Repeated attacks via SSH
Mike Tancsa
mike at sentex.net
Sun Oct 2 17:03:11 PDT 2005
At 06:08 PM 02/10/2005, Don Lewis wrote:
> > practical, everyone limit SSH logins to the minimum possible number
> > of users via the "AllowUsers" directive. We also have a log monitor
> > that watches the logs (/var/log/auth.log in particular) and
> > blackholes hosts that seem to be trying to break in via SSH.
>
>It's also a good idea to only allow public key authentication from
>remote hosts. This avoids the risks of password guessing and password
>capture by shoulder surfers or key loggers.
A couple of other things to add:
deny all access via hosts.allow and only let in those who are
supposed to come in
launch sshd from inetd and then use the rate limiting feature of
inetd (e.g. -C 10) to reject hosts with more than 10 connection
attempts from a single IP per minute
Move to a different port than the default 22 to avoid scanners
use "port knocking" to dynamically allow a remote host to see port 22
(/usr/ports/security/doorman)
Also saw someone post on the openbsd list about using pf to rate limit
(http://groups.google.ca/group/lucky.openbsd.misc/tree/browse_frm/thread/86320212088ec09/42313fa39522f2b7?rnum=1&hl=en&q=openbsd+ssh+crackers+pf+table+ssh&_done=%2Fgroup%2Flucky.openbsd.misc%2Fbrowse_frm%2Fthread%2F86320212088ec09%2F605665a2b79f493b%3Flnk%3Dst%26q%3Dopenbsd+ssh+crackers+pf+table+ssh%26rnum%3D1%26hl%3Den%26#doc_605665a2b79f493b)
--------
# persistent table, pre-seeded from the file the cron job below maintains
table <crackers> persist file "/etc/tables/crackers"
block in quick from <crackers>
# more than 5 open connections, or more than 4 new ones per 60 s, from one
# source address adds it to <crackers> and flushes its existing states
pass in on $ext_if inet proto tcp from any to ($ext_if) \
port $tcp_services flags S/SA modulate state \
(max-src-conn 5, max-src-conn-rate 4/60, overload <crackers> flush global)
crontab:
# hourly: dump the live table (-T show) back to the file it is loaded from
0 * * * * pfctl -t crackers -Tsh > /etc/tables/crackers
--------------
---Mike
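As an added illustration of the auth.log monitor described at the top of the thread (example code, not from anyone on the list): it parses sshd "Failed password" lines, keeps a per-source sliding window like the pf max-src-conn-rate rule, and emits the pfctl commands that would feed the <crackers> table. The log lines, the 5-failures-per-60-seconds threshold and the year are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample auth.log lines in FreeBSD/OpenSSH syslog format (not from a real host).
SAMPLE_LOG = """\
Oct  2 17:01:01 gw sshd[1201]: Failed password for invalid user admin from 192.0.2.10 port 40122 ssh2
Oct  2 17:01:03 gw sshd[1203]: Failed password for invalid user test from 192.0.2.10 port 40130 ssh2
Oct  2 17:01:04 gw sshd[1205]: Failed password for root from 192.0.2.10 port 40131 ssh2
Oct  2 17:01:20 gw sshd[1210]: Failed password for invalid user oracle from 192.0.2.10 port 40140 ssh2
Oct  2 17:01:31 gw sshd[1214]: Failed password for invalid user guest from 192.0.2.10 port 40150 ssh2
Oct  2 17:01:40 gw sshd[1220]: Accepted publickey for mike from 198.51.100.7 port 51000 ssh2
Oct  2 17:08:00 gw sshd[1240]: Failed password for invalid user admin from 203.0.113.5 port 2222 ssh2
"""

# Matches sshd failed-login lines; captures the syslog timestamp and the source address.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed (?:password|publickey|keyboard-interactive/pam) for (?:invalid user )?\S+ "
    r"from (?P<ip>[\d.]+) port \d+"
)

def parse_ts(ts, year=2005):
    # Syslog timestamps carry no year; the caller supplies one (2005 = date of this thread).
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def offenders(log_text, max_failures=5, window_secs=60, year=2005):
    """Return {ip: time_of_trip} for sources with >= max_failures failures in any window_secs span."""
    recent = defaultdict(deque)   # per-source sliding window of failure times
    tripped = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue              # accepted logins and unrelated lines are ignored
        ip, t = m.group("ip"), parse_ts(m.group("ts"), year)
        q = recent[ip]
        q.append(t)
        while (t - q[0]).total_seconds() > window_secs:
            q.popleft()           # drop failures older than the window
        if len(q) >= max_failures and ip not in tripped:
            tripped[ip] = t
    return tripped

def pf_table_commands(ips, table="crackers"):
    """pfctl invocations that add each offender to the persistent table from the post above."""
    return [f"pfctl -t {table} -T add {ip}" for ip in sorted(ips)]
if __name__ == "__main__":
    hits = offenders(SAMPLE_LOG)
    print("\n".join(pf_table_commands(hits)))
```

The hourly cron dump in the post then carries whatever the monitor added into /etc/tables/crackers, so the entries survive a ruleset reload.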