Re: Thousands of ssh probes

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05/03/2010 15:44:39, John wrote:
Maybe I'll have to learn how to do a VPN from FreeBSD....

One thought that occurs to me is that pf tables would provide a
direct API without having to hit a database.

I think I really like this. I may have to implement it for pf.
It should be really easy with CGI and calls to pfctl.

There's already a mechanism whereby you can connect into a PF firewall
and have it open up extra access for you, all controlled by ssh keys.

See: http://www.openbsd.org/faq/pf/authpf.html

Not only that, but you can dynamically block brute force attempts to
crack SSH passwords using just PF -- no need to scan through auth.log or
use an external database. You need something like this in pf.conf:

table <ssh-bruteforce> persist

[...near the top of the rules section...]
block drop in log quick on $ext_if from <ssh-bruteforce>

[...later in the rules section...]
pass in on $ext_if proto tcp \
from any to $ext_if port ssh \
flags S/SA keep state \
(max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global)

This adds IPs to the ssh-bruteforce table if there are too frequent
attempts to connect from them (more than 3 within 30 seconds in this
case) and so blocks all further access.

You need to run a cron job to clear out old entries from the
ssh-bruteforce table or it will grow continually over time:

*/12 * * * * /sbin/pfctl -t ssh-bruteforce -T expire 86400 >/dev/null 2>&1

Cheers,

Matthew

- --
Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard
Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
Kent, CT11 9PW
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.14 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkuRKtwACgkQ8Mjk52CukIyodQCfZ42OO6DstB5TFCY49uP0KaZl
Y+wAn3sBhwad03EGKioC7vBhcqE2vHvP
=awJ9
-----END PGP SIGNATURE-----
_______________________________________________
freebsd-questions@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@xxxxxxxxxxx"

Relevant Pages

  • pf overload for SMTP (was: Thousands of ssh probes)
    ... direct API without having to hit a database. ... and have it open up extra access for you, all controlled by ssh keys. ... This adds IPs to the ssh-bruteforce table if there are too frequent ... The inherent vice of capitalism is the unequal sharing of blessings; ...
    (freebsd-questions)
  • Re: synchronize sendemail / cyrus / ftp / ssh password
    ... apache2 and ssh. ... I'm looking for a way to store all the passwords for them in _one_ ... database so i can manage them easily by a web interface. ... authentication, but ssh uses PAM. ...
    (Debian-User)
  • Re: Forwarding port 1433 to 22 via intermediary
    ... > Now that I can use my Linux box at work to connect to our MS SQL Server ... > I had administrative privileges on the Linux server in the middle, and SSH ... > the database needs a login. ...
    (Fedora)
  • Re: Security blocking question
    ... example X attempts from an IP address then for the next Y hours all the SSH ... To see what IPs have been added to the ssh-bruteforce table and when and what ... out of cron to expire addresses over a day old from the ssh-bruteforce ... block in quick from <sshBruteForce> to any ...
    (freebsd-questions)
  • Re: Security blocking question
    ... Aflatoon Aflatooni wrote: ... example X attempts from an IP address then for the next Y hours all the SSH requests would be ignored from that IP address? ... To see what IPs have been added to the ssh-bruteforce table and when and what ... out of cron to expire addresses over a day old from the ssh-bruteforce blocklist: ...
    (freebsd-questions)