Re: ssh brute force

From: Anton Butsyk (butsyk_at_mail.etsplus.net)
Date: 07/23/05

  • Next message: Daniel Gerzo: "Re[2]: ssh brute force"
    Date: Sat, 23 Jul 2005 09:40:22 +0300
    To: freebsd-isp@freebsd.org
    
    

    Hi list.

    I escape from SSH brute force with pf.
    Just as a sample:
        pass in quick on $ext_if proto tcp from any to $ext_if port 22 \
            flags S/SA keep state \
            (max 200, source-track rule, max-src-nodes 100, \
             max-src-states 3, tcp.first 10, tcp.closing 10)
    With pf you can control packets on the interfaces; I love this tool.
     
    Regards,

    Anton.

    > An easier way to handle this is to simply set up some basic
    > configurations for the subnets you will accept SSH from. With pf it's
    > quite easy via the table structures, and with a little creativity and
    > shell scripting, it's not that tough to get ipfw or ipfilter to do it
    > either.
    >
    > One more step, just blocking port 22 from 61.0.0.0/8 helps
    > tremendously. We got hammered with this stuff a few weeks ago, and
    > despite my comments above, trying to fully automate dozens of machines
    > is an on-going labor of love for us, and there are many that do not
    > have the self-built firewall rules commented as 'protect myself'.
    >
    >
    > Michael F. DeMan
    > Director of Technology
    > OpenAccess Network Services
    > Bellingham, WA 98225
    > michael@staff.openaccess.org
    > 360-647-0785
    > On Jul 21, 2005, at 3:49 AM, Todor Dragnev wrote:
    >
    >> Thank you.
    >>
    >> On Thursday 21 July 2005 03:43, Chris Buechler wrote:
    >>
    >>> On 7/20/05, Chris Jones <cdjones@novusordo.net> wrote:
    >>>
    >>>> I'm looking at having a script look at SSH's log output for repeated
    >>>> failed connection attempts from the same address, and then blocking
    >>>> that address through pf (I'm not yet sure whether I want to do it
    >>>> temporarily or permanently).
    >>>
    >>>
    >>> Matt Dillon wrote an app in C to do just that, with ipfw.
    >>> http://leaf.dragonflybsd.org/mailarchive/users/2005-03/msg00008.html
    >>>
    >>> Scott Ullrich modified it to work with pf.
    >>> http://pfsense.org/cgi-bin/cvsweb.cgi/tools/sshlockout_pf.c
    >>>
    >>> -Chris
    >>
    >> _______________________________________________
    >> freebsd-isp@freebsd.org mailing list
    >> http://lists.freebsd.org/mailman/listinfo/freebsd-isp
    >> To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"
    >>
    >

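Added example, not part of the original thread and not the sshlockout code linked in it: a shell sketch of the log-watching approach discussed above, counting failed sshd logins per source address and printing the pfctl commands that would add offenders to a pf table. The table name ssh_block, the threshold, the function names and the sample log lines are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example. pf.conf side (table name ssh_block is an assumption):
#   table <ssh_block> persist
#   block in quick on $ext_if proto tcp from <ssh_block> to any port 22

# Print source addresses with at least $1 failed sshd logins (stdin = log).
ssh_offenders() {
    awk -v limit="${1:-5}" '
        / sshd\[[0-9]+\]: Failed password for / {
            # Expected tail: "from <addr> port <n> ssh2". Reading the
            # address from the end of the line means a username that
            # contains " from <other addr>" cannot redirect the block.
            if ($(NF-4) != "from" || $(NF-2) != "port") next
            addr = $(NF-3)
            # IPv4 dotted quad only in this sketch.
            if (addr !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next
            count[addr]++
        }
        END { for (a in count) if (count[a] >= limit) print a }
    ' | sort
}

# Print (do not run) the pfctl command for each offender, for review.
block_cmds() {
    ssh_offenders "$1" | while read -r addr; do
        printf 'pfctl -t ssh_block -T add %s\n' "$addr"
    done
}

# Constructed sample log; addresses are documentation ranges.
sample_log() {
    cat <<'EOF'
Jul 21 03:43:10 gw sshd[811]: Failed password for root from 203.0.113.7 port 4101 ssh2
Jul 21 03:43:12 gw sshd[812]: Failed password for illegal user test from 203.0.113.7 port 4102 ssh2
Jul 21 03:43:13 gw sshd[813]: Accepted password for alice from 192.0.2.5 port 5001 ssh2
Jul 21 03:43:15 gw sshd[814]: Failed password for illegal user a from 192.0.2.5 from 203.0.113.7 port 4103 ssh2
Jul 21 03:44:01 gw sshd[815]: Failed password for root from 198.51.100.20 port 6001 ssh2
EOF
}

sample_log | block_cmds 3
```

Keeping the addresses you administer from in a separate pass rule placed ahead of the block rule avoids locking yourself out if your own address ever crosses the threshold.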