--- On Sat, 11/15/08, Jeremy Chadwick <[EMAIL PROTECTED]> wrote:
> From: Jeremy Chadwick <[EMAIL PROTECTED]>
> Subject: Re: Question about entry in auth.log
> To: "Lisa Casey" <[EMAIL PROTECTED]>
> Cc: freebsd-questions@freebsd.org
> Date: Saturday, November 15, 2008, 2:37 AM
> On Fri, Nov 14, 2008 at 10:00:13PM -0500, Lisa Casey wrote:
>
> The individual in Romania *was not* able to log in as
> michael. The
> message you saw was sshd saying "Someone's trying
> to SSH in as user
> michael; SSH key negotiation failed, and now I'm asking
> them to type in
> their password manually".
>
> It's not a prank. Shady online individuals have
> written scripts/tools
> that repetitively beat on sshd, trying to find an account
> they can log
> in as. They're simply scanning for valid accounts, and
> they also often
> try many passwords over and over (common things, such as
> the username as
> a password).
>
> Welcome to the Internet circa 2008. :(
>
> "So how do I solve this problem?"
>
> The easiest way: change sshd to listen on a port *other*
> than 22. Many
> people pick 2222. This relieves 99% of the pain, but
> requires you to
> tell your users/co-workers/peers "My box listens on
> port 2222 for ssh,
> not 22".
>
> A secondary way: programs which monitor logs and add
> firewall block
> rules when they see too many brute force attempts coming
> from an IP
> address:
>
> ports/security/blocksshd
> ports/security/sshblock
> ports/security/sshguard
> (I think I forgot one more, but those are the main three)
I've considered writing an sshd patch for OpenSSH to add bad-authentication
throttling to it, such that where X number of invalid attempts featuring at
least Y different usernames in Z seconds from the same IP causes sshd to ignore
that IP outright for a given time. This would prevent syslog spam and not
require any third-party applications. I've written a socket abstraction
library that supports throttling of this sort internally, and it's actually
very easy to implement on its own. Implementing it in OpenSSH may be more or
less difficult depending on whether there's any central function that is called
*every* time an authentication attempt fails.
If a few folks respond saying "I'd sure like that patch!", I would likely
become more motivated to do so sooner.
- mdh
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
