Re: Blocking SSH Brute-Force Attacks: What Am I Doing Wrong? (Solved!)

2006-11-15 Thread Leo L. Schwab
After instrumenting 'bruteblock' (and accidentally causing auth.log
to explode), I discovered that the ssh.conf file that ships with it won't
work on FreeBSD 6.1 (or at least my copy of it).

The shipped regexp looks for "illegal" users.  But 'sshd' on FreeBSD
6.1 records login attempts of "invalid" users.

The patch appended below got it to work on my system.

My thanks to everyone who chimed in with suggestions.  They were
greatly appreciated.

Schwab

--- ssh.conf.dist   Mon Oct 30 21:17:34 2006
+++ ssh.confWed Nov 15 00:20:29 2006
@@ -6,16 +6,16 @@
 # this regexp for the OpenSSH server matches lines like:
 #
 # comment: auth via key only
-#sshd[72593]: Illegal user hacker from 1.2.3.4
+#sshd[72593]: Invalid user hacker from 1.2.3.4
 #
 # comment: pwd auth, but no such user
-#sshd[72593]: Failed password for illegal user sa from 1.2.3.4
+#sshd[72593]: Failed password for invalid user sa from 1.2.3.4
 #
 # comment: correct user, but wrong password
 #sshd[72626]: Failed password for samm from 1.2.3.4
 #
-regexp = sshd.*Illegal user \S+ from 
(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
-regexp1= sshd.*Failed password for (?:illegal user )?\S+ from 
(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
+regexp = sshd.*Invalid user \S+ from 
(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
+regexp1= sshd.*Failed password for (?:invalid user )?\S+ from 
(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
 
 # Number of failed login attempts within time before we block
 max_count   = 4
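Review bot: the replacement `regexp =` and `regexp1=` lines drop the "Illegal" spelling entirely, so the same ssh.conf stops matching on an sshd that still logs "Illegal user"; matching both spellings, e.g. `sshd.*(?:Illegal|Invalid) user \S+ from` and `(?:(?:illegal|invalid) user )?`, keeps the file working across OpenSSH versions. Separately, the regexp values are wrapped onto two lines in this mail (the `(\d{1,3}...` capture group starts on its own line), so anyone applying the patch by copy/paste has to rejoin each value onto a single line first.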
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
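To see why the shipped regexps never triggered, the following added example (my own code, not part of bruteblock or of this thread) runs both the shipped "Illegal" patterns and the patched "Invalid" patterns from the ssh.conf above over a few constructed auth.log lines and counts matches per source address. It assumes a simplified bruteblock semantics: one match per log line, no time window, and an address is reported once its count reaches `max_count` (4, as in the config). Host names, PIDs and addresses in the sample lines are made up.

```python
import re
from collections import Counter

# IPv4 capture group exactly as written in the ssh.conf regexps
IPV4 = r"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"

# Patterns as shipped in ssh.conf.dist ("Illegal" wording)
SHIPPED_PATTERNS = [
    re.compile(r"sshd.*Illegal user \S+ from " + IPV4),
    re.compile(r"sshd.*Failed password for (?:illegal user )?\S+ from " + IPV4),
]

# Patterns after the patch ("Invalid" wording logged by sshd on FreeBSD 6.1)
FIXED_PATTERNS = [
    re.compile(r"sshd.*Invalid user \S+ from " + IPV4),
    re.compile(r"sshd.*Failed password for (?:invalid user )?\S+ from " + IPV4),
]

MAX_COUNT = 4  # max_count from the ssh.conf in the post

# Constructed sample auth.log excerpt (hypothetical host "gw", PIDs and
# documentation-range addresses; not real log data)
SAMPLE_LOG = """\
Nov 15 00:01:02 gw sshd[72593]: Invalid user hacker from 192.0.2.10
Nov 15 00:01:03 gw sshd[72593]: Failed password for invalid user hacker from 192.0.2.10 port 4312 ssh2
Nov 15 00:01:05 gw sshd[72594]: Invalid user sa from 192.0.2.10
Nov 15 00:01:06 gw sshd[72594]: Failed password for invalid user sa from 192.0.2.10 port 4313 ssh2
Nov 15 00:01:08 gw sshd[72595]: Invalid user oracle from 192.0.2.10
Nov 15 00:02:00 gw sshd[72626]: Failed password for samm from 198.51.100.7 port 5000 ssh2
Nov 15 00:02:30 gw sshd[72630]: Accepted publickey for samm from 198.51.100.7 port 5001 ssh2
"""


def count_hits(log_text, patterns):
    """Return {ip: number_of_matching_lines} for the given patterns.

    Each log line is counted at most once (first matching pattern wins),
    which is what a syslog pipe consumer reading line by line would do.
    """
    hits = Counter()
    for line in log_text.splitlines():
        for pat in patterns:
            m = pat.search(line)
            if m:
                hits[m.group(1)] += 1
                break
    return dict(hits)


def offending_ips(log_text, patterns, max_count=MAX_COUNT):
    """Addresses whose failed-attempt count reached max_count.

    Assumption (not taken from bruteblock's source): the threshold is
    inclusive and no time window is applied.
    """
    return {ip: n for ip, n in count_hits(log_text, patterns).items()
            if n >= max_count}


if __name__ == "__main__":
    print("shipped patterns:", count_hits(SAMPLE_LOG, SHIPPED_PATTERNS))
    print("fixed patterns:  ", count_hits(SAMPLE_LOG, FIXED_PATTERNS))
    print("would block (shipped):", offending_ips(SAMPLE_LOG, SHIPPED_PATTERNS))
    print("would block (fixed):  ", offending_ips(SAMPLE_LOG, FIXED_PATTERNS))
```

With the shipped patterns only the single "Failed password for samm" line is counted, because `\S+` cannot swallow the two words "invalid user" and `(?:illegal user )?` never matches; the dictionary attacker at 192.0.2.10 is invisible and is never blocked. With the patched patterns the same input yields five hits for 192.0.2.10, which crosses `max_count` and would be handed to the firewall. The same approach (feed a known-bad log excerpt through the configured regexps before trusting the blocker) is a cheap sanity check whenever sshd's log wording changes between releases.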


Re: Blocking SSH Brute-Force Attacks: What Am I Doing Wrong?

2006-11-14 Thread Leo L. Schwab
On Mon, Nov 13, 2006 at 10:10:58AM +0100, Frank Staals wrote:
> I had the same 'problem'. As said it's not really a problem since FreeBSD 
> will hold just fine if you don't have any rather stupid user + pass 
> combinations.

While FreeBSD and OpenSSH are very good, I'm not prepared to rely
solely on that.  I'd also prefer that the script kiddies not consume my
gaming bandwidth by trying to crack my box, so best to just block them at
the firewall and make them go somewhere else.

Schwab


Re: Blocking SSH Brute-Force Attacks: What Am I Doing Wrong?

2006-11-14 Thread Leo L. Schwab
On Mon, Nov 13, 2006 at 09:16:35PM +0100, Erik Norgaard wrote:
> Honestly, I wouldn't worry about it: review your config and make some 
> simple choices to reduce the noise, see this article:
> 
>   http://www.securityfocus.com/infocus/1876
>
But I rather thought that was the point of 'bruteblock' -- it
reduces the noise by blackholing the offending IPs for an hour or so.  This
blackholing doesn't appear to be happening, and I don't understand why.

Could it be a permission problem -- syslog doesn't have permission
to change the firewall rules?

Schwab


Blocking SSH Brute-Force Attacks: What Am I Doing Wrong?

2006-11-12 Thread Leo L. Schwab
I recently installed FreeBSD 6.1 on my gateway.  It replaced an
installation of FreeBSD 4.6.8 (fresh install, not an upgrade) on which I had
disabled the SSH server.  Since all the bugs in SSH are fixed now ( :-) ), I
thought I'd leave the server on, and am somewhat dismayed to discover that I
now get occasional brute-force/dictionary attacks on the port.

A little Googling revealed a couple of potentially useful tools:
'sshit' and 'bruteblock', both of which notice repeated login attempts from
a given IP address and blackhole it in the firewall.  I first tried 'sshit',
but after a couple days, I noticed in my daily reports that I was still
getting lengthy bruteforce attempts, suggesting that 'sshit' was not working.

So I uninstalled 'sshit' and installed 'bruteblock'.  But again a
couple days later, the logs showed lengthy bruteforce attempts going
unblocked.

The relevant lines from my /etc/syslog.conf file are:

auth.info;authpriv.info /var/log/auth.log
auth.info;authpriv.info | exec /usr/local/sbin/bruteblock -f /usr/local/etc/bruteblock/ssh.conf

Any hints as to what I might be doing wrong?

Thanks,
Schwab