On Mon, Nov 26, 2007 at 06:56:51PM -0800, badeguruji wrote:
> I just discovered by chance that someone is
> constantly trying to break into my openbsd box from:
>
> 201.244.17.162 [corporativos24417-162.etb.net.co]
> 203.113.85.26
> 211.20.79.85
> 71.159.221.78
> 82.207.116.209
>
> whois details on each IP go to South America, Bangkok,
> Taiwan... all over the world! Although I have sent
> email to the email address in the whois output, the
> attacker may be spoofing the IP.
>
> By the pattern of attempts I can tell it is the same
> user. I am asking the community's help on how to
> block and, more properly, punish this unethical user.
> This user is running the attack constantly. I will
> have to shut down the box for now and come back at a
> later time when someone has posted some solution on
> the list.
>
> My box is behind a router-NAT which is allowing ssh. I
> am not sure how this guy can get to my box, which has a
> private IP address, from the internet through the firewall.
To clarify: the box under attack is behind a router that does NAT and
general firewalling. The box is set up to have sshd listening on the
external interface and the router does NAT but allows ssh traffic to
come in. I'm assuming that you want the box that is under attack to
offer ssh service to the internet. Your problem is that someone is
knocking a lot on that port.

> I looked for blocking access depending on source IP in
> my dsl-router, but it is not that versatile.

What about putting pf on the OBSD box and blocking based on source IP
that way. On the other hand, if instead of blacklisting some IPs, you
want to whitelist some (only allowing from certain IPs) there is the
from="pattern-list" sshd option.

> I have now also setup hosts.allow and DenyUsers/Groups
> in ssh config. is that enough?

It depends on what your actual concern is. Are the hits impacting on
bandwidth? Are they tying up the server so that they result in a denial
of service? Do you just want to tighten up sshd?

Don't allow root logins. Limit logins to a specific group (e.g. create
an ssh group). If it works for the legitimate ssh users, only use
pub-key logins.

Of course, if you don't want the box to listen on the external
interface at all, set up ListenAddress appropriately.

Doug.
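The following is an added example illustrating Doug's two suggestions (block by source address with pf, and tighten sshd); it is not code from the thread or from OpenBSD. It assumes OpenBSD-style authlog lines, an external interface named em0, a table file at /etc/pf.bruetforce-style path /etc/pf.bruteforce, and a login group called sshusers; the log lines are constructed, using two of the addresses from the original post. Note that the from="pattern-list" whitelist option mentioned above is an option placed in front of a key in ~/.ssh/authorized_keys, not a sshd_config keyword.

```shell
#!/bin/sh
# Added example (not from the original thread): turn sshd log noise into a pf
# block table, and print the pf.conf / sshd_config fragments that go with it.
# Assumptions: OpenBSD-style authlog lines, external interface "$1" of
# pf_rules, table file /etc/pf.bruteforce, and a login group named "sshusers".

# Constructed sample authlog lines (not real log data); the source addresses
# are two of the ones named in the original post.
SAMPLE_AUTHLOG='Nov 26 18:40:01 obsd sshd[12345]: Failed password for invalid user admin from 201.244.17.162 port 51422 ssh2
Nov 26 18:40:03 obsd sshd[12345]: Failed password for invalid user test from 201.244.17.162 port 51430 ssh2
Nov 26 18:40:05 obsd sshd[12346]: Failed password for root from 201.244.17.162 port 51441 ssh2
Nov 26 18:41:10 obsd sshd[12350]: Failed password for root from 203.113.85.26 port 40011 ssh2
Nov 26 18:42:00 obsd sshd[12360]: Accepted publickey for doug from 10.0.0.5 port 50000 ssh2
Nov 26 18:42:30 obsd sshd[12361]: Invalid user oracle from 203.113.85.26'

# failed_ssh_sources THRESHOLD
# Reads authlog lines on stdin; prints, one per line and sorted, every source
# address with at least THRESHOLD failed-password or invalid-user attempts.
# Successful logins ("Accepted ...") are ignored.
failed_ssh_sources() {
    awk -v thr="$1" '
        /sshd\[[0-9]*\]: (Failed password for|Invalid user)/ {
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip != "") n[ip]++
        }
        END { for (ip in n) if (n[ip] >= thr) print ip }
    ' | sort
}

# write_pf_table FILE THRESHOLD
# Builds the persistent table file that pf.conf loads and prints the number
# of addresses written. Run from cron and reload the live table with:
#   pfctl -t bruteforce -T replace -f FILE
write_pf_table() {
    failed_ssh_sources "$2" > "$1"
    wc -l < "$1" | tr -d ' '
}

# pf_rules EXT_IF
# Prints the pf.conf fragment: listed sources are dropped outright, and any
# host opening more than 5 ssh connections in 30 seconds is added to the
# table automatically and has its existing states flushed.
pf_rules() {
    cat <<EOF
ext_if = "$1"
table <bruteforce> persist file "/etc/pf.bruteforce"
block in quick on \$ext_if from <bruteforce>
pass in on \$ext_if proto tcp to (\$ext_if) port ssh flags S/SA keep state \\
    (max-src-conn-rate 5/30, overload <bruteforce> flush global)
EOF
}

# sshd_hardening LISTEN_ADDR
# Prints the sshd_config lines matching the advice above: bind to one
# address, no root logins, logins only for one group, key-only auth.
sshd_hardening() {
    cat <<EOF
ListenAddress $1
PermitRootLogin no
AllowGroups sshusers
PasswordAuthentication no
ChallengeResponseAuthentication no
EOF
}

# Demo on the constructed sample: threshold 3 catches only the persistent host.
printf '%s\n' "$SAMPLE_AUTHLOG" | failed_ssh_sources 3
```

With a threshold of 3 only 201.244.17.162 is listed; with 2 both sample hosts are. The overload rule is what actually stops a single persistent source without any log parsing, so the table file is mainly for addresses you want blocked permanently. To whitelist instead, prefix the key in ~/.ssh/authorized_keys with from="10.0.0.0/24" (hypothetical network) and the key is usable only from those sources.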