stan wrote:
I've got a machine that seems to be getting attacked by what appears to be a
simplistic "brute force" attack. It's getting hit multiple times a second
with bogus root login attempts; my guess is that they are trying dictionary
attacks on the password for root.
Any suggestions as to how to deal with this? Change the port ssh is
listening on maybe?
You have a good password, right!
So, there is nothing to be concerned about!
But if you still do, then turn on PF and you can modify it and add to it
this part to be something like this. That's what I use at home for noise
reduction! (:>
But please, don't just cut and paste it; try to understand what it does,
and then you can watch your /var/log/bad_ssh grow after you put
=========================
# Dump the bad guys' ssh table to its persistent file so it is reloaded with pf
* 1 * * * /sbin/pfctl -T show -t bad_ssh > /var/log/bad_ssh
in your crontab
========================
# define macros for each network interface
ext_if="fxp0"
tcp_services = "{ 22 }"
udp_services = "{ 53 }"
icmp_types = "echoreq"
# Define some variables for clarity: state options for the ssh rule below
# (more than 3 new connections in 30 seconds from one source overloads it
# into <bad_ssh> and flushes all of that source's states)
SSH_LIMIT="(max-src-conn-rate 3/30, overload <bad_ssh> flush global)"
# Table directive
table <bad_ssh> persist file "/var/log/bad_ssh"
table <goodguys> const file "/etc/pf-goodguys.conf"
table <badguys> const file "/etc/pf-badguys.conf"
table <rfc1918> const file "/etc/pf-RFC1918.conf"
table <iana> const file "/etc/pf-IANA.conf"
# options
set block-policy return
set fingerprints "/etc/pf.os"
set loginterface $ext_if
set timeout interval 10
set timeout frag 30
set limit { frags 5000, states 2500 }
set optimization normal
set state-policy if-bound
# scrub incoming packets
scrub all
# set up a default deny policy
block all
# pass traffic on the loopback interface in either direction
pass quick on lo0 all
# Allow quick access to good guys.
pass in quick on $ext_if inet proto { tcp } from { <goodguys> } \
to $ext_if port $tcp_services flags S/SA keep state
# Don't allow Linux hosts to connect to the sshd.
# (pf only accepts os fingerprints on tcp rules, so udp is not listed here)
block drop in log quick on $ext_if proto tcp \
from any os Linux to any port ssh
# Drop all tcp packets from unassigned IANA ip blocks, from the reserved
# rfc1918 ranges and also from any predefined bad guys source.
block drop in log quick on $ext_if proto { tcp } \
from { <iana>, <rfc1918>, <badguys> } to any
# Allow valid traffic to ssh but log all tries as well.
# Sources already in <bad_ssh> get a RST right away; everybody else reaches
# sshd subject to $SSH_LIMIT.
block return-rst log quick proto tcp from <bad_ssh> label "ssh-pirate"
pass in log quick on $ext_if inet proto tcp from !<bad_ssh> \
to $ext_if port ssh flags S/SA keep state \
$SSH_LIMIT label "ssh"
# Allow any traffic to the predetermined services in macro tcp_services
pass in on $ext_if inet proto tcp from any to $ext_if \
port $tcp_services flags S/SA keep state
# Allow any traffic to the predetermined services in macro udp_services
pass in on $ext_if inet proto udp from any to $ext_if \
port $udp_services keep state
# allow all icmp packets defined in icmp_types macro
pass in inet proto icmp all icmp-type $icmp_types keep state
# pass tcp, udp, and icmp out on the external (Internet) interface.
# keep state on udp and icmp and modulate state on tcp.
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
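To see what `max-src-conn-rate 3/30, overload <bad_ssh> flush global` actually does before putting it in front of a box you care about, here is an added example that is not part of the post above (PF does this in the kernel; this is a small Python model of the same counting rule). It replays constructed connection attempts, one brute-forcer and one legitimate admin, through the per-source counter and reports which source would land in <bad_ssh> and which of its existing states `flush global` would tear down. All names, addresses and timestamps below are invented for illustration.

```python
"""Model of PF's 'max-src-conn-rate N/S, overload <table> flush global'.

Added example, not code from the original post.  Constructed connection
attempts are replayed through the same per-source counter the pf.conf
above applies to sshd (3 new connections per 30 seconds); a source that
exceeds it lands in <bad_ssh> and, because of 'flush global', loses every
state it holds, not just the ssh ones.  Names below are invented.
"""
from dataclasses import dataclass, field


@dataclass
class SourceTrack:
    """Per-source counter, like pf's source-tracking node."""
    window_start: float
    count: int = 0


@dataclass
class OverloadResult:
    table: set = field(default_factory=set)            # would be in <bad_ssh>
    killed_states: list = field(default_factory=list)  # states 'flush' removed
    passed: list = field(default_factory=list)         # attempts that got a state


def replay(attempts, limit=3, seconds=30, ssh_port=22, flush_global=True):
    """Replay (timestamp, src, dst_port) new-connection events in time order.

    Only connections to ssh_port are subject to the rate limit, matching the
    'pass in ... port ssh ... max-src-conn-rate' rule; other ports just create
    states so that 'flush global' has something to tear down.  The window is
    reset once `seconds` have elapsed since it was opened, and the connection
    that pushes the count above `limit` is itself refused.
    """
    track = {}
    states = []            # (src, dst_port) of every live state
    res = OverloadResult()
    for ts, src, port in sorted(attempts):
        if src in res.table:
            # 'block return-rst ... from <bad_ssh>' matches first now
            continue
        if port != ssh_port:
            states.append((src, port))
            res.passed.append((ts, src, port))
            continue
        t = track.get(src)
        if t is None:
            t = track[src] = SourceTrack(window_start=ts)
        elif ts - t.window_start >= seconds:
            t.window_start, t.count = ts, 0
        t.count += 1
        if t.count > limit:
            res.table.add(src)
            if flush_global:
                res.killed_states.extend(s for s in states if s[0] == src)
                states = [s for s in states if s[0] != src]
            continue
        states.append((src, port))
        res.passed.append((ts, src, port))
    return res


# Constructed sample traffic: one brute-forcer, one legitimate admin.
ATTEMPTS = [
    (-5.0, "198.51.100.7", 53),   # attacker already holds a DNS state
    (0.0, "198.51.100.7", 22),
    (1.0, "198.51.100.7", 22),
    (2.0, "198.51.100.7", 22),
    (3.0, "198.51.100.7", 22),    # 4th new connection in 30 s: overload
    (4.0, "198.51.100.7", 22),    # now answered with a RST from the table rule
    (0.0, "203.0.113.5", 22),
    (10.0, "203.0.113.5", 22),
    (40.0, "203.0.113.5", 22),    # new 30 s window, counter starts over
    (45.0, "203.0.113.5", 22),
]

if __name__ == "__main__":
    r = replay(ATTEMPTS)
    print("in <bad_ssh>:", sorted(r.table))
    print("states flushed:", r.killed_states)
    print("attempts that got a state:", len(r.passed))
```

Two things the replay makes visible: the fourth SYN inside the window is refused together with everything the source already had open (the DNS state goes too, that is the "global" part), and an admin who trips the limit once is only let back in when the entry is removed, since overload adds addresses but never ages them out. On the real box that is `pfctl -t bad_ssh -T show` to look and `pfctl -t bad_ssh -T delete <addr>` to free a locked-out source, which is also why the cron dump of the table above is worth keeping.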