On Dec 18, 2008, at 2:22 AM, Frank Richter wrote:
> is it possible to block 300 IP's easily with Mono?
> I want to block the ongoing ssh-brute-force-attempts (300 IP's) to
> my network. But in Mono
> it's only possible to block networks or single hosts (I will not add
> 300 rules).
> Is there a way may be hidden to add something like:
> ipfw add deny from x.x.x.x, y.y.y.y, w.w.w.w, v.v.v.v to destination
> port 22
> Or set an alias and this alias points to 300 IP's
> Best regards
> Frank Richter
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
I hit the same problem all the time here in my home network.
Unfortunately, there's no good way to do this at the m0n0wall level
that I've found -- someone please correct me if they have found a good
way to deal with this e.g. 10 minute timer for a firewall rule. The
better way to deal with this IMHO is at the host.
Some options for you:
1. Change the default port
Configure SSH daemon to listen on a non-standard port. Just edit the
sshd_config file and modify the value for Port, and make sure to
update your firewall rules for the NAT. This alone helps out a lot as
it stops those that are just scanning for SSH servers on their default
ports, any advanced port scanner will still find it, but it does make
a difference - this alone dropped most of the attacks on my network by
2. Disable password authentication - use keyless logins
This will mean that you can only authenticate if you have the correct
private key. Make sure you keep an off box copy of these keys!!!
Especially if you're getting in remotely from a laptop. If you go
this route, do NOT use password-less keys, and have your ssh-agent set
up to not cache between logins. If you don't and someone steals your
laptop and logs in, they've basically got the keys to the kingdom at
that point. To disable password authentication on the server, change
the value of PasswordAuthentication to no in your sshd_config.
3. Limit connections
You can also limit the number of SYN (connection establishment)
packets. This should be unnoticed by legitimate users, but it will
delay an attacker that is making repeated connections. If you wanted
to limit the rate to 3 per minute and were using port 2000:
iptables -A INPUT -p tcp --dport 2000 --syn -m limit --limit 1/m --limit-burst 3 -j ACCEPT
iptables -A INPUT -p tcp --dport 2000 --syn -j DROP
(If you need other firewall commands, let me know. I'm just looking
on a local box here that's running iptables. :))
4. Deploy Anti-Brute-Force Tools
sshd_sentry - SSHD Sentry is a Perl script that monitors SSH server
logs, detects repeated failed login attempts and adds the hosts to a
black list. http://linuxmafia.com/pub/linux/security/sshd_sentry/sshd_sentry
- I use this one, but mainly because it's perl and I can add
anything that I think is missing. :)
SSHBan - SSHban is simple daemon designed to ban attackers. Instead of
scanning SSH logs, SSHBan directly receives data from the logger.
SSHDFilter - SSHDFilter blocks the frequent brute-force attacks by
directly reading the SSH daemon logs and generating firewall rules to
block the attack. The blocking firewall policy is defined by a list of
Brute-Force Detection - BFD is a shell script for parsing application
logs and checking for authentication failures and block the IP address
using custom firewall rules. http://www.rfxnetworks.com/bfd.php
SSHGuard - Protects networks from brute force attacks against ssh
servers. It detects such attacks and blocks the host's address with a
firewall rule. http://sshguard.sourceforge.net/
And there are plenty more out there to add to that list.
Hope that helps.
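As an added illustration of what the log-watching tools in item 4 do (and of the "block the offending hosts with a firewall rule" answer to Frank's question), here is a small detector that is not part of the thread or of any of the tools listed: it parses OpenSSH "Failed password" syslog lines, counts failures per source address inside a sliding time window, and renders one iptables DROP rule per offender. The log lines, the host name "gw", the chain name SSH_BAN and the threshold/window values are all constructed for this example; the addresses come from the RFC 5737 documentation ranges.

```python
"""Toy sshd brute-force detector: parse auth log, ban repeat offenders, emit rules."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# OpenSSH syslog format, e.g.
#   Dec 18 02:20:01 gw sshd[4242]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
# Syslog lines carry no year, so the caller supplies one.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed (?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

# Constructed sample log (not real traffic). 203.0.113.7 hammers the box,
# 198.51.100.5 is a legitimate user with one typo, 192.0.2.9 comes back 20
# minutes later so its first attempt has aged out of a 10-minute window.
SAMPLE_LOG = """\
Dec 18 02:20:01 gw sshd[4242]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Dec 18 02:20:03 gw sshd[4243]: Failed password for invalid user oracle from 203.0.113.7 port 51240 ssh2
Dec 18 02:20:04 gw sshd[4244]: Accepted publickey for frank from 198.51.100.5 port 40000 ssh2
Dec 18 02:20:05 gw sshd[4245]: Failed password for root from 203.0.113.7 port 51250 ssh2
Dec 18 02:20:06 gw sshd[4246]: Failed password for root from 203.0.113.7 port 51251 ssh2
Dec 18 02:20:07 gw sshd[4247]: Failed password for frank from 198.51.100.5 port 40001 ssh2
Dec 18 02:20:08 gw sshd[4248]: Failed password for root from 192.0.2.9 port 33000 ssh2
Dec 18 02:40:09 gw sshd[4249]: Failed password for root from 192.0.2.9 port 33001 ssh2
Dec 18 02:40:10 gw sshd[4250]: Failed password for root from 192.0.2.9 port 33002 ssh2
Dec 18 02:40:11 gw sshd[4251]: Failed password for root from 192.0.2.9 port 33003 ssh2
"""


def parse_failures(lines, year=2008):
    """Yield (timestamp, ip, user) for each failed-login line; skip everything else."""
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["user"]


def find_offenders(lines, threshold=4, window_seconds=600):
    """Return {ip: time_of_ban} for sources with >= threshold failures inside a sliding window.

    Per-source timestamps older than the window are dropped before counting, so a
    slow attacker who spreads attempts out is not banned by this (deliberately simple)
    policy; the real tools listed above mostly behave the same way.
    """
    recent = defaultdict(deque)
    banned = {}
    for ts, ip, _user in parse_failures(lines):
        if ip in banned:
            continue  # already on the blocklist, nothing more to count
        q = recent[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # expire attempts that fell out of the window
        if len(q) >= threshold:
            banned[ip] = ts
    return banned


def iptables_rules(offenders, port=22, chain="SSH_BAN"):
    """Render one DROP rule per banned host. Chain SSH_BAN is assumed to exist
    (iptables -N SSH_BAN; iptables -I INPUT -p tcp --dport 22 -j SSH_BAN)."""
    hosts = sorted(offenders, key=ipaddress.ip_address)
    return [f"iptables -A {chain} -s {ip} -p tcp --dport {port} -j DROP" for ip in hosts]


if __name__ == "__main__":
    for rule in iptables_rules(find_offenders(SAMPLE_LOG.splitlines())):
        print(rule)
```

Run against the sample, only 203.0.113.7 is banned: it hits four failures inside ten minutes at 02:20:06, while 192.0.2.9's 02:20:08 attempt has expired by the time it returns, so it sits at three and stays under the threshold (widen the window to 30 minutes and it gets banned too). For a few hundred addresses, one rule per host is exactly the pile Frank wanted to avoid; on a Linux host the same list would normally go into an ipset referenced by a single rule, which is outside what m0n0wall exposes but is the usual way to turn "300 IPs" into one alias.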