[nycbug-talk] SSH attacks

Max Gribov max at neuropunks.org
Wed Sep 10 13:28:29 EDT 2008


Yarema wrote:
> Hey, is anyone else seeing an upsurge in distributed SSH attacks over
> the past week or two?
>   
there's this:
http://www.informationweek.com/news/software/linux/showArticle.jhtml?articleID=210201115



> This annoyed me enough to get me reading The Book of PF.  I've been
> using the BlockSSHd script to block and send me notices by watching
> auth.log.  Problem was that during heavy attacks my INBOX would get
> flooded.  And the reaction time was a bit slow.
>
> A couple of meetings ago Steven Kreuzer suggested I use PF's
> max-src-conn method.  Works like a charm.  I now limit inbound ssh
> connections to max-src-conn 100, max-src-conn-rate 5/3.  With this
> tuning for SSH they get one, maybe two, login attempts before PF adds
> them to the block table.  That's below the threshold for BlockSSHd to
> react and send me a block notice.  Looks to me like this tuning is doing
> exactly what I want.  The reaction time to block an attack is now one
> second or less.  My INBOX is not getting flooded any more.  And all the
> legit traffic gets through just as before.  If not better since the
> firewall/router doesn't have to work as hard.
>
> I also use the pam_af plugin.  It never gets a chance to block anything,
> but provides useful info on when and where a login was coming from.
>
>   
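The max-src-conn setup Yarema describes, written out as a pf.conf fragment. This is an added illustration, not configuration taken from the thread: the limits are the ones quoted above, while the interface macro `ext_if`, the table name `<bruteforce>` and the placement of the block rule are assumptions.

```pf
# Added example: PF rate limiting for sshd as described in the thread.
# Assumed (not from the post): external interface em0, table name "bruteforce".
ext_if = "em0"

# Persistent table that overloading sources get added to. "persist" keeps
# the table defined even while it is empty.
table <bruteforce> persist

# Offenders are dropped before the pass rule below is evaluated ("quick").
block in quick on $ext_if from <bruteforce>

# Allow SSH, but track per-source state:
#   max-src-conn 100      : at most 100 simultaneous states from one source
#   max-src-conn-rate 5/3 : at most 5 new connections per 3 seconds per source
# Exceeding either limit adds the source to <bruteforce>; "flush global"
# also tears down every existing state from that address, not only SSH.
pass in on $ext_if proto tcp to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 5/3, \
     overload <bruteforce> flush global)

# Inspecting and ageing the table from the shell (pfctl commands):
#   pfctl -t bruteforce -T show               # list blocked sources
#   pfctl -t bruteforce -T expire 86400       # drop entries older than one day
#   pfctl -t bruteforce -T delete 192.0.2.10  # release one address by hand
#                                             # (192.0.2.10 is a constructed sample)
```

The overload table never empties on its own, so the expire command is normally run from cron; a source you must never lock out (a monitoring host, your own NAT gateway) can be exempted with a pass rule placed before the block rule.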