Re: /etc/hosts.deniedssh

2010-01-19 Thread Daniel Bye
On Tue, Jan 19, 2010 at 02:22:03AM +0200, Ed Jobs wrote:
> On Tuesday 19 January 2010 00:39, David Southwell wrote:
> > Examples from hosts.deniedssh
> > I seem to be on the receiving end of a concerted series of unsuccessful
> > break-in attacks on one of our systems. One small part of the attack has
> > resulted in over 2000 entries in our hosts.deniedssh file in less than 1
> > hour.
> >
> > I would be interested in any comments on the small example shown below
> > and any advice.
> >
> > Thanks in advance
> >
> > David
> snip
>
> 2k entries are too much indeed.

Really?

wc -l /etc/hosts.deniedssh
12476 /etc/hosts.deniedssh

Unless you mean specifically that a couple thousand in an hour is a lot, 
which I'd agree with, but wouldn't necessarily worry about it.

> Are you running ssh on port 22?
> If yes, (and your users are ok with it) you can change it to another port.

No, don't do that. Instead, consider using public key authentication and
disabling password authentication. There are also various settings you can
tweak to control the number of unsuccessful login attempts you are prepared
to tolerate from an address in a predefined interval. sshd_config(5) will
show you the way. Additionally, put all your permitted ssh users in a 
new group, and set the sshd config option AllowGroups.

Better yet, as others have suggested, filter with a firewall - if you
use pf, you can leverage your /etc/hosts.deniedssh file by using it to
populate a pf table. You will need to configure DenyHosts to not resolve
IP addresses, and then you can put these in /etc/pf.conf:

table <denyhosts> persist file "/etc/hosts.deniedssh"

block in log quick on $ext_if from <denyhosts> to any

(Be sure to put these in suitable places. I don't have examples of using
ipf or ipfw, but I'm sure they can handle it just as well.)

DenyHosts provides a plugin system that allows you to run an arbitrary
command upon addition or purging of an address. I use it to reload my
pf denyhosts table so I can be reasonably sure that the firewall's 
opinion of whom to block is congruent with what DenyHosts thinks. A simple
`pfctl -t denyhosts -T reload -f /etc/hosts.deniedssh' should be sufficient
in either case, but you can get as fancy as you like.

> Or maybe, temporarily disable ssh login and use cron to enable it again
> in some time in the future.

I would recommend against this, on the grounds that there may be a real
administrative need to connect to the server during this dark period. With
no ssh service until cron does its thing, you have no way of getting in,
which makes me far more nervous than people knocking at my ssh port...

Dan
 
-- 
Daniel Bye
 _
  ASCII ribbon campaign ( )
 - against HTML, vCards and  X
- proprietary attachments in e-mail / \
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


/etc/hosts.deniedssh

2010-01-18 Thread David Southwell
Examples from hosts.deniedssh
I seem to be on the receiving end of a concerted series of unsuccessful
break-in attacks on one of our systems. One small part of the attack has
resulted in over 2000 entries in our hosts.deniedssh file in less than 1 hour.

I would be interested in any comments on the small example shown below and any 
advice.

Thanks in advance

David
r200-40-132-245.static.adinet.com.uy
mail.munisanmiguel.gob.pe
port-83-236-241-198.static.qsc.de
pd95b50ce.dip0.t-ipconnect.de
v32641.1blu.de
dubovik.net
r200-40-132-245.static.adinet.com.uy
mail.munisanmiguel.gob.pe
port-83-236-241-198.static.qsc.de
pd95b50ce.dip0.t-ipconnect.de
v32641.1blu.de
dubovik.net
r200-40-132-245.static.adinet.com.uy
mail.munisanmiguel.gob.pe
port-83-236-241-198.static.qsc.de
pd95b50ce.dip0.t-ipconnect.de
v32641.1blu.de
dubovik.net
r200-40-132-245.static.adinet.com.uy
mail.munisanmiguel.gob.pe
port-83-236-241-198.static.qsc.de
pd95b50ce.dip0.t-ipconnect.de
v32641.1blu.de
dubovik.net
r200-40-132-245.static.adinet.com.uy
mail.munisanmiguel.gob.pe
port-83-236-241-198.static.qsc.de
pd95b50ce.dip0.t-ipconnect.de
v32641.1blu.de
dubovik.net
r200-40-132-245.static.adinet.com.uy
mail.munisanmiguel.gob.pe
port-83-236-241-198.static.qsc.de
pd95b50ce.dip0.t-ipconnect.de
v32641.1blu.de
dubovik.net
r200-40-132-245.static.adinet.com.uy
mail.munisanmiguel.gob.pe
port-83-236-241-198.static.qsc.de
pd95b50ce.dip0.t-ipconnect.de
v32641.1blu.de
dubovik.net
r200-40-132-245.static.adinet.com.uy


Re: /etc/hosts.deniedssh

2010-01-18 Thread Adam Vande More
On Mon, Jan 18, 2010 at 4:39 PM, David Southwell da...@vizion2000.net wrote:

> Examples from hosts.deniedssh
> I seem to be on the receiving end of a concerted series of unsuccessful
> break-in attacks on one of our systems. One small part of the attack has
> resulted in over 2000 entries in our hosts.deniedssh file in less than 1 hour.
>
> I would be interested in any comments on the small example shown below and
> any advice.
>
> Thanks in advance
>
> David
> r200-40-132-245.static.adinet.com.uy
> mail.munisanmiguel.gob.pe
> port-83-236-241-198.static.qsc.de
> pd95b50ce.dip0.t-ipconnect.de
> v32641.1blu.de
> dubovik.net
> r200-40-132-245.static.adinet.com.uy
> mail.munisanmiguel.gob.pe
> port-83-236-241-198.static.qsc.de
> pd95b50ce.dip0.t-ipconnect.de
> v32641.1blu.de
> dubovik.net
> r200-40-132-245.static.adinet.com.uy
> mail.munisanmiguel.gob.pe
> port-83-236-241-198.static.qsc.de
> pd95b50ce.dip0.t-ipconnect.de
> v32641.1blu.de
> dubovik.net
> r200-40-132-245.static.adinet.com.uy
> mail.munisanmiguel.gob.pe
> port-83-236-241-198.static.qsc.de
> pd95b50ce.dip0.t-ipconnect.de
> v32641.1blu.de
> dubovik.net
> r200-40-132-245.static.adinet.com.uy
> mail.munisanmiguel.gob.pe
> port-83-236-241-198.static.qsc.de
> pd95b50ce.dip0.t-ipconnect.de
> v32641.1blu.de
> dubovik.net
> r200-40-132-245.static.adinet.com.uy
> mail.munisanmiguel.gob.pe
> port-83-236-241-198.static.qsc.de
> pd95b50ce.dip0.t-ipconnect.de
> v32641.1blu.de
> dubovik.net
> r200-40-132-245.static.adinet.com.uy
> mail.munisanmiguel.gob.pe
> port-83-236-241-198.static.qsc.de
> pd95b50ce.dip0.t-ipconnect.de
> v32641.1blu.de
> dubovik.net
> r200-40-132-245.static.adinet.com.uy


Looks like your conf could use some love. Why are you resolving IPs?
Thresholds can be lowered. Are you syncing with the remote list?

-- 
Adam Vande More


Re: /etc/hosts.deniedssh

2010-01-18 Thread Ed Jobs
On Tuesday 19 January 2010 00:39, David Southwell wrote:
> Examples from hosts.deniedssh
> I seem to be on the receiving end of a concerted series of unsuccessful
> break-in attacks on one of our systems. One small part of the attack has
> resulted in over 2000 entries in our hosts.deniedssh file in less than 1
> hour.
>
> I would be interested in any comments on the small example shown below
> and any advice.
>
> Thanks in advance
>
> David
snip

2k entries are too much indeed. Are you running ssh on port 22?
If yes, (and your users are ok with it) you can change it to another port.
Or maybe, temporarily disable ssh login and use cron to enable it again
in some time in the future.

-- 
Save the whales.  Club a seal instead.




Re: /etc/hosts.deniedssh

2010-01-18 Thread Erik Norgaard

David Southwell wrote:

> Examples from hosts.deniedssh
> I seem to be on the receiving end of a concerted series of unsuccessful
> break-in attacks on one of our systems. One small part of the attack has
> resulted in over 2000 entries in our hosts.deniedssh file in less than 1 hour.
>
> I would be interested in any comments on the small example shown below and
> any advice.


1. See the thread from last week on denying spam hosts ssh access.
2. Don't resolve IPs.
3. Do a sort; you'll see that many come from the same network, possibly
the same node with a new IP. Block entire ranges; blocking individual
IPs is futile.
4. Consider blocking in your firewall.
5. Don't worry, unsuccessful attacks are - well, unsuccessful.

BR, Erik

--
Erik Nørgaard
Ph: +34.666334818/+34.915211157  http://www.locolomo.org
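Two suggestions in this thread fit together: Daniel's pf table fed from hosts.deniedssh (with DenyHosts told not to resolve addresses) and Erik's "do a sort, you'll see many come from the same network". The script below is an added example written for this thread; it is not code from any of the posters and not part of DenyHosts. It reads a hosts.deniedssh file, sets aside any entries that are resolved hostnames rather than address literals (the reason resolving has to be off before the file can feed a firewall table), counts hits per /24 so that ranges that keep reappearing stand out, and emits table lines that `pfctl -t denyhosts -T reload -f` can load. The sample input, the `sshd:` prefix handling, the /24 grouping and the threshold of 2 hits are assumptions of this example, not something the thread specifies.

```python
"""Summarise a DenyHosts hosts.deniedssh file by network and emit a pf table.

Added example for this thread; not DenyHosts code and not from the posts.
Assumed file format: one entry per line, either an IP literal or a
resolved hostname (as in the original post); an optional 'sshd: ' prefix
in hosts.deny style is stripped.
"""
import ipaddress
import sys
from collections import Counter

# Constructed sample input (documentation address ranges); the two
# hostnames are of the kind the original post shows after resolution.
SAMPLE = """\
sshd: 198.51.100.17
sshd: 198.51.100.23
198.51.100.99
198.51.100.23
203.0.113.5
# an admin's comment line is ignored
pd95b50ce.dip0.t-ipconnect.de
v32641.1blu.de
"""


def parse_entries(text):
    """Split the file into (ip_objects, hostnames).

    Repeated addresses are kept on purpose: one line per recorded attempt
    is what lets the per-network counts below reflect how busy a range is.
    """
    ips, names = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("sshd:"):
            line = line[5:].strip()
        try:
            ips.append(ipaddress.ip_address(line))
        except ValueError:
            # A resolved name, not an address. The reverse-DNS name is set
            # by whoever controls that address space and may resolve to a
            # different address at reload time, so it never goes into the
            # firewall table; it is reported so the admin can turn off
            # resolution in the DenyHosts config.
            names.append(line)
    return ips, names


def network_of(ip, prefix=24):
    """Enclosing /prefix network of an address (/64 assumed for IPv6)."""
    bits = prefix if ip.version == 4 else 64
    return ipaddress.ip_network(f"{ip}/{bits}", strict=False)


def aggregate(ips, prefix=24):
    """Count entries per network: the 'sort' step from the thread."""
    return Counter(network_of(ip, prefix) for ip in ips)


def candidate_ranges(counts, threshold=2):
    """Networks with at least `threshold` hits, busiest first."""
    hits = [(net, n) for net, n in counts.items() if n >= threshold]
    return sorted(hits, key=lambda item: (-item[1], str(item[0])))


def pf_table_lines(ips, threshold=2, prefix=24):
    """Lines for a pf table file: the whole network where a range crossed
    the threshold, single addresses elsewhere. Deduplicated and sorted so
    repeated reloads are idempotent and diffs of the file stay readable."""
    counts = aggregate(ips, prefix)
    noisy = {net for net, n in counts.items() if n >= threshold}
    lines = set()
    for ip in ips:
        net = network_of(ip, prefix)
        lines.add(str(net) if net in noisy else str(ip))
    return sorted(lines)


if __name__ == "__main__":
    # Usage: python3 denyhosts_ranges.py [/etc/hosts.deniedssh]
    # Without an argument the constructed sample above is analysed.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    ips, names = parse_entries(text)
    for net, n in candidate_ranges(aggregate(ips)):
        print(f"{n:5d}  {net}")
    if names:
        print(f"# {len(names)} resolved hostname(s) skipped; configure "
              "DenyHosts not to resolve addresses", file=sys.stderr)
    print("\n".join(pf_table_lines(ips)))
```

On the sample, the /24 containing four hits is emitted as `198.51.100.0/24` and the lone `203.0.113.5` stays a single address. The threshold and the /24 width are knobs: a whole network in the table also blocks every legitimate host in it, so look at the busiest ranges the first loop prints before letting the generated file replace what DenyHosts wrote.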