opus
February 8th, 2005, 11:30
I have one machine that I allow outside SSH to. I notice gobs of attempts on it. What would be the simplest way to block these bad requests? Is there an IP blacklist somewheres? Or should I do something with my hosts file?
I could get a firewall running just for that machine if that would be best.
Just looking for ideas.
bsdjunkie
February 8th, 2005, 12:08
I wouldnt worry to much about these attempts. There are currently tons of these scans going on all over the world from compromised machines, and all they they are doing is trying to bruteforce simple user accounts and passswords. Thigs like test:test root:password or whatever. If you do feel like blocking, you could setup some rules with pf to dynamically block the IP addresses on the fly.
opus
February 8th, 2005, 12:13
Probably the easiest thing to do, is nothing. Its not like they will get the root password without a lot of work.
Strog
February 8th, 2005, 12:26
Make sure you have PermitRootLogin no in your /etc/ssh/sshd_config. They could hammer all day with the right password and still not get in that way. You can also replace the password field in vipw with * so root can't login at all. Just make sure your normal user can su correctly first. :wink: You could also use ssh keys and disable passwords altogether. No one could get in without your private key file. I keep mine on my usb key drive. :biggrin:
If you want to do something more then here's something I use for annoying people. I create a table in pf.conf that goes to a file and put IPs of these idiots in there. You could use snort w/ regex, grep authlog or add them by hand.
table <idiots> persist file "/etc/idiots"
block quick from <idiots> to any
You could use any or all of these methods you like.
opus
February 8th, 2005, 12:32
Awwww heck, I dont even know the root password anymore. One problem with making difficult passwords.
Interesting enough though......
elmore
February 8th, 2005, 12:46
here's a thread on undeadly which lists several things you can do:
http://undeadly.org/cgi?action=article&sid=20041231195454