hubertf's NetBSD Blog
Send interesting links to hubert at feyrer dot de!
 
[20060107] Fighting ssh password guessing attempts (Update #2)
If you've looked in your /var/log/authlog recently, it's likely that you seem something like:
 Dec 11 09:21:50 xxx sshd[15335]: Failed password for root from 220.[...]
 Dec 11 09:21:53 xxx sshd[2720]: Failed password for root from 220.13[...]
 Dec 11 09:21:56 xxx sshd[7260]: Failed password for root from 220.13[...]
 Dec 11 09:22:28 xxx sshd[1762]: Illegal user enterprise from 220.135[...]
 Dec 11 09:22:31 xxx sshd[20415]: Illegal user release from 220.135.88.151
 Dec 11 09:22:34 xxx sshd[2405]: Illegal user release from 220.135.88.151
 Dec 11 09:22:37 xxx sshd[27329]: Illegal user release from 220.135.88.151
 Dec 11 09:22:40 xxx sshd[22310]: Illegal user release from 220.135.88.151 
While I know that NetBSD will withstand those annoying attempts as long as accounts are protected by good passwords (or even better, SSH keys), I sometimes wish to lock out people doing those attempts.

And there's help, in the form of a blog article (found via the #NetBSD Community Blog) describing how to use pop-before-smtp and IPfilter to firewall those people into eternity. (As far as I understand, the pop-before-smtp thing is mostly used to emulate 'tail -f', so I dare saying the meat of that article could be rewritten to only use tools that come with NetBSD. Any takers? Send URL! :)

Update: Ian Spray has taken the challenge and made a version that only uses tools that come with NetBSD. See his blog entry!

Update #2: Geert also brought this variant to my attention, which convers IPFilter, PF and IPFW (For FreeBSD, obviously). He found it in the BSDWiki.

[Tags: , , , ]


Disclaimer: All opinion expressed here is purely my own. No responsibility is taken for anything.

Access count: 27787849
Copyright (c) Hubert Feyrer