1024 is reserved for root services.
What port should you use? Anything that doesn't conflict with another service running on your gateway... Personally, I think you should learn to get along with pf... it can be a very beneficial friend.
OK, good, I'll do that.
Hehe, yes, I know that pf is a nice, powerful application, but at the moment I have a lot of work with study... but I believe some day I'll become friends with pf. Have a nice day, Jurif
You can and maybe should also restrict ssh access from all but a few known IP addresses and certainly limit the users allowed to ssh in. If you do those 2 things as well as changing to a higher, random, port you can greatly cut down on these brute force attempts. You should probably also disable root login and force version 2 while you're at it.
Oh, and in case the point has not yet been impressed, use a really hard password for SSH like H98^f#juW!d@eepL&
There has been software developed to help stop all kinds of brute force attacks so long as they are logged. Ossec HIDS is one of them, I use it because it bans about 100 infected hosts a day. It must save me a ton of bandwidth.
I recently installed sshguard from ports... it will do a perfect job for such "random" attacks. It reads the system log and adds a firewall rule (it supports ipfw, pf, etc.) blocking the attacking IP. In my case I installed security/sshguard-ipfw. There was almost nothing to configure... it just works :)
Last edited by edhunter; 29th September 2008 at 09:28 PM.
Maybe if OP tries any of the port suggestions he'll follow up on this thread.
__________________
Kill your t.v.
Hmm... you should really just use pf. :P
With pf you can specify that if somebody tries to connect to your machine X times in Y seconds, pf will block it from there on. E.g. with 3 lines of code, I can make it so anyone can connect to my server by default, and allow all outgoing connections:

    table <brute> persist
    block in
    pass in from !<brute> keep state (max-src-conn 50, max-src-conn-rate 50/5, overload <brute> flush global)
    pass out

Anyone who tries to make 50 new connections in 5 seconds will be blocked by pf automatically (max-src-conn-rate 50/5), and the same if they make more than 50 connections at any one time (max-src-conn 50). Of course you will need to adjust these accordingly. And yeah, if you just copy and paste those 3 lines into /etc/pf.conf and turn on pf, it should just work. Look at http://www.bgnett.no/~peter/pf/en/bruteforce.html for more details.
__________________
She sells C shells by the seashore.
Last edited by Sunnz; 13th June 2009 at 06:06 AM.
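The log-reading step that sshguard and OSSEC automate, and the pf table the rules above overload into, as an added example that is not from any poster in this thread. It assumes a pf table named brute (taken from the rules above) and works on constructed sshd log lines embedded in the script.

```shell
#!/bin/sh
# Added example, not from any poster in this thread: the log-reading step that
# sshguard and OSSEC automate, done by hand so the logic is visible. Failed
# password and invalid-user lines are counted per source address, and any
# source over the threshold is turned into a pfctl command for a table named
# <brute> (the table name follows the pf rules quoted above; assumption).

# Constructed sample lines in OpenSSH syslog format; not real traffic.
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
Sep 29 21:01:02 gw sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Sep 29 21:01:04 gw sshd[1203]: Failed password for invalid user oracle from 203.0.113.7 port 51240 ssh2
Sep 29 21:01:05 gw sshd[1205]: Failed password for root from 203.0.113.7 port 51250 ssh2
Sep 29 21:01:09 gw sshd[1207]: Invalid user test from 203.0.113.7
Sep 29 21:02:10 gw sshd[1210]: Failed password for jurif from 192.0.2.20 port 40001 ssh2
Sep 29 21:02:30 gw sshd[1212]: Accepted publickey for jurif from 192.0.2.20 port 40002 ssh2
Sep 29 21:03:00 gw sshd[1214]: Failed password for invalid user guest from 198.51.100.9 port 33001 ssh2
Sep 29 21:03:01 gw sshd[1215]: Failed password for invalid user guest from 198.51.100.9 port 33002 ssh2
EOF

# list_offenders LOGFILE THRESHOLD
# Prints "IP count" for every source with at least THRESHOLD failures, highest
# count first. Accepted logins never count, so a legitimate user with one typo
# (192.0.2.20 above) stays below a sane threshold.
list_offenders() {
    awk -v min="$2" '
        /sshd\[[0-9]+\]: (Failed password|Invalid user)/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END {
            for (ip in fails)
                if (fails[ip] >= min) print ip, fails[ip]
        }' "$1" | sort -k2,2nr -k1,1
}

# block_commands LOGFILE THRESHOLD
# Emits the pfctl invocation that would add each offender to the <brute> table.
# It prints the commands instead of running them; pipe into sh on the gateway.
block_commands() {
    list_offenders "$1" "$2" | while read -r ip _; do
        echo "pfctl -t brute -T add $ip"
    done
}

list_offenders "$SAMPLE_LOG" 3    # 203.0.113.7 4
block_commands "$SAMPLE_LOG" 3    # pfctl -t brute -T add 203.0.113.7
```

Point it at /var/log/auth.log (or wherever syslog sends sshd messages) instead of the constructed file to see the same counts for a real host.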
A couple of other things I'd suggest looking into are BruteBlock (/usr/ports/security/bruteblock) and/or Snort (/usr/ports/security/snort and/or /usr/ports/security/snort_inline) to automagically update your kernel's packet filtering when the attacks start coming in. Snort and Snort-inline are very powerful and can help to identify and block much more than just SSH brute-force attacks, too.
Going off topic a bit here but the amount of free help that people are willing to volunteer their time to give on this forum is pretty inspiring
I see a lot of people advising ports to combat the SSH brute force attacks. There are much simpler ways:
- use /etc/hosts.allow
- if you want to have ssh open for all, use ssh keys and empty the passwords in your master.passwd (replace the hash with '*') - that makes it impossible for anyone to brute force anything, because there are no passwords.
- /etc/ssh/sshd_config gives you some options too: AllowUsers, AllowGroups, also in a format like user@192.168.1.1 to allow 'user' to connect only from 192.168.1.1
Cheers!
Emptying passwords from master.passwd would mean that no one could log in to your box from the console, and would disable use of sudo too. I guess if it is a colo'd box, that wouldn't matter much, but I prefer being able to log in at the console.
A simpler way would be to disable password and keyboard-interactive logins in sshd.conf. It also wouldn't affect the main problem with brute-force login attempts: log file pollution. I've yet to have a brute-forceeteer target a valid login on my boxes!
__________________
The only dumb question is a question not asked. The only dumb answer is an answer not given.
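A check for the sshd settings discussed in the last few posts (non-default port, protocol 2 only, no root login, no password or keyboard-interactive authentication, an AllowUsers list), as an added example that is not from any poster in this thread. The two sshd_config files it audits are constructed; the keyword defaults it falls back on are the OpenSSH ones.

```shell
#!/bin/sh
# Added example, not from any poster in this thread: audit a sshd_config for
# the settings recommended above. Both config files are constructed.
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
cat >"$WEAK_CFG" <<'EOF'
# constructed: stock-looking config that leaves every weak default in place
#Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
EOF
cat >"$HARD_CFG" <<'EOF'
# constructed: the same host after following the thread's advice
Port 2222
Protocol 2
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowUsers jurif@192.0.2.20
EOF

# sshd_value FILE KEYWORD: first uncommented occurrence wins, as sshd does.
# An absent keyword falls back to the OpenSSH default where that default is
# the permissive one (port 22; root login, password and challenge-response on).
sshd_value() {
    v=$(awk -v k="$2" '$1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }' "$1")
    [ -n "$v" ] && { echo "$v"; return 0; }
    case "$2" in
        Port) echo 22 ;;
        PermitRootLogin|PasswordAuthentication|ChallengeResponseAuthentication) echo yes ;;
        *) echo "" ;;
    esac
}
# audit FILE: one finding per line; no output means the config follows the advice.
audit() {
    f="$1"
    [ "$(sshd_value "$f" Port)" = 22 ] && echo "Port 22: the default port every scanner tries first"
    [ "$(sshd_value "$f" Protocol)" = 2 ] || echo "Protocol not pinned to 2"
    [ "$(sshd_value "$f" PermitRootLogin)" = no ] || echo "PermitRootLogin is not 'no'"
    [ "$(sshd_value "$f" PasswordAuthentication)" = yes ] && echo "PasswordAuthentication yes: password guessing is possible"
    [ "$(sshd_value "$f" ChallengeResponseAuthentication)" = yes ] && echo "ChallengeResponseAuthentication yes: keyboard-interactive still prompts for a password"
    [ -n "$(sshd_value "$f" AllowUsers)" ] || echo "No AllowUsers: every local account is a login target"
    return 0
}
audit "$WEAK_CFG"    # six findings
audit "$HARD_CFG"    # no output
```

Run audit against /etc/ssh/sshd_config to see which of the thread's recommendations a live host is missing.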
Just MHO, but I don't see many fewer attacks by changing the SSH port. They scan anything that's open and sooner or later they will find it.
If you don't want to dive into pf with both feet, try pfSense. I run all my gateway boxes on it because I have a Windoze admin that needs to change firewall rules every now and then, and it has a web interface that is really nice. If you want to then look at the rules to learn, you can still get a console and take a peek. I don't run anything other than pf and it has never let me down OR let anyone in without any other tools being loaded. -Tim
TarPits
I've seen some suggestions before that a TarPit (http://labrea.sourceforge.net/labrea-info.html) might be a solution worth looking into. The basic idea behind it, as explained to me, is to take the attempted connection and hold it open as long as possible, to slow down the hack attempt. Of course the thinking behind this is that a given host can only attempt a finite number of connections. The TarPits generally attempt to keep the connections open by sending junk data back to the host on the other end at the slowest rate possible, to minimize your own bandwidth consumption.
I have not tried this yet myself, though I may go for it the next time my system is on the receiving end of a distributed attempt.
You should use pf. And also it seems to say here that you can use DenyHosts on FreeBSD. This is an application for protecting an ssh daemon that still has password authentication enabled (for some quirky reason, like logging in from an iPhone?). Better still, you could just copy your ssh private key onto read-only media and then you could use it with all the hosts you connect from. Sorry if I'm totally off the mark; I didn't read the whole thread, I just read the initial question.
I hope the malness maelstrom doesn't get you