There are many excellent suggestions on how to deal with invalid/unauthorised access attempts via ssh. I'd used sshguard for around 8 months but recently changed to bruteblock; both are in ports/security. sshguard was very easy to configure, via rc.conf arguments. Bruteblock handles the same problem more elegantly: it uses two processes, one for monitoring audit.log via a pipe and one for maintaining the ipfw table entries; it uses the ipfw table value with the date/time entered, and the C code is cleaner (some optimisations are possible, but this is V0.5).
If you'd like to try it, here are the steps I used to get it going:

1. Install the package.

2. Configure /usr/local/etc/bruteblock-ssh.conf (using the regexps from the sample, but modify the parameters to suit your environment):

    regexp = sshd.*Illegal user \S+ from (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
    regexp1 = sshd.*Failed password for (?:illegal user )?\S+ from (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
    # three failures in 3 minutes is blocked for a day, using ipfw2 table 10
    max_count = 3
    within_time = 180
    reset_ip = 86400
    ipfw2_table_no = 10

3. Insert into /etc/syslog.conf:

    auth.info;authpriv.info    |exec /usr/local/sbin/bruteblock -f /usr/local/etc/bruteblock-ssh.conf

4. Add to the firewall rules (and /etc/rc.firewall):

    ipfw add 4 deny ip from table\(10\) to any
    ipfw add 4 deny ip from any to table\(10\)

5. Add to /etc/rc.conf:

    bruteblockd_enable="YES"
    bruteblockd_table="10"
    bruteblockd_flags="-s 7200"   # How frequently to review the ipfw table for entry removal

6. Now restart syslog and start bruteblockd:

    /etc/rc.d/syslogd restart
    /usr/local/etc/rc.d/bruteblockd.sh start

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
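To see what the two regexps and the max_count/within_time/reset_ip settings from the post actually do before wiring them into syslog, here is an added example (not bruteblock's code, and not part of the original post) that runs the same patterns over a few constructed sshd log lines and models the threshold semantics the comment describes: three matching failures inside 180 seconds mark the address for the ipfw table until the 86400-second reset elapses. The sliding-window behaviour is my approximation of the config's stated semantics, and the timestamps and addresses are constructed.

```python
import re
from collections import defaultdict, deque

# The two patterns exactly as quoted from the bruteblock-ssh.conf sample in the post.
# (Check the wording your own sshd emits: newer OpenSSH logs "Invalid user", not "Illegal user".)
PATTERNS = [
    re.compile(r"sshd.*Illegal user \S+ from (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"),
    re.compile(r"sshd.*Failed password for (?:illegal user )?\S+ from (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"),
]
MAX_COUNT = 3      # max_count   from the config
WITHIN_TIME = 180  # within_time (seconds)
RESET_IP = 86400   # reset_ip    (seconds)


def extract_ip(line):
    """Return the captured source address if either pattern matches, else None."""
    for pat in PATTERNS:
        m = pat.search(line)
        if m:
            return m.group(1)
    return None


def simulate(events):
    """events: iterable of (unix_time, log_line), any order.
    Returns {ip: expiry_time} for addresses that would be put in the ipfw table.
    Approximation of the config semantics: MAX_COUNT matches within WITHIN_TIME
    seconds triggers a block that lasts RESET_IP seconds."""
    recent = defaultdict(deque)   # ip -> timestamps of recent matches
    blocked = {}
    for ts, line in sorted(events):
        ip = extract_ip(line)
        if ip is None or (ip in blocked and ts < blocked[ip]):
            continue              # no match, or already in the table
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > WITHIN_TIME:
            q.popleft()           # forget attempts outside the window
        if len(q) >= MAX_COUNT:
            blocked[ip] = ts + RESET_IP
            q.clear()
    return blocked


# Constructed sample log lines (RFC 5737 documentation addresses); timestamps are seconds.
EVENTS = [
    (1000, "Jan 10 12:00:00 gw sshd[2101]: Failed password for illegal user admin from 203.0.113.5 port 40122 ssh2"),
    (1010, "Jan 10 12:00:10 gw sshd[2103]: Failed password for root from 198.51.100.7 port 51000 ssh2"),
    (1020, "Jan 10 12:00:20 gw sshd[2105]: Illegal user oracle from 203.0.113.5"),
    (1050, "Jan 10 12:00:50 gw sshd[2107]: Failed password for root from 203.0.113.5 port 40130 ssh2"),
    (1110, "Jan 10 12:01:50 gw sshd[2109]: Failed password for root from 198.51.100.7 port 51002 ssh2"),
    (1200, "Jan 10 12:03:20 gw sshd[2111]: Accepted publickey for alice from 192.0.2.9 port 60000 ssh2"),
    (1400, "Jan 10 12:06:40 gw sshd[2113]: Failed password for root from 198.51.100.7 port 51004 ssh2"),
]

if __name__ == "__main__":
    # 203.0.113.5 fails three times in 50 s and is blocked; 198.51.100.7 spreads its
    # three failures over 390 s and never has three inside the 180 s window.
    print(simulate(EVENTS))
```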