[nycbug-talk] SSH attacks
Yarema
yds at CoolRat.org
Wed Sep 10 14:36:20 EDT 2008
Steven Kreuzer wrote:
> Yarema wrote:
>> Hey, is anyone else seeing an upsurge in distributed SSH attacks over
>> the past week or two?
>>
>> This annoyed me enough to get me reading The Book of PF. I've been
>> using the BlockSSHd script to block and send me notices by watching
>> auth.log. Problem was that during heavy attacks my INBOX would get
>> flooded. And the reaction time was a bit slow.
>>
>> A couple of meetings ago Steven Kreuzer suggested I use PF's
>> max-src-conn method. Works like a charm.
> Glad I can help. I will send you the routing number for my Cayman Island
> offshore holding subsidiary and you can just deposit my consulting fee
> into that
:)
>> I also use the pam_af plugin. It never gets a chance to block anything,
>> but provides useful info on when and where a login was coming from.
>>
> Out of curiosity, would you be able to take the IPs you are blocking and
> try and figure out the country most of these connections are coming from?
Based on a random sampling of the ones I ran through whois they seem to
be coming from all over the place.. Europe, South America.. they try
the same login from multiple IP addresses.
> If you don't ever expect to get connections from China and Korea, you
> can load the following into pf and pretend like they don't even exist.
>
> http://www.openbsd.org/spamd/chinacidr.txt.gz
> http://www.openbsd.org/spamd/koreacidr.txt.gz
I use the China/Korea lists in my spamd setup.. Caused a humorous
incident when I filed a PR to update spamd and the maintainer couldn't
get back to me because he was emailing me from China.
--
Yarema
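The max-src-conn approach discussed in the thread, written out as an added pf.conf example; this is not Yarema's or Steven's configuration, and the interface macro `$ext_if`, the table names `<bruteforce>` and `<asia_cidr>`, the thresholds and the file paths under /etc/pf are all assumptions chosen for illustration. PF's `table ... file` directive reads plain text, so the gzipped chinacidr.txt.gz and koreacidr.txt.gz lists have to be unpacked before pf.conf is loaded.

```pf
# Example pf.conf fragment (added here, not from the original post).
# Assumes: ext_if is the public interface; the two CIDR lists were
# fetched from openbsd.org/spamd and gunzipped into /etc/pf/.
ext_if = "em0"

# Hosts that trip the SSH connection limits land here. "persist" keeps the
# table alive even while it is empty, so it survives a rule reload.
table <bruteforce> persist

# Country-level block lists, one CIDR per line, loaded from disk.
table <asia_cidr> persist file "/etc/pf/chinacidr.txt" file "/etc/pf/koreacidr.txt"

# Drop everything from both tables before any pass rule is evaluated.
block in quick on $ext_if from <bruteforce>
block in quick on $ext_if from <asia_cidr>

# Allow SSH, but per source address:
#   max-src-conn 15       no more than 15 simultaneous connections
#   max-src-conn-rate 5/3 no more than 5 new connections in any 3 seconds
# A source exceeding either limit is added to <bruteforce>; "flush global"
# also tears down every state that address already holds.
pass in on $ext_if proto tcp from any to $ext_if port ssh flags S/SA keep state \
    (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
```

Because the block rule only consults the table, nothing needs to parse auth.log and there is no mail to flood an inbox; blocked addresses can be listed with `pfctl -t bruteforce -T show` and aged out, for example with `pfctl -t bruteforce -T expire 86400` from cron, so a shared or dynamic address that once tripped the limit is not blocked forever. The rate values are a starting point: legitimate automation such as rsync over SSH from one host can exceed 5 connections in 3 seconds, so such sources should be exempted with an earlier `pass` rule or the thresholds raised.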