Frank Richter wrote:
> is it possible to block 300 IP's easily with Mono?
> I want to block the ongoing ssh-brute-force-attempts (300 IP's) to my
> network. But in Mono
> it's only possible to block networks or single hosts (I will not add
> 300 rules).
> Is there a way may be hidden to add something like:
> ipfw add deny from x.x.x.x, y.y.y.y, w.w.w.w, v.v.v.v to destination
> port 22
> Or set an alias and this alias points to 300 IP's
> YvesDM wrote:
>> I think it's a better idea to simply not allow password based logins to your
>> ssh server and only use certificates for ssh logins.
>> Or you can limit ssh logins from a single ip which will also solve your
>> The way you want to do it keeps you going all the time, coz next week the
>> attacks come from somewhere else.
> Ryan Mullins wrote:
>> I hit the same problem all the time here in my home network.
>> Unfortunately, there's no good way to do this at the m0n0wall level
>> that I've found -- someone please correct me if they have found a
>> good way to deal with this e.g. 10 minute timer for a firewall rule.
>> The better way to deal with this IMHO is at the host.
>> Some options for you:
>> 1. Change the default port
>> Configure SSH daemon to listen on a non-standard port. Just edit the
>> sshd_config file and modify the value for Port, and make sure to
>> update your firewall rules for the NAT. This alone helps out a lot as
>> it stops those that are just scanning for SSH servers on their
>> default ports, any advanced port scanner will still find it, but it
>> does make a difference - this alone dropped most of the attacks on my
>> network by about 70%.
>> 2. Disable password authentication - use keyless logins
>> This will mean that you can only authenticate if you have the correct
>> private key. Make sure you keep an off box copy of these keys!!!
>> Especially if you're getting in remotely from a laptop. If you go
>> this route, do NOT use password-less keys, and have your ssh-agent
>> set up to not cache between logins. If you don't and someone steals
>> your laptop and logs in, they've basically got the keys to the
>> kingdom at that point. To disable password authentication on the
>> server, change the value of PasswordAuthentication to no in your
>> 3. Limit connections
>> You can also limit the number of SYN (connection establishment)
>> packets. This should be unnoticed by legitimate users, but it will
>> delay an attacker that is making repeated connections. If you wanted
>> to limit the rate to 3 per minute and were using port 2000:
>> iptables -A INPUT -p tcp --dport 2000 --syn -m limit --limit 1/m
>> --limit-burst 3 -j ACCEPT
>> iptables -A INPUT -p tcp --dport 2000 --syn -j DROP
>> (If you need other firewall commands, let me know. I'm just looking
>> on a local box here that's running iptables. :))
>> 4. Deploy Anti-Brute-Force Tools
>> sshd_sentry - SSHD Sentry is a Perl script that monitors SSH server
>> logs, detects repeated failed login attempts and adds the hosts to a
>> black list.
>> http://linuxmafia.com/pub/linux/security/sshd_sentry/sshd_sentry - I
>> use this one, but mainly because it's perl and I can add anything
>> that I think is missing. :)
>> SSHBan - SSHban is a simple daemon designed to ban attackers. Instead
>> of scanning SSH logs, SSHBan directly receives data from the logger.
>> SSHDFilter - SSHDFilter blocks the frequent brute-force attacks by
>> directly reading the SSH daemon logs and generating firewall rules to
>> block the attack. The blocking firewall policy is defined by a list
>> of block-rules. http://www.csc.liv.ac.uk/~greg/sshdfilter/
>> Brute-Force Detection - BFD is a shell script for parsing application
>> logs and checking for authentication failures and block the IP
>> address using custom firewall rules. http://www.rfxnetworks.com/bfd.php
>> SSHGuard - Protects networks from brute force attacks against ssh
>> firewall rule. http://sshguard.sourceforge.net/
>> And there are plenty more out there to add to that list.
> Lee Sharp wrote:
>> No, but...
>> First, let me add to Ryan, you can use fail2ban. I love this program!
>> It cuts a lot of garbage out.
>> Now that said, you need to expand your concept of network. Start by
>> sorting your ip addresses. Now do a 'whois' of one. See how many that
>> netblock hits. Block that netblock. Also do the same for your IP
>> addresses that you connect from, and allow them. For example, I use
>> AT&T dsl at home. It is in the netblock 18.104.22.168/12, and if I allow
>> only that I can still always connect. This may help...
>> With that approach, you can knock your 300 down to probably 10 or
>> less. Or allow only the subnet you are likely to use, which would
>> probably be 5 or less.
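Ryan's item 4 (a log watcher that bans repeat offenders, ideally with the 10-minute rule timer he says m0n0wall lacks) and Lee's netblock aggregation fit together into one small detector. The following is an added example written for this thread; it is not code from any of the tools listed, from m0n0wall, or from anyone in the thread. The log lines are constructed, the threshold (3 failures in a minute) and ban length (10 minutes) are assumed values, the syslog year is assumed because BSD syslog lines carry none, and grouping into a fixed /24 stands in for the whois lookup Lee describes, which needs network access.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of BSD-style auth log lines (not from the thread).
SAMPLE_LOG = """\
Dec 20 10:00:01 gw sshd[4101]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Dec 20 10:00:03 gw sshd[4103]: Failed password for invalid user admin from 203.0.113.5 port 40130 ssh2
Dec 20 10:00:05 gw sshd[4105]: Failed password for root from 203.0.113.5 port 40140 ssh2
Dec 20 10:00:09 gw sshd[4107]: Failed password for root from 203.0.113.77 port 51000 ssh2
Dec 20 10:00:10 gw sshd[4108]: Accepted publickey for frank from 198.51.100.9 port 22000 ssh2
Dec 20 10:00:12 gw sshd[4109]: Failed password for root from 203.0.113.77 port 51001 ssh2
Dec 20 10:00:15 gw sshd[4110]: Failed password for root from 203.0.113.77 port 51002 ssh2
Dec 20 10:03:00 gw sshd[4120]: Failed password for root from 192.0.2.8 port 33000 ssh2
Dec 20 10:15:00 gw sshd[4130]: Failed password for root from 192.0.2.8 port 33001 ssh2
"""

LOG_YEAR = 2006  # assumed: syslog timestamps carry no year
MONTHS = {m: i for i, m in enumerate("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}

# OpenSSH's "Failed password" line; unknown accounts carry an "invalid user" marker.
FAILED_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failed(line):
    """Return (timestamp, source ip, user) for a failed-login line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    hh, mm, ss = (int(x) for x in m["time"].split(":"))
    return datetime(LOG_YEAR, MONTHS[m["mon"]], int(m["day"]), hh, mm, ss), m["ip"], m["user"]


class Detector:
    """Ban a source after `threshold` failures inside `window`; lift it after `ban_for`."""

    def __init__(self, threshold=3, window=timedelta(minutes=1), ban_for=timedelta(minutes=10)):
        self.threshold, self.window, self.ban_for = threshold, window, ban_for
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.bans = {}                      # ip -> time the ban expires

    def expire(self, now):
        """Drop bans whose timer has run out as of `now` (the timed rule)."""
        for ip, until in list(self.bans.items()):
            if until <= now:
                del self.bans[ip]

    def feed(self, line):
        """Consume one log line; return (ip, time) if this line triggers a ban."""
        parsed = parse_failed(line)
        if parsed is None:
            return None
        ts, ip, _user = parsed
        self.expire(ts)
        if ip in self.bans:  # already blocked, nothing further to count
            return None
        recent = self.failures[ip]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:  # slide the window forward
            recent.popleft()
        if len(recent) >= self.threshold:
            self.bans[ip] = ts + self.ban_for
            recent.clear()
            return ip, ts
        return None

    def banned(self):
        return sorted(self.bans, key=ipaddress.ip_address)


def process_log(text, detector=None):
    """Run every line through the detector; return ([(ip, ban time), ...], detector)."""
    detector = detector or Detector()
    events = [ev for ev in (detector.feed(line) for line in text.splitlines()) if ev]
    return events, detector


def collapse_to_netblocks(ips, prefixlen=24):
    """Group addresses by /prefixlen; assumption: a fixed /24 replaces the whois netblock."""
    nets = defaultdict(list)
    for ip in ips:
        nets[ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)].append(ip)
    return {str(net): sorted(members, key=ipaddress.ip_address) for net, members in nets.items()}


def ipfw_rules(netblocks, port=22, first_rule=1000, step=10):
    """Render one ipfw deny rule per netblock (rule numbers are arbitrary)."""
    ordered = sorted(netblocks, key=ipaddress.ip_network)
    return [f"ipfw add {first_rule + i * step} deny tcp from {net} to any dst-port {port}"
            for i, net in enumerate(ordered)]


if __name__ == "__main__":
    events, det = process_log(SAMPLE_LOG)
    for ip, when in events:
        print(f"{when:%H:%M:%S} banned {ip}")
    print("still banned at end of log:", det.banned())
    # the never-banned 192.0.2.8 is added only to show two distinct netblocks
    print("\n".join(ipfw_rules(collapse_to_netblocks([ip for ip, _ in events] + ["192.0.2.8"]))))
```

Running it shows 203.0.113.5 and 203.0.113.77 each banned after their third failure within a minute, 192.0.2.8 never banned because its two failures are twelve minutes apart, and both bans gone again by the last line because the 10-minute timer has expired. The sliding window is the same idea as the iptables `limit` match Ryan shows, applied to authentication failures instead of SYNs, so a slow attacker that spaces attempts out (as Frank describes, one attempt then silence for a day) slips under it; for that pattern the per-netblock rules at the end, or disabling password authentication altogether, do more than any counter.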
> Quark IT - Hilton Travis wrote:
Many thanks for all your suggestions. I've learned that blocking these
brute-force attempts on the firewall is not the right place.
I see in my logs that an attacker tries to connect to all my SSHD
(three) nearly simultaneously and then disappears for a long time (25h)
and the next attacker tries the same username and disappears again.
Changing the port from 22 to something different is not possible, nor is
the use of keys ;-(
But I will check some of the above-mentioned tools for detecting attacks.
I'll add another tool to the above-mentioned ones, which is in the FreeBSD
ports tree (I haven't tested yet whether it's possible to detect and
block the attackers with it):
Many thanks again
Merry Christmas and a Happy New Year!
> Best regards
> Frank Richter