Re: sshd brute force attempts?



Dan Mahoney, System Admin wrote:
> Hey all,
>
> I've looked around and found several Linux-centric things designed to block brute-force SSH attempts. Anyone out there know of something a bit more BSD savvy?
>
> My best attempt will be to get this:
>
> http://www.csc.liv.ac.uk/~greg/sshdfilter/index_15.html
>
> running and adapt it.
>
> I've found a few things based on OpenBSD's pf, but that doesn't seem to be the default in BSD either.

Well, this is not really an answer, yet as you bring it up, SecurityFocus had an article last week on this:

http://www.securityfocus.com/infocus/1876

Along with some good advice. First of all: ssh is not a public service like http or smtp where you need anyone to be able to connect. So don't let them in the first place.

Disable direct root login; in the article, more than a third of the attempts tried to log in as root. Disable shell access for service accounts such as mysql, www or ldap.

Use a scheme for choosing usernames that avoids common names like "james" and avoid publishing usernames on web-sites, e-mail may differ from the username.

Disable password-based authentication and require ssh keys if possible, best if you can ensure both password and key-based authentication.

You may still find sshd "login denied" entries in your log - so what? It was denied! This is really only a problem if the traffic saturates your connection, or your log files grow so much that you run out of disk space.

The article also comments on moving ssh to a different port, but this causes confusion and annoyance if you have many users and is non-standard. Doing the other things works great, an ssh-key on a usb-keyring is great.

Personally, I created a script for parsing the delegated files from the different regional registries, so as to only allow connections from EU countries.

Since then, I get at most one attempt a week, few enough to manually look up the IP with whois and decide if the host or network should be blocked.

Cheers, Erik
--
Ph: +34.666334818 web: http://www.locolomo.org
X.509 Certificate: http://www.locolomo.org/crt/8D03551FFCE04F0C.crt
Key ID: 69:79:B8:2C:E3:8F:E7:BE:5D:C3:C3:B1:74:62:B8:3F:9F:1F:69:B9
_______________________________________________
freebsd-questions@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@xxxxxxxxxxx"
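The sshd_config advice in Erik's reply (no direct root login, no password authentication, keys required, service accounts kept out) can be checked mechanically. The following is an added example, not code from the original thread: a small Python audit that parses an sshd_config the way sshd reads it (first value of a keyword wins, Match blocks not evaluated) and reports directives that deviate from that advice. Both config texts are constructed samples, and the AllowGroups check is one possible way to keep service accounts such as mysql or www out of ssh, not the only one.

```python
import re

# Constructed sample of a permissive sshd_config (not from the original post).
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
PubkeyAuthentication yes
"""

# Constructed sample applying the advice in the reply above.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
# only members of this group may log in; service accounts such as
# mysql, www or ldap stay out even if they have a shell
AllowGroups sshusers
"""

# Directive -> value the reply recommends. Keys are lower-cased because
# sshd_config keywords are case-insensitive.
EXPECTED = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "challengeresponseauthentication": "no",
    "pubkeyauthentication": "yes",
}


def parse_sshd_config(text):
    """Return {keyword: value} for the global section of an sshd_config.

    sshd uses the first value it reads for each keyword, so later duplicates
    are ignored here as well. Parsing stops at the first Match block, whose
    conditional overrides are outside the scope of this check.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"([^\s=]+)\s*=?\s*(.*)", line)  # "Key value" or "Key=value"
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        settings.setdefault(key, value)  # first occurrence wins
    return settings


def audit_sshd_config(text):
    """Return a list of human-readable findings; an empty list means nothing to report."""
    settings = parse_sshd_config(text)
    findings = []
    for key, wanted in EXPECTED.items():
        actual = settings.get(key)
        if actual is None:
            findings.append(
                f"{key}: not set, compiled-in default applies; set it to '{wanted}' explicitly")
        elif actual.lower() != wanted:
            findings.append(f"{key}: is '{actual}', expected '{wanted}'")
    if "allowusers" not in settings and "allowgroups" not in settings:
        findings.append("allowusers/allowgroups: not set, any account with a shell may log in")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for finding in audit_sshd_config(cfg) or ["no findings"]:
            print("  " + finding)
```

Run it against a real file with `audit_sshd_config(open("/etc/ssh/sshd_config").read())`. The "both password and key" variant Erik mentions corresponds, on OpenSSH 6.2 and later, to `AuthenticationMethods publickey,password`; older servers have no single directive for it, which is why the check above only verifies that passwords alone are not accepted.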
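Erik describes a script that turns the regional registries' "delegated" files into a per-country allow list but does not post it. The following is an added example, not his script: it parses the delegated file format that RIPE, ARIN, APNIC, LACNIC and AFRINIC all publish (`registry|cc|type|start|value|date|status`), keeps the ipv4 and ipv6 allocations for a chosen set of country codes, and emits collapsed CIDR blocks, one per line, suitable for loading into a firewall table. The sample records are constructed for the example; the EU country list is an assumption to adjust to whatever countries you actually need to admit.

```python
import ipaddress

# Constructed sample in the RIR "delegated" file format:
#   registry|cc|type|start|value|date|status
# For ipv4 records 'value' is a count of addresses (not always a power of
# two); for ipv6 it is a prefix length. The first line is the file header
# and the second a per-type summary, both of which real files contain.
SAMPLE_DELEGATED = """\
2|ripencc|20240101|5|19830705|20231231|+0100
ripencc|*|ipv4|*|4|summary
ripencc|NL|ipv4|192.0.2.0|256|20010101|allocated
ripencc|DE|ipv4|198.51.100.0|768|20050301|assigned
ripencc|ES|ipv4|203.0.113.0|128|20090101|allocated
apnic|CN|ipv4|100.64.0.0|1024|20100101|allocated
ripencc|FR|ipv6|2001:db8::|32|20070101|allocated
ripencc|NL|asn|64496|1|20000101|allocated
ripencc|IT|ipv4|192.0.2.0|256|20010101|reserved
"""

# ISO 3166 codes of the EU member states (assumed list; edit to taste).
EU_COUNTRIES = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
    "SI", "ES", "SE",
}


def parse_delegated(text):
    """Yield (cc, kind, start, value) for records that are actually in use."""
    for line in text.splitlines():
        fields = line.split("|")
        if len(fields) < 7 or fields[1] == "*":  # blank, summary or short lines
            continue
        _registry, cc, kind, start, value, _date, status = fields[:7]
        # 'reserved' and 'available' space is not routed to anyone; the header
        # line also falls out here because its status field is a UTC offset
        if status not in ("allocated", "assigned"):
            continue
        yield cc, kind, start, int(value)


def record_to_networks(kind, start, value):
    """Convert one record into CIDR networks (an ipv4 count may need several)."""
    if kind == "ipv4":
        first = ipaddress.IPv4Address(start)
        return list(ipaddress.summarize_address_range(first, first + value - 1))
    if kind == "ipv6":
        return [ipaddress.IPv6Network(f"{start}/{value}")]
    return []  # asn records carry no address space


def allow_list(text, countries):
    """Return sorted, collapsed CIDR strings for all records in 'countries'."""
    nets = [n for cc, kind, start, value in parse_delegated(text)
            if cc in countries
            for n in record_to_networks(kind, start, value)]
    # collapse_addresses only accepts one address family at a time
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return [str(n) for n in v4] + [str(n) for n in v6]


if __name__ == "__main__":
    # one prefix per line, the layout a pf table file expects
    print("\n".join(allow_list(SAMPLE_DELEGATED, EU_COUNTRIES)))
```

Feed the concatenated delegated files of all five registries to `allow_list` and write the output to a file; with pf, `table <ssh_allow> persist file "/etc/ssh_allow"` plus a rule that passes tcp to port ssh only `from <ssh_allow>` does the rest, and `pfctl -t ssh_allow -T replace -f /etc/ssh_allow` refreshes the table after the registries publish new data. Note that country codes in these files reflect the registrant's address, not where a host physically sits, so treat the list as a coarse filter rather than a precise geolocation.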


