>Date: Thu, 30 Jun 2005 11:05:43 +0200
>From: Nico Meijer <[EMAIL PROTECTED]>
>To: Steve Williams <[EMAIL PROTECTED]>
>Cc: [email protected]
>Subject: Re: Blocking many accesses to ssh port from single IP
>
>> I am running OpenBSD 3.7-stable, pretty standard install, spamd
>> greylisting, httpd, sendmail. Going over my log files, I have
>> noticed that I am more and more coming under attack with dictionary
>> based login attempts to the SSH port.
>
>I don't know if this still holds true, but some months ago rogue Linux
>machines were responsible for large scale network probing. It's in the
>archives; please go check.
>
>Short version:
>block in log proto tcp from any os Linux to ($ext_if) port ssh

I've just been looking at this over the last few days. As others
have pointed out, pf[1] is your friend. As a first time pf user,
I'm using the following *very* simple pf.conf file:

# Simple pf.conf file to prevent silly sods playing ssh
# username/password guessing games with us.
# DHD June 2005
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.
ext_if = "em0"
# Table maintained entirely by pfctl. It's empty to start with, but
# IDS systems etc can add to it.
table <ssh-blacklist> persist
# Normalize all traffic.
scrub in
# This is extremely lenient..
pass in
pass out
# ...but we'll block those playing ssh games with us.
block return-rst in on $ext_if proto tcp from <ssh-blacklist> to port ssh

Then you can add suspect IPs to the blacklist with:
    pfctl -t ssh-blacklist -T add {suspect-ip}
and remove them with:
    pfctl -t ssh-blacklist -T delete {friendly-ip}

If you want to automate this, have a look at:
http://www.pettingers.org/code/SSHBlack.htm
It's a perl program which tails a log. Have it tail
/var/log/authlog looking for strings such as "Failed password" and
"Invalid user". As written, this perl program used iptables commands
to block IPs. But it's trivial to alter it to use the above pfctl
commands.

[1] The book "Absolute OpenBSD" by Michael W Lucas contains a very
useful discussion on pf.
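As an added illustration of the automation described above (this is example code written for this note, not the SSHBlack program and not the poster's own), the following sh script counts sshd "Failed password" / "Invalid user" lines per source IP and adds an IP to the <ssh-blacklist> table once it reaches a threshold. The THRESHOLD and PFCTL knobs, the authlog lines in SAMPLE_LOG and the function names are all assumptions made for the example.

```shell
#!/bin/sh
# Added example (not SSHBlack, not from the original post): watch authlog
# for sshd "Failed password" / "Invalid user" lines, count them per source
# IP, and add an IP to <ssh-blacklist> once it reaches THRESHOLD failures.
# Assumed knobs: THRESHOLD (failures before blocking) and PFCTL (set
# PFCTL=echo for a dry run that only prints the pfctl commands).
THRESHOLD=${THRESHOLD:-5}
PFCTL=${PFCTL:-pfctl}

# Read authlog lines on stdin; print each offending IP exactly once, at
# the moment its failure count reaches the threshold ($1 or THRESHOLD).
# State lives inside awk, so this works on a whole file and on a live
# "tail -f /var/log/authlog" stream alike.
offenders() {
  awk -v t="${1:-$THRESHOLD}" '
    /sshd\[[0-9]+\]: (Failed password|Invalid user)/ {
      if (match($0, / from [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/)) {
        ip = substr($0, RSTART + 6, RLENGTH - 6)   # skip the " from "
        if (++seen[ip] == t) { print ip; fflush() }
      }
    }'
}

# Feed offenders() to pfctl, adding each IP to the persistent table.
# Live use:  tail -f /var/log/authlog | block_offenders
block_offenders() {
  offenders "$1" | while IFS= read -r ip; do
    "$PFCTL" -t ssh-blacklist -T add "$ip"
  done
}

# Constructed sample authlog lines (documentation addresses, not real
# traffic) so the script can be exercised without a live log.
SAMPLE_LOG='Jun 30 10:01:02 gw sshd[1234]: Failed password for root from 192.0.2.10 port 4001 ssh2
Jun 30 10:01:03 gw sshd[1235]: Invalid user admin from 192.0.2.10
Jun 30 10:01:04 gw sshd[1236]: Failed password for invalid user admin from 192.0.2.10 port 4002 ssh2
Jun 30 10:01:05 gw sshd[1237]: Accepted publickey for dhd from 198.51.100.7 port 5000 ssh2
Jun 30 10:01:06 gw sshd[1238]: Failed password for dhd from 198.51.100.7 port 5001 ssh2'

# IPs that would be blocked at threshold $1 for the sample log.
sample_blocked() {
  printf '%s\n' "$SAMPLE_LOG" | offenders "$1"
}
```

Remove an IP again with the pfctl -T delete command from the post; the table is declared persist, so entries survive a ruleset reload but not a reboot.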