[nycbug-talk] SSH attacks

Steven Kreuzer skreuzer at exit2shell.com
Wed Sep 10 14:23:37 EDT 2008


Yarema wrote:
> Hey, is anyone else seeing an upsurge in distributed SSH attacks over
> the past week or two?
>
> This annoyed me enough to get me reading The Book of PF.  I've been
> using the BlockSSHd script to block and send me notices by watching
> auth.log.  Problem was that during heavy attacks my INBOX would get
> flooded.  And the reaction time was a bit slow.
>
> A couple of meetings ago Steven Kreuzer suggested I use PF's
> max-src-conn method.  Works like a charm. 
Glad I can help. I will send you the routing number for my Cayman Island offshore holding subsidiary and you can just deposit my consulting fee into that.

> I also use the pam_af plugin.  It never gets a chance to block anything,
> but provides useful info on when and where a login was coming from.
>   
Out of curiosity, would you be able to take the IPs you are blocking and try and figure out the country most of these connections are coming from?

If you don't ever expect to get connections from China and Korea, you can load the following into pf and pretend like they don't even exist.

http://www.openbsd.org/spamd/chinacidr.txt.gz
http://www.openbsd.org/spamd/koreacidr.txt.gz

SK
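An added example, not taken from this message or its reply, of the two things discussed in the thread: the PF max-src-conn overload rule that Yarema says works for him, and the country CIDR lists loaded into pf as a table. The interface name, file paths, table names and thresholds below are assumptions chosen for illustration; the rule syntax is standard pf.conf.

```pf
# Added example pf.conf fragment, not from the original post.
# Assumptions: external interface em0, the chinacidr/koreacidr lists
# already downloaded and gunzipped into /etc/pf/, and limits picked
# for illustration rather than taken from the thread.
ext_if = "em0"

# Sources that trip the connection limits below land in this table.
# 'persist' keeps the table around even when no rule references it.
table <bruteforce> persist

# Whole-country CIDR lists, one network per line, loaded from disk.
table <badcountries> persist file "/etc/pf/chinacidr.txt" \
                             file "/etc/pf/koreacidr.txt"

# Drop the country ranges and the overloaded sources before anything else.
block in quick on $ext_if from <badcountries>
block in quick on $ext_if from <bruteforce>

# Allow SSH, but cap each source address at 10 concurrent connections
# and 5 new connections per 30 seconds. Exceeding either limit adds the
# source to <bruteforce>; 'flush global' also tears down every state
# that source already holds, so the block takes effect immediately
# instead of on its next connection attempt.
pass in on $ext_if proto tcp to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 5/30, \
     overload <bruteforce> flush global)
```

Load it with `pfctl -f /etc/pf.conf` and watch the table fill with `pfctl -t bruteforce -T show`. Overloaded entries never age out by themselves, so a cron job running `pfctl -t bruteforce -T expire 86400` drops anything older than a day; without it a shared NAT address that one bad client pushed over the limit stays blocked for everyone behind it. The openbsd.org lists are gzipped, so they need to be extracted before pf can read them, and the addresses `-T show` prints are exactly what to feed to whois to answer the question about which countries the attacks come from.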