 From:  Ryan Mullins <rmullins at ciscomonkey dot net>
 To:  Frank Richter <richter at mpia dash hd dot mpg dot de>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Block 300 IP's
 Date:  Thu, 18 Dec 2008 06:31:32 -0600
On Dec 18, 2008, at 2:22 AM, Frank Richter wrote:

> Hi,
> is it possible to block 300 IP's easily with Mono?
> Background:
> I want to block the ongoing ssh-brute-force-attempts (300 IP's) to  
> my network. But in Mono
> it's only possible to block networks or single hosts (I will not add  
> 300 rules).
> Is there a way, maybe hidden, to add something like:
> ipfw add deny from x.x.x.x, y.y.y.y, w.w.w.w, v.v.v.v to destination  
> port 22
> Or set an alias and this alias points to 300 IP's
> Best regards
>   Frank Richter

I hit the same problem all the time here in my home network.   
Unfortunately, there's no good way to do this at the m0n0wall level  
that I've found -- someone please correct me if they have found a good  
way to deal with this e.g. 10 minute timer for a firewall rule.  The  
better way to deal with this IMHO is at the host.

Some options for you:
1. Change the default port

Configure SSH daemon to listen on a non-standard port.  Just edit the  
sshd_config file and modify the value for Port, and make sure to  
update your firewall rules for the NAT.  This alone helps out a lot as  
it stops those that are just scanning for SSH servers on their default  
ports; any advanced port scanner will still find it, but it does make  
a difference - this alone dropped most of the attacks on my network by  
about 70%.

2. Disable password authentication - use keyless logins

This will mean that you can only authenticate if you have the correct  
private key.  Make sure you keep an off box copy of these keys!!!  
Especially if you're getting in remotely from a laptop.  If you go  
this route, do NOT use password-less keys, and have your ssh-agent set  
up to not cache between logins.  If you don't and someone steals your  
laptop and logs in, they've basically got the keys to the kingdom at  
that point.  To disable password authentication on the server, change  
the value of PasswordAuthentication to no in your sshd_config.

3. Limit connections

You can also limit the number of SYN (connection establishment)  
packets.  This should be unnoticed by legitimate users, but it will  
delay an attacker that is making repeated connections.  If you wanted  
to limit the rate to 3 per minute and were using port 2000:

# accept new connections (SYN) to port 2000 at 1/minute, allowing a burst of 3
iptables -A INPUT -p tcp --dport 2000 --syn -m limit --limit 1/m --limit-burst 3 -j ACCEPT
# drop any further SYNs to port 2000 once the limit is exceeded
iptables -A INPUT -p tcp --dport 2000 --syn -j DROP

(If you need other firewall commands, let me know.  I'm just looking  
on a local box here that's running iptables. :))

4. Deploy Anti-Brute-Force Tools

sshd_sentry - SSHD Sentry is a Perl script that monitors SSH server  
logs, detects repeated failed login attempts and adds the hosts to a  
black list. http://linuxmafia.com/pub/linux/security/sshd_sentry/sshd_sentry 
  - I use this one, but mainly because it's perl and I can add  
anything that I think is missing. :)

SSHBan - SSHban is a simple daemon designed to ban attackers. Instead of  
scanning SSH logs, SSHBan directly receives data from the logger. 

SSHDFilter - SSHDFilter blocks the frequent brute-force attacks by  
directly reading the SSH daemon logs and generating firewall rules to  
block the attack. The blocking firewall policy is defined by a list of  
block-rules.  http://www.csc.liv.ac.uk/~greg/sshdfilter/

Brute-Force Detection - BFD is a shell script for parsing application  
logs, checking for authentication failures and blocking the IP address  
using custom firewall rules. http://www.rfxnetworks.com/bfd.php

SSHGuard - Protects networks from brute force attacks against ssh  
servers. It detects such attacks and blocks the host's address with a  
firewall rule. http://sshguard.sourceforge.net/

And there are plenty more out there to add to that list.

Hope that helps.
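The log-watching tools in option 4 all do essentially the same thing: read sshd's auth log, count failed logins per source address inside a time window, and turn the offenders into firewall rules. The script below is an added example of that core logic, written for this page; it is not code from sshd_sentry, SSHGuard, BFD or any other project named above. The log lines are constructed, the syslog year (2008) is assumed because syslog timestamps carry none, and the threshold/window values are arbitrary defaults.

```python
"""Minimal SSH brute-force detector (added example, not any listed tool's code).

Parses OpenSSH auth-log lines, counts failed logins per source IP in a
sliding window, and emits iptables DROP rules for the offenders.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Covers "Failed password for root from ..." and
# "Failed password for invalid user admin from ..." as OpenSSH writes them.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed (?:password|publickey|none) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)
ASSUMED_YEAR = 2008  # syslog timestamps have no year; assumed for parsing

# Constructed sample log: 10.0.0.5 fails 5 times in 11 seconds,
# 192.0.2.77 fails 5 times spread 20 minutes apart, plus one success.
SAMPLE_LOG = [
    "Dec 18 02:00:01 gw sshd[1201]: Failed password for root from 10.0.0.5 port 40001 ssh2",
    "Dec 18 02:00:03 gw sshd[1203]: Failed password for invalid user admin from 10.0.0.5 port 40002 ssh2",
    "Dec 18 02:00:05 gw sshd[1205]: Failed password for root from 192.0.2.77 port 51000 ssh2",
    "Dec 18 02:00:06 gw sshd[1207]: Failed password for invalid user test from 10.0.0.5 port 40003 ssh2",
    "Dec 18 02:00:09 gw sshd[1209]: Accepted publickey for frank from 192.0.2.10 port 2222 ssh2",
    "Dec 18 02:00:10 gw sshd[1211]: Failed password for root from 10.0.0.5 port 40004 ssh2",
    "Dec 18 02:00:12 gw sshd[1213]: Failed password for invalid user oracle from 10.0.0.5 port 40005 ssh2",
    "Dec 18 02:20:00 gw sshd[1301]: Failed password for root from 192.0.2.77 port 51001 ssh2",
    "Dec 18 02:40:00 gw sshd[1401]: Failed password for root from 192.0.2.77 port 51002 ssh2",
    "Dec 18 03:00:00 gw sshd[1501]: Failed password for root from 192.0.2.77 port 51003 ssh2",
    "Dec 18 03:20:00 gw sshd[1601]: Failed password for root from 192.0.2.77 port 51004 ssh2",
]


def parse_ts(ts):
    """Turn a syslog timestamp into a datetime, supplying the assumed year."""
    return datetime.strptime(f"{ts} {ASSUMED_YEAR}", "%b %d %H:%M:%S %Y")


def find_offenders(lines, threshold=5, window_seconds=600):
    """Return sorted IPs that produced >= threshold failures within any
    window_seconds span. Lines must be in chronological order."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still in window
    offenders = set()
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue  # successes and unrelated lines are ignored
        ip, t = m.group("ip"), parse_ts(m.group("ts"))
        q = recent[ip]
        q.append(t)
        # drop failures that have aged out of the sliding window
        while (t - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            offenders.add(ip)
    return sorted(offenders)


def iptables_rules(ips, port=22, chain="INPUT"):
    """One DROP rule per offender, inserted at the top of the chain so it
    takes effect before any ACCEPT rule for the SSH port."""
    return [f"iptables -I {chain} -p tcp --dport {port} -s {ip} -j DROP" for ip in ips]


if __name__ == "__main__":
    bad = find_offenders(SAMPLE_LOG)
    for rule in iptables_rules(bad):
        print(rule)
```

Run against a real log, this would be fed `tail -F /var/log/auth.log` and the rules piped to the shell; a production tool also needs to expire blocks (the "10 minute timer" mentioned above) and to whitelist your own management addresses so a mistyped password cannot lock you out.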