[nycbug-talk] SSH attacks

Yarema yds at CoolRat.org
Wed Sep 10 13:11:34 EDT 2008

Hey, is anyone else seeing an upsurge in distributed SSH attacks over
the past week or two?

This annoyed me enough to get me reading The Book of PF.  I've been
using the BlockSSHd script to block and send me notices by watching
auth.log.  Problem was that durring heavy attacks my INBOX would get
fooded.  And the reaction time was a bit slow.

A couple of meetings ago Steven Kreuzer suggested I use PF's
max-src-conn method.  Works like a charm.  I now limit inbound ssh
connections to max-src-conn 100, max-src-conn-rate 5/3.  With this
tuning for SSH they get one, maybe two, login attempts before PF adds
them to the block table.  That's below the threshold for BlockSSHd to
react and send me a block notice.  Looks to me like this tuning is doing
exactly what I want.  The reaction time to block an attack is now one
second or less.  My INBOX is not getting flooded any more.  And all the
legit traffic gets through just as before.  If not better since the
firewall/router doesn't have to work as hard.

I also use the pam_af plugin.  It never gets a chance to block anything,
but provides useful info on when and where a login was coming from.


More information about the talk mailing list