At 2:11 AM -0600 6/30/05, Steve Williams wrote:

Tonight I got 800+ attempts from the same IP.  I played with
manually blocking the IP, but it was over before I got the
firewall rules written and looked over them twice.

Is there any way to block/limit the number of connections to a
port in a given time period?  I was getting around 5 connects
per second from the same IP/PORT (in Hungary :-( ).

Many people have noticed similar problems on their machines, and
there are a few more tools to react to the attacks:

http://pfsense.com/cgi-bin/cvsweb.cgi/tools/sshlockout_pf.c

This is a simple program which you use by piping the auth output
from syslog into it.  It scans that output, and adds ip addresses to
a table in 'pf'.  You would then have your pf.conf file do "what
you want" with that list of addresses.  It is a very simple program,
but you could always add whatever bells and whistles you want to it.

A friend of mine wrote something similar at about the same time,
using perl.  His was written for FreeBSD and ipfw, but would be
easy to adapt.  The main difference is that his setup supports
the idea that these blocking-rules should expire after awhile.

http://www.chrismasto.com/software/ssh_ipfw/

In my case, I also have a simple set of grep and sed commands which
can scan any file (usually /var/log/auth.log), and generate rules
to add to /etc/hosts.allow.  Not as automatic, but the host in
question doesn't have 'pf' set up on it yet...  The important
point is to debug that set of commands after the first attack,
so that when a second attack comes (and it will...) you can just
run your script to generate the rules you need.  Still, this is
certainly not as good as any of the automatic solutions.

As to the speed of connections, I've been meaning to check into
the idea that every ssh session would see some short delay
(maybe 1/2 of a second).  Something where syslog would see any
failure message immediately, but the incoming connection would
always see that extra delay.  I'm not sure that would really help
much, but it might make me feel a little better...

As you can tell from all these solutions, there are many people
seeing the same kinds of attacks that you've been seeing.  Here
at RPI, we're getting so we're simply going to block ssh from
*anywhere* off-campus to almost all on-campus hosts.  Legitimate
users will have to use our VPN gateway when they are off campus
and want to ssh to some host on campus.

--
Garance Alistair Drosehn            =   [EMAIL PROTECTED]
Senior Systems Programmer           or  [EMAIL PROTECTED]
Rensselaer Polytechnic Institute    or  [EMAIL PROTECTED]
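The grep/sed approach described in the message above, written out as a
complete POSIX shell script.  This is an added example, not Garance's own
commands and not either of the linked tools: it assumes sshd's classic
syslog "Failed password for ... from IP port N ssh2" line format, the
log lines embedded below are constructed samples, and the threshold and
function names are this example's own choices.  It counts failed
password attempts per source address and emits tcp_wrappers rules in the
"daemon : client : option" form that /etc/hosts.allow accepts, so the
script can be debugged once against an old log and re-run when the next
attack arrives.

```shell
#!/bin/sh
# Added example: generate tcp_wrappers deny rules from sshd failure lines.
# Not the list author's script; the log lines below are constructed samples
# in the classic syslog format written by OpenSSH's sshd (assumption).

SAMPLE_LOG=$(cat <<'EOF'
Jun 30 02:10:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Jun 30 02:10:02 host sshd[1202]: Failed password for invalid user test from 203.0.113.5 port 40123 ssh2
Jun 30 02:10:02 host sshd[1203]: Failed password for root from 203.0.113.5 port 40124 ssh2
Jun 30 02:10:03 host sshd[1204]: Failed password for invalid user guest from 203.0.113.5 port 40125 ssh2
Jun 30 02:10:05 host sshd[1205]: Failed password for alice from 198.51.100.7 port 50001 ssh2
Jun 30 02:10:09 host sshd[1206]: Accepted publickey for alice from 198.51.100.7 port 50002 ssh2
Jun 30 02:10:11 host sshd[1207]: Failed password for invalid user oracle from 203.0.113.5 port 40126 ssh2
EOF
)

# failed_attempts_per_ip FILE
# Prints "COUNT IP" for every source address with at least one failed
# password attempt.  Only sshd "Failed password" lines are considered, so a
# user who fails once and then logs in with a key is counted once, not blocked.
failed_attempts_per_ip() {
    grep 'sshd\[[0-9]*\]: Failed password for' "$1" \
      | sed -n 's/.* from \([0-9][0-9.]*\) port .*/\1/p' \
      | sort | uniq -c \
      | sed 's/^ *//'
}

# hosts_allow_deny_rules FILE THRESHOLD
# Emits one rule per address that reached THRESHOLD failures, in the
# "sshd : ADDRESS : deny" form accepted by /etc/hosts.allow (hosts_options).
hosts_allow_deny_rules() {
    failed_attempts_per_ip "$1" \
      | awk -v limit="$2" '$1 >= limit { printf "sshd : %s : deny\n", $2 }'
}

# Demonstration against the constructed sample; writes nothing to /etc.
# Real use would be:  hosts_allow_deny_rules /var/log/auth.log 5 >> /etc/hosts.allow
SAMPLE_FILE=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$SAMPLE_FILE"
hosts_allow_deny_rules "$SAMPLE_FILE" 3
rm -f "$SAMPLE_FILE"
```

Review the emitted lines before appending them: tcp_wrappers reads
hosts.allow before hosts.deny, so a "deny" option placed there takes effect
immediately, and a typo in the address pattern can lock out legitimate
users.  Note that, like the pf and ipfw tools linked above, these rules do
not expire on their own; the ipfw script's expiry idea would have to be
added separately.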
