[nycbug-talk] SSH attacks
max at neuropunks.org
Wed Sep 10 13:28:29 EDT 2008
> Hey, is anyone else seeing an upsurge in distributed SSH attacks over
> the past week or two?
> This annoyed me enough to get me reading The Book of PF. I've been
> using the BlockSSHd script to block and send me notices by watching
> auth.log. Problem was that during heavy attacks my INBOX would get
> flooded. And the reaction time was a bit slow.
> A couple of meetings ago Steven Kreuzer suggested I use PF's
> max-src-conn method. Works like a charm. I now limit inbound ssh
> connections to max-src-conn 100, max-src-conn-rate 5/3. With this
> tuning for SSH they get one, maybe two, login attempts before PF adds
> them to the block table. That's below the threshold for BlockSSHd to
> react and send me a block notice. Looks to me like this tuning is doing
> exactly what I want. The reaction time to block an attack is now one
> second or less. My INBOX is not getting flooded any more. And all the
> legit traffic gets through just as before. If not better since the
> firewall/router doesn't have to work as hard.
> I also use the pam_af plugin. It never gets a chance to block anything,
> but provides useful info on when and where a login was coming from.