DaemonForums, FreeBSD Security (Securing FreeBSD)

Thread: ssh brute force attacks

#1, 25th September 2008, sniper007 (Real Name: Jurif; Slovenia)

Hi everyone!

I have a problem every day with brute force attacks on my home fbsd box.

dmesg -a looks like:

Code:
Sep 25 13:44:37 fbsd1 sshd[4374]: error: PAM: authentication error for illegal user amelia from e210255180014.ec-userreverse.dion.ne.jp
Sep 25 13:45:36 fbsd1 sshd[4410]: error: PAM: authentication error for illegal user jada from mvx-200-196-50-62.mundivox.com
Sep 25 13:49:09 fbsd1 sshd[4553]: error: PAM: authentication error for illegal user autumn from 81.80.90.88
Sep 25 13:50:05 fbsd1 sshd[4589]: error: PAM: authentication error for illegal user mary from 88-149-158-50.vps.virtuo.it
Sep 25 13:51:17 fbsd1 sshd[4616]: error: PAM: authentication error for illegal user amber from 218.202.106.171
Sep 25 13:52:51 fbsd1 sshd[4673]: error: PAM: authentication error for illegal user danielle from static-71-242-245-111.phlapa.east.verizon.net
Sep 25 13:55:32 fbsd1 sshd[4808]: error: PAM: authentication error for illegal user aidan from 88.146.223.210
Sep 25 13:57:27 fbsd1 sshd[4855]: error: PAM: authentication error for illegal user matthew from static-71-242-245-111.phlapa.east.verizon.net
Sep 25 13:59:16 fbsd1 sshd[4958]: error: PAM: authentication error for illegal user joshua from 200141223099.user.veloxzone.com.br
Sep 25 14:00:08 fbsd1 sshd[5006]: error: PAM: authentication error for illegal user ryan from port668.ds1-oebr.adsl.cybercity.dk
Sep 25 14:01:02 fbsd1 sshd[5033]: error: PAM: authentication error for illegal user michael from 212.91.188.165
Sep 25 14:01:59 fbsd1 sshd[5056]: error: PAM: authentication error for illegal user zachary from 201.161.28.9
Sep 25 14:02:59 fbsd1 sshd[5108]: error: PAM: authentication error for illegal user tyler from 200.2.114.175
Sep 25 14:03:54 fbsd1 sshd[5166]: error: PAM: authentication error for illegal user dylan from 189.34.112.163
Sep 25 14:04:47 fbsd1 sshd[5192]: error: PAM: authentication error for illegal user andrew from 201.2.56.34
Sep 25 14:05:48 fbsd1 sshd[5221]: error: PAM: authentication error for illegal user connor from 211.94.209.19
Sep 25 14:06:41 fbsd1 sshd[5248]: error: PAM: authentication error for illegal user jack from 218.202.106.171
Sep 25 14:07:44 fbsd1 sshd[5293]: error: PAM: authentication error for illegal user christopher from 189.36.160.62
Sep 25 14:09:30 fbsd1 sshd[5378]: error: PAM: authentication error for illegal user alexander from pd907ee1e.dip0.t-ipconnect.de
Sep 25 14:11:22 fbsd1 sshd[5447]: error: PAM: authentication error for illegal user jayden from 201.28.119.60
Sep 25 14:17:15 fbsd1 sshd[5660]: error: PAM: authentication error for illegal user william from 200.58.202.45
Sep 25 14:18:02 fbsd1 sshd[5704]: error: PAM: authentication error for illegal user anthony from 80.246.248.38
Sep 25 14:22:53 fbsd1 sshd[5890]: error: PAM: authentication error for illegal user justin from 202.181.164.115
Sep 25 14:23:49 fbsd1 sshd[5959]: error: PAM: authentication error for illegal user brandon from 148.243.156.138
This box is a gateway and doesn't have any firewall. Please suggest to me which is the best and easiest way to prevent these illegal attempts on my box. Maybe snort or something similar?

All the best,

Sniper
#2, 25th September 2008, BSDfan666 (Ontario, Canada)

Welcome to the Internet

Any system that's online for long periods of time will be a target for these types of automated attacks.

It's impossible to stop them all; you could sit at your system reporting each attacking IP for years and it wouldn't help much. They're usually exploited systems running large scans against a certain range of addresses.

There are ways to make you look less favourable, i.e. enabling a firewall. pf is my recommendation in this case: only allow connections to port 22 from trusted clients. You might not know the IP of every location you'll be connecting from, so a less annoying method would be running SSH on a different port number; if anything it'll stop 95% of the automated skiddies out there.

Good luck.
#3, 25th September 2008, sniper007

Thanks for the quick reply.

So changing the ssh port is a really nice idea, because pf is not my friend.

Are there any limits on which port I choose?
#4, 25th September 2008, BSDfan666

The port range is an unsigned 16-bit integer, so 2^16-1 = 65535; numbering starts at 0, and anything <= 1024 is reserved by root services.

What port should you use? Anything that doesn't conflict with another service running on your gateway.

Personally, I think you should learn to get along with pf... it can be a very beneficial friend.
#5, 25th September 2008, sniper007

OK, good, I'll do that.

Quote:
Originally Posted by BSDfan666
Personally, I think you should learn to get along with pf... it can be a very beneficial friend.

hehe, yes, I know that pf is a nice, powerful application, but at the moment I have a lot of work with study... but I believe some day I'll become friends with pf.


Have a nice day,

Jurif
#6, 25th September 2008, dk_netsvil (Real Name: Devon; New York)

You can, and maybe should, also restrict ssh access from all but a few known IP addresses, and certainly limit the users allowed to ssh in. If you do those 2 things as well as changing to a higher, random port, you can greatly cut down on these brute force attempts. You should probably also disable root login and force version 2 while you're at it.

Oh, and in case the point has not yet been impressed, use a really hard password for SSH like H98^f#juW!d@eepL&
#7, 25th September 2008, harisman (Hellas (Greece))

Just install denyhosts from the ports collection.

Also check the related thread
#8, 25th September 2008, sniper007

Thanks a lot, all!
#9, 25th September 2008, chris (United Kingdom)

There has been software developed to help stop all kinds of brute force attacks, so long as they are logged. OSSEC HIDS is one of them; I use it because it bans about 100 infected hosts a day. It must save me a ton of bandwidth.
29th September 2008, edhunter (Real Name: Georgi Iovchev; Sofia, Bulgaria)

I recently installed sshguard from ports... it will do a perfect job for such "random" attacks. It reads the system log and adds a firewall rule (it supports ipfw, pf, etc.) blocking the attacking IP. In my case I installed security/sshguard-ipfw. There was almost nothing to configure... it just works :)

29th September 2008, anomie (Texas)

Quote:
Originally Posted by edhunter
I recently installed from ports sshguard
Not to go on a tangent, but I just checked its project page. Supports whitelisting, supports iptables/pf/ipfw/et al., written in C. Not bad.

Maybe if the OP tries any of the ports suggestions he'll follow up on this thread.
__________________
Kill your t.v.
2nd October 2008, Sunnz

Hmm... you should really just use pf. :P

With pf you can specify that if somebody tries to connect to your machine X times in Y seconds, pf will block it from there on.

E.g. with 3 lines of code, I can make it so anyone can connect to my server by default, and allow all outgoing connections:

Code:
table <brute> persist
block in
pass in from !<brute> keep state (max-src-conn 50, max-src-conn-rate 50/5, overload <brute> flush global)
pass out

Anyone who tries to make 50 new connections in 5 seconds will be blocked by pf automatically (max-src-conn-rate 50/5), and the same if they make more than 50 connections at any one time (max-src-conn 50). Of course you will need to adjust these accordingly.

And yeah, if you just copy and paste those 3 lines into /etc/pf.conf and turn on pf, it should just work.

Look at http://www.bgnett.no/~peter/pf/en/bruteforce.html for more details.
__________________
She sells C shells by the seashore.
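As an added example (not code from Sunnz's post or anyone else's in this thread), the script below counts the "PAM: authentication error" lines in the format the OP's dmesg shows, per source, and lists the sources at or above a threshold. The log lines, their addresses and the threshold are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: summarise sshd PAM failures per source
# and list the sources over a threshold. The log lines below are constructed
# in the OP's dmesg format; the addresses are documentation ranges, not the
# hosts in the original post.

SAMPLE_LOG='Sep 25 13:44:37 fbsd1 sshd[4374]: error: PAM: authentication error for illegal user amelia from 192.0.2.10
Sep 25 13:45:36 fbsd1 sshd[4410]: error: PAM: authentication error for illegal user jada from 192.0.2.10
Sep 25 13:49:09 fbsd1 sshd[4553]: error: PAM: authentication error for illegal user autumn from 198.51.100.7
Sep 25 13:50:05 fbsd1 sshd[4589]: error: PAM: authentication error for illegal user mary from 192.0.2.10
Sep 25 13:51:17 fbsd1 sshd[4616]: Accepted publickey for jurif from 203.0.113.9 port 51234 ssh2
Sep 25 13:52:51 fbsd1 sshd[4673]: error: PAM: authentication error for illegal user amber from 198.51.100.7
Sep 25 13:55:32 fbsd1 sshd[4808]: error: PAM: authentication error for illegal user aidan from 192.0.2.10
Sep 25 13:57:27 fbsd1 sshd[4855]: error: PAM: authentication error for illegal user matt from 203.0.113.200'

# count_failures < LOG: print "count source" for each source, most frequent first.
# Only sshd PAM failures are counted; the successful publickey login is ignored.
count_failures() {
    awk '/sshd\[[0-9]+\]: error: PAM: authentication error for .* from / { print $NF }' \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# offenders THRESHOLD < LOG: sources with at least THRESHOLD failures, one per line
offenders() {
    count_failures | awk -v t="$1" '$1 >= t { print $2 }'
}

# Example run: sources with three or more failed attempts. On the OP's gateway this
# output could be added to Sunnz's <brute> table with "pfctl -t brute -T add ADDR";
# for that, sshd has to log addresses rather than reverse-DNS names (UseDNS no).
printf '%s\n' "$SAMPLE_LOG" | offenders 3
```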

3rd October 2008, mdh (Real Name: Matt D. Harris; West Virginia)

A couple of other things I'd suggest looking into are BruteBlock (/usr/ports/security/bruteblock) and/or Snort (/usr/ports/security/snort and/or /usr/ports/security/snort_inline) to automagically update your kernel's packet filtering when the attacks start coming in. Snort and Snort-inline are very powerful and can help to identify and block much more than just SSH brute-force attacks, too.
10th October 2008, chris (United Kingdom)

Going off topic a bit here, but the amount of free help that people are willing to volunteer their time to give on this forum is pretty inspiring.
14th May 2009, frijsdijk (Real Name: Frederique Rijsdijk; Netherlands, The Hague)

I see a lot of people advising ports to combat the ssh brute force attacks. There are much simpler ways:

- use /etc/hosts.allow
- if you want to have ssh open for all, use ssh keys and empty the passwords in your master.passwd (replace the hash with '*'); that makes it impossible for anyone to brute force anything, because there are no passwords.
- /etc/ssh/sshd_config gives you some options too: AllowUsers, AllowGroups, also in a format like user@192.168.1.1 to allow 'user' to connect only from 192.168.1.1

Cheers!
15th May 2009, robbak (Real Name: Robert Backhaus; North Queensland, Australia)

Emptying passwords from master.passwd would mean that no one could log in to your box from the console, and would disable use of sudo too. I guess if it is a colo'd box, that wouldn't matter much, but I prefer being able to log in at the console.
A simpler way would be to disable password and keyboard-interactive logins in sshd.conf.

It also wouldn't affect the main problem with brute-force login attempts: log file pollution. I've yet to have a brute-forceteer target a valid login on my boxes!
__________________
The only dumb question is a question not asked.
The only dumb answer is an answer not given.
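An added example, not code from any post in this thread, that checks an sshd_config for the settings dk_netsvil, frijsdijk and robbak describe above (root login off, protocol 2 only, password and keyboard-interactive authentication off, an AllowUsers list). Both configs are constructed; the AllowUsers entry is a placeholder.

```shell
#!/bin/sh
# Added example, not from any post in this thread: check an sshd_config for the
# settings recommended above. WEAK_CONFIG and HARDENED_CONFIG are constructed
# stand-ins for /etc/ssh/sshd_config; the AllowUsers entry is a placeholder.

WEAK_CONFIG='Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes'

HARDENED_CONFIG='Protocol 2
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowUsers jurif@192.0.2.5'

# setting CONFIG KEY: print the effective value of KEY. Keywords are
# case-insensitive and sshd uses the FIRST occurrence, so a hardened line
# appended below a permissive one has no effect.
setting() {
    printf '%s\n' "$1" | awk -v k="$2" \
        '$1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }'
}

# require_setting CONFIG KEY WANTED: print a finding and return 1 unless KEY is
# WANTED. Unset counts as a finding: OpenSSH's default for these keys is the
# permissive value, or (Protocol) the thread asks for it to be set explicitly.
require_setting() {
    v=$(setting "$1" "$2")
    [ "$v" = "$3" ] && return 0
    echo "$2 should be '$3' (is '${v:-unset}')"
    return 1
}

# audit_sshd_config CONFIG: one line per finding; returns the number of findings
audit_sshd_config() {
    n=0
    require_setting "$1" Protocol 2 || n=$((n + 1))
    require_setting "$1" PermitRootLogin no || n=$((n + 1))
    require_setting "$1" PasswordAuthentication no || n=$((n + 1))
    require_setting "$1" ChallengeResponseAuthentication no || n=$((n + 1))
    # AllowUsers has no single right value; it only has to be present
    [ -n "$(setting "$1" AllowUsers)" ] \
        || { echo "AllowUsers is unset: every account is reachable"; n=$((n + 1)); }
    return "$n"
}

audit_sshd_config "$WEAK_CONFIG" || echo "weak config: $? finding(s)"
audit_sshd_config "$HARDENED_CONFIG" && echo "hardened config: no findings"
```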
17th May 2009, windependence (Real Name: Tim; Phoenix, Arizona)

Just MHO, but I don't see many fewer attacks by changing the ssh port. They scan anything that's open and sooner or later they will find it.

If you don't want to dive into pf with both feet, try pfSense. I run all my gateway boxes on it because I have a Windoze admin that needs to change firewall rules every now and then, and it has a web interface that is really nice. If you then want to look at the rules to learn, you can still get a console and take a peek.

I don't run anything other than pf, and it has never let me down OR let anyone in, without any other tools being loaded.

-Tim
__________________
www.windependence.org
Get your Windependence today!
21st May 2009, Mantazz

TarPits

I've seen some suggestions before that a TarPit http://labrea.sourceforge.net/labrea-info.html might be a solution worth looking into. The basic idea behind it, as explained to me, is to take the attempted connection and hold it open as long as possible, to slow down the hack attempt. Of course the thinking behind this is that a given host can only attempt a finite number of connections. The TarPits generally attempt to keep the connections open by sending junk data back to the host on the other end at the slowest rate possible, to minimize your own bandwidth consumption.

I have not tried this yet myself, though I may go for it the next time my system is on the receiving end of a distributed attempt.
13th June 2009, Sunnz

Quote:
Originally Posted by Mantazz
I've seen some suggestions before that a TarPit http://labrea.sourceforge.net/labrea-info.html might be a solution worth looking into. The basic idea behind it, as explained to me, is to take the attempted connection and hold it open as long as possible, to slow down the hack attempt.
I am trying to do this with pf and altq at the moment, pf basically provides some ways to detect a brute force attempt while altq provides a way to limit the outgoing bandwidth. Not sure how well this works yet as I am not sure how to test it, but if anyone is interested I can post my pf.conf here.
__________________
She sells C shells by the seashore.
10th June 2011, unixjingleman

You should use pf. And also it seems to say here that you can use DenyHosts on FreeBSD. This is an application for protecting an ssh daemon that still has password authentication enabled (for some quirky reason, like logging in from an iPhone?). Better still, you could just copy your ssh private key onto read-only media and then you could use it with all the hosts you connect from. Sorry if I'm totally off the mark; I didn't read the whole thread, I just read the initial question.
I hope the malness maelstrom doesn't get you