On 9/28/05, John Marten <[EMAIL PROTECTED]> wrote:
> Thank you to all who replied. (There were several dozen)
> If I had to name everyone, there would not be room on this page! This
> list is great.
>
> Solution #1) Change the port number in sshd_config to something obscure.
>
> Solution #2) Edit the sshd_config file, and include or create this
> entry: MaxAuthTries 3
> - this forces a disconnect after two unsuccessful tries.
>
> ---------------------------------------------------------------------------------
> Original post: Every day I get some script kiddie, or adult, trying to
> guess usernames or passwords.
> I've installed the newest version of SSH, so I'm covered there. But I
> still get a dozen or 2 of the
> "sshd Invalid user somename from ###.##.##.###"
> "input_userauth_request: invalid user somename"
> "Failed password for invalid user somename"
> "Received disconnect from ###.##.##.###"
> Someone told me to add a 'block in quick on $net inet proto {tcp,udp}
> from ###.##.##.### to any flags S/SA'
> entry in my pf.conf file. But if I had to do that for every hacker my
> pf.conf would be huge!
> There's got to be a better way, and I'm open to suggestions.
I'm not sure if this is what you are looking for, but this is what I
have done to handle dictionary attacks.
pf.conf:
# Persistent table of offending sources; its contents are loaded from the
# file when the ruleset is loaded
table <crackers> persist file "/etc/tables/crackers"
# Drop everything from a source once it has landed in the table
block in quick from <crackers>
# Allow the services, but a source holding more than 5 simultaneous
# connections, or opening more than 4 new ones in 60 seconds, is added to
# <crackers> and all of its existing states are flushed
pass in on $ext_if inet proto tcp from any to ($ext_if) \
port $tcp_services flags S/SA modulate state \
(max-src-conn 5, max-src-conn-rate 4/60, overload <crackers> flush global)
crontab:
# Hourly: write the live table back to its file so the entries survive a
# ruleset reload or reboot
0 * * * * pfctl -t crackers -T show > /etc/tables/crackers
Hope this helps
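The overload rule above only counts connections, so a scanner that spaces its attempts out stays under 4/60 and never lands in the table. As an added example (my script, not the poster's, assuming the sshd log formats quoted in the original post and a constructed sample log with documentation-range addresses), here is a small sh/awk script that counts "Failed password" lines per source address and emits the pfctl command that would add the repeat offenders to the same <crackers> table:

```shell
#!/bin/sh
# Constructed sample of the sshd log lines quoted in the original post.
# The source addresses are documentation-range placeholders, not real hosts.
SAMPLE_LOG='Sep 28 10:01:02 host sshd[1234]: Invalid user admin from 203.0.113.7
Sep 28 10:01:02 host sshd[1234]: input_userauth_request: invalid user admin
Sep 28 10:01:03 host sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 4021 ssh2
Sep 28 10:01:04 host sshd[1234]: Received disconnect from 203.0.113.7
Sep 28 10:01:09 host sshd[1240]: Failed password for invalid user oracle from 203.0.113.7 port 4022 ssh2
Sep 28 10:01:15 host sshd[1241]: Failed password for invalid user test from 203.0.113.7 port 4023 ssh2
Sep 28 10:02:00 host sshd[1250]: Failed password for john from 198.51.100.4 port 51000 ssh2
Sep 28 10:02:30 host sshd[1251]: Accepted password for john from 198.51.100.4 port 51001 ssh2'

# offenders THRESHOLD   (reads sshd log lines on stdin)
# Prints every source address with at least THRESHOLD "Failed password"
# lines, one address per line, which is the format a pf table file and
# "pfctl -T add" accept. Lines for valid and invalid users both count.
offenders() {
    awk -v limit="$1" '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= limit) print ip }
    ' | sort
}

# ban_command THRESHOLD   (reads sshd log lines on stdin)
# Builds the pfctl line that adds the offenders to the <crackers> table.
# It is printed rather than executed so the script runs anywhere;
# the real cron job would run it as root on the pf host.
ban_command() {
    ips=$(offenders "$1")
    [ -n "$ips" ] || return 0
    printf 'pfctl -t crackers -T add %s\n' "$(echo $ips)"
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | ban_command 3
```

In a cron job the sample would be replaced by `tail` of the last hour of /var/log/authlog, and the printed command executed instead of echoed.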