[nycbug-talk] SSH attacks

Yarema yds at CoolRat.org
Wed Sep 10 14:09:27 EDT 2008

Andy Kosela wrote:
> On Wed, Sep 10, 2008 at 7:11 PM, Yarema <yds at coolrat.org> wrote:
>> Hey, is anyone else seeing an upsurge in distributed SSH attacks over
>> the past week or two?
>> <snip>
> The best defense against such attacks is just to allow SSH connections
> only for specific hosts/subnets. If you really need to allow the whole
> world to access your SSH port just use a nonstandard one and put it
> behind some good firewall. We are using Juniper Netscreen for that.
> Logs are clean.
> If you can't put it behind firewall even editing /etc/hosts.allow can help.

Thanks, I do need SSH to be wide open.  The non-standard port method has
been debated many a time and I lean against security by obscurity.

I was just thinking that I need to look into Juniper stuff in case a
client requests a commercially supported firewall.  In my situation I
don't see what Juniper can do that I can't with the two CARPed FreeBSD
firewalls I'm running.  Juniper is based on FreeBSD after all.

Based on what I've seen in the logs, the problem with these attacks is
that not that I'm worried of a successful break in.  It's the
overwhelming resource clogging they cause.

Anyway the solution I described in my initial post gets the job done
admirably.  PF's reaction time to block an attacking IP is sometimes
faster than sshd can print the login prompt to the attacker.  This based
on multiple messages I'm now finding in the auth.log which read

sshd[nnnn]: Could not write ident string to xxx.xxx.xxx.xxx

PF with max-src-conn-rate set to no more than 5 connections within 3
seconds from the same IP kicks ass is all I gatta say!


More information about the talk mailing list