Re: Repeated attacks via SSH

Board: FB_security, Time: 2005/10/03 08:04
At 06:08 PM 02/10/2005, Don Lewis wrote:
> > practical, everyone limit SSH logins to the minimum possible number
> > of users via the "AllowUsers" directive. We also have a log monitor
> > that watches the logs (/var/log/auth.log in particular) and
> > blackholes hosts that seem to be trying to break in via SSH.
>
>It's also a good idea to only allow public key authentication from
>remote hosts. This avoids the risks of password guessing and password
>capture by shoulder surfers or key loggers.

Couple of other things to add,

deny all access via hosts.allow and only let in those who are supposed to come in

launch sshd from inetd and then use the rate limiting feature of inetd (e.g. -C 10) to reject hosts with more than 10 connection attempts from a single IP per minute

Move to a different port than the default 22 to avoid scanners

use "port knocking" to dynamically allow a remote host to see port 22 (/usr/ports/security/doorman)

Also saw someone post on the openbsd list to use pf to rate limit
(http://groups.google.ca/group/lucky.openbsd.misc/tree/browse_frm/thread/86320212088ec09/42313fa39522f2b7?rnum=1&hl=en&q=openbsd+ssh+crackers+pf+table+ssh&_done=%2Fgroup%2Flucky.openbsd.misc%2Fbrowse_frm%2Fthread%2F86320212088ec09%2F605665a2b79f493b%3Flnk%3Dst%26q%3Dopenbsd+ssh+crackers+pf+table+ssh%26rnum%3D1%26hl%3Den%26#doc_605665a2b79f493b)

--------
table <crackers> persist file "/etc/tables/crackers"

block in quick from <crackers>
pass in on $ext_if inet proto tcp from any to ($ext_if) \
        port $tcp_services flags S/SA modulate state \
        (max-src-conn 5, max-src-conn-rate 4/60, overload <crackers> flush global)

crontab:
0 * * * * pfctl -t crackers -Tsh > /etc/tables/crackers
--------------

        ---Mike

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
Article code (AID): #13G7Lz00 (FB_security)
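
An added sketch of the kind of /var/log/auth.log monitor mentioned in the quoted text, not code from the thread or from any of its posters: it counts failed sshd password attempts per source address in a sliding window and renders the offenders one per line, the layout a pf "persist file" table reads. Assumptions: the log lines are constructed samples, the function names are hypothetical, and the 4-per-60-seconds threshold is borrowed from the pf rule above, which counts connections rather than failed passwords.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in the style sshd writes to /var/log/auth.log.
# The sshd[506] line carries a username crafted to look like another source.
SAMPLE_LOG = """\
Oct  2 18:00:01 gw sshd[501]: Failed password for root from 192.0.2.10 port 4001 ssh2
Oct  2 18:00:05 gw sshd[502]: Failed password for illegal user test from 192.0.2.10 port 4002 ssh2
Oct  2 18:00:09 gw sshd[503]: Failed password for illegal user admin from 192.0.2.10 port 4003 ssh2
Oct  2 18:00:12 gw sshd[504]: Accepted publickey for mike from 198.51.100.7 port 5000 ssh2
Oct  2 18:00:14 gw sshd[505]: Failed password for illegal user guest from 192.0.2.10 port 4004 ssh2
Oct  2 18:00:20 gw sshd[506]: Failed password for illegal user a from 198.51.100.7 port 22 ssh2 from 203.0.113.5 port 4100 ssh2
Oct  2 18:00:31 gw sshd[507]: Failed password for illegal user oracle from 192.0.2.10 port 4005 ssh2
Oct  2 18:05:00 gw sshd[508]: Failed password for mike from 198.51.100.7 port 5001 ssh2
"""

# Greedy ".*" plus the "$" anchor takes the LAST "from <addr> port <n>", the part
# sshd appends itself, so a hostile username cannot name someone else's address.
FAILED = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                    r"Failed password for .* from (\S+) port \d+(?: ssh\d?)?$")

def find_offenders(log_text, limit=4, window=60, year=2005):
    """Return addresses with more than `limit` failures inside `window` seconds."""
    recent = defaultdict(deque)          # address -> timestamps inside the window
    offenders = []
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        try:
            addr = str(ipaddress.ip_address(m.group(2)))
        except ValueError:
            continue                     # not an address: never feed it to the table
        # syslog timestamps carry no year, so one is assumed for parsing
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        q = recent[addr]
        q.append(when)
        while (when - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) > limit and addr not in offenders:
            offenders.append(addr)
    return offenders

def table_file(addresses):
    """Render one address per line, the layout of a pf `persist file` table."""
    return "".join(f"{a}\n" for a in addresses)
```

On the sample, only 192.0.2.10 crosses the threshold; the crafted username does not get 198.51.100.7 counted for a failure that 203.0.113.5 caused.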