preventing ssh brute force attacks, swatch and users and table

eculp at encontacto.net eculp at encontacto.net
Tue Apr 24 18:44:13 UTC 2007


Quoting Dave <dmehler26 at woh.rr.com>:

> Hello,
>    I've got a machine running ssh and I'm trying to cut down on
> brute force attacks on it. I'm running pf on a FreeBSD 6.2 box and
> have added in swatch to try to curb these attacks. The problem is
> nothing is being added to either the memory hackers table nor the
> on-disk copy of it. I know I'm getting hits because I'm seeing
> entries in my auth.log like this:
>
> Apr 21 06:18:38 zeus sshd[10609]: Did not receive identification string from 125.33.163.188
> Apr 21 06:22:55 zeus sshd[10658]: User root from 125.33.163.188 not allowed because none of user's groups are listed in AllowGroups
> Apr 21 06:22:55 zeus sshd[10658]: Failed password for invalid user root from 125.33.163.188 port 54521 ssh2
> Apr 21 06:22:57 zeus sshd[10660]: User root from 125.33.163.188 not allowed because none of user's groups are listed in AllowGroups
> Apr 21 06:22:57 zeus sshd[10660]: Failed password for invalid user root from 125.33.163.188 port 54727 ssh2
> Apr 24 00:52:08 zeus sshd[7746]: Failed password for invalid user root from 218.205.231.39 port 61694 ssh2
> Apr 24 00:52:11 zeus sshd[7749]: User root from 218.205.231.39 not allowed because none of user's groups are listed in AllowGroups
> Apr 24 00:52:11 zeus sshd[7749]: Failed password for invalid user root from 218.205.231.39 port 61773 ssh2
>
> I don't want to move my ssh, I feel these bots would just find it
> again. I'm also getting postfix attempts; I'd like to block them both.
> My swatch configuration looks like this:
>
> rc.conf
> swatch_enable="YES"
> swatch_rules="1"
> swatch_1_flags="--config-file=/usr/local/etc/swatchrc --tail-file=/var/log/auth.log --daemon --pid-file=/var/run/swatch.pid"
> swatch_1_user="root"
> swatch_1_chdir="/var/tmp"
> swatch_1_pidfile="/var/run/swatch.pid"
>
> In pf I have a block by default policy and I've got these lines:
> table <hackers> persist file "/etc/hackers"
> block all
> block in quick on $ext_if from <hackers> to any
>
> and /usr/local/etc/swatchrc calls a script that looks like:
> #!/bin/sh
> # $1 is the offending address handed over by swatch; quote it so an
> # empty or odd argument cannot turn into a different pfctl command line
> /sbin/pfctl -t hackers -T add "$1"
> /bin/echo "$1" >> /etc/hackers
> /usr/bin/logger "swatch: $1 caught with bad login. Added to hackers pf table"
>
> If there's a better way that I can get both ssh and smtp bots I'd
> like to know about it, also if my config is wrong let me know it's
> not working. One thing, I do not want to unblock attempted hackings,
> my feeling is those that do it should have no further interactions
> with my machines on any level.

I'm pretty sure that I don't have a better way, in fact that is why  
I'm posting it ;) but it seems to work.

My rules are basically:

   block drop in quick on $ext_if from <ssh-bruteforce> to any
   block drop in quick on $ext_if from <blocksmtp> to any

   pass in quick on $ext_if inet proto tcp from any to ($ext_if) port smtp flags S/SA keep state \
     ( max-src-conn 70, max-src-conn-rate 70/90, overload <blocksmtp> flush global )

   pass in quick on $ext_if inet proto tcp from any to ($ext_if) port $ssh_services flags S/SA keep state \
     ( max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global )

The connections and rates took me a couple of weeks to not block legit
smtp but it seems to be ok for my installation now.

I'm not sure if the quick is good or bad but it was faster ;)

Maybe this will give you another perspective, from someone less knowledgeable.

I also run expiretable to leave the IPs in for 24 hours and I get few
repeats.  I've thought about not doing that but . . . . .

Good luck,

ed


> Thanks.
> Dave.
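As an added example, not from either poster, this POSIX sh script does in one place what Dave's swatch rule plus helper script are meant to do: it counts the two sshd messages seen in his auth.log excerpt per source address, reports the addresses over a threshold, and adds each to a pf table and its persist file only once (his script appends a duplicate line for every hit). The log lines are the ones quoted above; the table and file names and the PFCTL override are assumptions for running it without root.

```sh
#!/bin/sh
# Log lines copied from the thread (constructed input for this example).
AUTH_LOG_SAMPLE='Apr 21 06:18:38 zeus sshd[10609]: Did not receive identification string from 125.33.163.188
Apr 21 06:22:55 zeus sshd[10658]: Failed password for invalid user root from 125.33.163.188 port 54521 ssh2
Apr 21 06:22:57 zeus sshd[10660]: Failed password for invalid user root from 125.33.163.188 port 54727 ssh2
Apr 24 00:52:08 zeus sshd[7746]: Failed password for invalid user root from 218.205.231.39 port 61694 ssh2
Apr 24 00:52:11 zeus sshd[7749]: Failed password for invalid user root from 218.205.231.39 port 61773 ssh2'

# failed_logins: read auth.log text on stdin, print "count ip" per source,
# highest count first. Only the two sshd messages from the thread count.
failed_logins() {
    awk '
      /sshd\[[0-9]+\]: Failed password for/ ||
      /sshd\[[0-9]+\]: Did not receive identification string from/ {
          for (i = 1; i <= NF; i++)
              if ($i == "from") { n[$(i+1)]++; break }
      }
      END { for (ip in n) print n[ip], ip }
    ' | sort -rn
}

# offenders THRESHOLD: addresses with at least THRESHOLD hits, one per line.
offenders() {
    failed_logins | awk -v t="$1" '$1 >= t { print $2 }'
}

# block_ip TABLE FILE IP: add the address to the pf table and the persist
# file, skipping addresses already in the file. PFCTL may be overridden
# (e.g. PFCTL=echo) to dry-run as an unprivileged user.
block_ip() {
    table=$1; file=$2; ip=$3
    if ! grep -qx "$ip" "$file" 2>/dev/null; then
        ${PFCTL:-/sbin/pfctl} -t "$table" -T add "$ip" || return 1
        echo "$ip" >> "$file"
        logger "swatch: $ip caught with bad login. Added to <$table> pf table" 2>/dev/null || true
    fi
}

# Stand-alone run: list addresses with 3 or more hits in the sample.
printf '%s\n' "$AUTH_LOG_SAMPLE" | offenders 3
```

Pointing the first line at `tail -f /var/log/auth.log` turns it into a live watcher, but pf's own `max-src-conn-rate ... overload` as in ed's rules does the counting in the kernel with no log parsing at all.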