Re: limit number of ssh connections
> From owner-freebsd-questi...@freebsd.org Mon Sep 19 19:12:32 2011
> From: mer...@stonehenge.com (Randal L. Schwartz)
> To: Paul Macdonald
> Date: Mon, 19 Sep 2011 17:12:14 -0700
> Cc: James Strother, freebsd-questions@freebsd.org
> Subject: Re: limit number of ssh connections
>
> >>>>> "Paul" == Paul Macdonald writes:
>
> Paul> in my experience running ssh on a high port cuts the amount of
> Paul> unwanted ssh connections to approximately zero, in fact I got a
> Paul> surprise when seeing a sec log from a box which I hadn't done this
> Paul> for
>
> I run sshd on 443 (for firewall-bending reasons), and the only
> connections I see there are people trying to break into the web. Never
> an actual sshd hit. :)

A wise man said: "this belongs in the "security for dummies" pile right along with "turning off your SSID announce" and "use MAC address filtering" when people talk about wifi "security". All three are useless and give you a false sense of having "increased" security."

It is worthy of note that 'merely' running sshd on an 'unconventional' port provides _less_ of an increase in security than portknocking does. :)

That said, _I_ also run sshd on the "well-known port" for unrelated services. *NOT* because I have a belief it provides any increase in security -- it _doesn't_ -- but simply to eliminate the script-kiddie 'doorknob rattling' 'clutter' from the logs. Making it far easier to see a truly 'targeted' attempt.

'Clutter elimination' makes it -- *or* portknocking -- "worth doing" even though neither provides any "measurable" increase in 'real' security.

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: limit number of ssh connections
On Mon, Sep 19, 2011 at 05:11:28PM -0700, Randal L. Schwartz wrote:
> >>>>> "Григорьев" == Григорьев Александр writes:
>
> Григорьев> If your target is to protect a FreeBSD box from brute-forcing passwords
> Григорьев> from the internet, maybe security/knockd will help you?
>
> Portknocking adds only a dozen bits or so to your password. Do you
> really think it helps to go from a 1024-bit key to a 1036-bit? In other
> words, Portknocking belongs in the "security for dummies" pile right
> along with "turning off your SSID announce" and "use MAC address
> filtering" when people talk about wifi "security". All three are
> useless and give you a false sense of having "increased" security.

I'd say, rather, that it's useful in deflecting the drive-by, casual cracking attempts, but not as real security against a more sophisticated attack. It's nice to have cleaner logging sometimes -- which is the real benefit of such techniques, rather than security per se.

--
Chad Perrin [ original content licensed OWL: http://owl.apotheon.org ]
Re: limit number of ssh connections
>>>>> "Paul" == Paul Macdonald writes:

Paul> in my experience running ssh on a high port cuts the amount of unwanted ssh
Paul> connections to approximately zero, in fact I got a surprise when seeing a sec
Paul> log from a box which I hadn't done this for

I run sshd on 443 (for firewall-bending reasons), and the only connections I see there are people trying to break into the web. Never an actual sshd hit. :)

--
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<http://www.stonehenge.com/merlyn/>
Smalltalk/Perl/Unix consulting, Technical writing, Comedy, etc. etc.
See http://methodsandmessages.posterous.com/ for Smalltalk discussion
Re: limit number of ssh connections
>>>>> "Григорьев" == Григорьев Александр writes:

Григорьев> If your target is to protect a FreeBSD box from brute-forcing passwords
Григорьев> from the internet, maybe security/knockd will help you?

Portknocking adds only a dozen bits or so to your password. Do you really think it helps to go from a 1024-bit key to a 1036-bit? In other words, Portknocking belongs in the "security for dummies" pile right along with "turning off your SSID announce" and "use MAC address filtering" when people talk about wifi "security". All three are useless and give you a false sense of having "increased" security.

The real security is disabling plaintext passwords. Then no amount of bruteforce will ever get in.

--
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<http://www.stonehenge.com/merlyn/>
Smalltalk/Perl/Unix consulting, Technical writing, Comedy, etc. etc.
See http://methodsandmessages.posterous.com/ for Smalltalk discussion
Re: limit number of ssh connections
> Does anyone know a good way of limiting the number of ssh attempts from a single IP address?
>
> I found the following website, which describes a variety of approaches:
>
> http://www.freebsdwiki.net/index.php/Block_repeated_illegal_or_failed_SSH_logins
>
> But I am honestly not really happy with any of them. Continuously polling log files for regex hits seems...well crude. Just to give you an idea of what I mean, here were some of the issues I had. The sshd-scan.sh script allows IPs to be reinstated, but the timing is dependent on how frequently you rotate logs. sshguard has a pretty website, but I can't actually find much useful documentation on how to configure it. fail2ban looks like it might work with sufficient work, but the defaults are terrible. By default, every time an IP is reinstated, all IPs are reinstated. Not to mention, at present I can't seem to get it to trigger any hits.
>
> I suppose I could keep shopping, but the truth is I just think polling log files is the wrong way to solve the problem. Anything based on this approach is going to have a long latency and be highly dependent on the unspecified and unstable formatting of log files (see http://www.fail2ban.org/wiki/index.php/HOWTO_Mac_OS_X_Server_(10.4) and the troubles an exclamation point can cause).
>
> I would much much rather do something like this:
>
> http://kevin.vanzonneveld.net/techblog/article/block_brute_force_attacks_with_iptables/
>
> Does anyone know a way to do something similar with ipfw?
>
> Thanks in advance,
> Jim

Maybe you mean something like this?!

http://home.nuug.no/~peter/pf/en/bruteforce.html
RE: limit number of ssh connections
Moving ssh to another port has solved the problem for me. I had used sshguard in the past, but was always leery of locking myself out.

Regards,
Matt Emmerton

-----Original Message-----
From: owner-freebsd-questi...@freebsd.org [mailto:owner-freebsd-questi...@freebsd.org] On Behalf Of James Strother
Sent: Monday, September 19, 2011 5:47 PM
To: freebsd-questions@freebsd.org
Subject: Re: limit number of ssh connections

Wow, I'm glad I asked. This has been very helpful.

@Григорьев Александр
Thanks for the tip on inetd, that looks like it might just do the trick.

@Paul Macdonald
My main reason for looking into this was glancing through the logs on a server I just put online and seeing large numbers of unauthorized login attempts. Everything so far is highly unsophisticated, but it did make me start to really think about the issue. I might put ssh onto a different port, that would at least stop the sort of fishing I am currently seeing. It's not clear if that would be "good enough."

@Damien Fleuriot
Have you had success with sshguard? Installed it from ports, but then I couldn't quite figure out how to configure it. To be honest, I didn't give it much of a chance before I moved on to the next thing, so if you've had good luck then I should probably give it another shot.

I did flip through sshd_config, but as far as I can tell it is only possible to limit the number of concurrent connections. It might take a little longer, but I'm concerned it would still allow a malicious individual to sequentially brute-force a password.

Thanks for all the responses.
Re: limit number of ssh connections
On 9/19/2011 2:05 PM, James Strother wrote:
> Does anyone know a good way of limiting the number of ssh attempts from a single IP address?
>
> I found the following website, which describes a variety of approaches:
>
> http://www.freebsdwiki.net/index.php/Block_repeated_illegal_or_failed_SSH_logins
>
> But I am honestly not really happy with any of them. Continuously polling log files for regex hits seems...well crude. Just to give you an idea of what I mean, here were some of the issues I had. The sshd-scan.sh script allows IPs to be reinstated, but the timing is dependent on how frequently you rotate logs. sshguard has a pretty website, but I can't actually find much useful documentation on how to configure it. fail2ban looks like it might work with sufficient work, but the defaults are terrible. By default, every time an IP is reinstated, all IPs are reinstated. Not to mention, at present I can't seem to get it to trigger any hits.
>
> I suppose I could keep shopping, but the truth is I just think polling log files is the wrong way to solve the problem. Anything based on this approach is going to have a long latency and be highly dependent on the unspecified and unstable formatting of log files (see http://www.fail2ban.org/wiki/index.php/HOWTO_Mac_OS_X_Server_(10.4) and the troubles an exclamation point can cause).
>
> I would much much rather do something like this:
>
> http://kevin.vanzonneveld.net/techblog/article/block_brute_force_attacks_with_iptables/
>
> Does anyone know a way to do something similar with ipfw?
>
> Thanks in advance,
> Jim

They cannot attack what they cannot see. That's why I wrote this:

http://www.tundraware.com/Software/tperimeter/

It allows you to restrict access to a fixed set of hosts (via tcpwrappers) but to dynamically request access from any host (via wrapper rewriting) so long as you have credentials to do so.

The current version has a worst-case latency of 5 minutes from the time you remotely request ssh access be granted until it actually is. I am working toward an update that will grant the request immediately.

--
Tim Daneliuk tun...@tundraware.com
PGP Key: http://www.tundraware.com/PGP/
Re: limit number of ssh connections
Wow, I'm glad I asked. This has been very helpful.

@Григорьев Александр
Thanks for the tip on inetd, that looks like it might just do the trick.

@Paul Macdonald
My main reason for looking into this was glancing through the logs on a server I just put online and seeing large numbers of unauthorized login attempts. Everything so far is highly unsophisticated, but it did make me start to really think about the issue. I might put ssh onto a different port, that would at least stop the sort of fishing I am currently seeing. It's not clear if that would be "good enough."

@Damien Fleuriot
Have you had success with sshguard? Installed it from ports, but then I couldn't quite figure out how to configure it. To be honest, I didn't give it much of a chance before I moved on to the next thing, so if you've had good luck then I should probably give it another shot.

I did flip through sshd_config, but as far as I can tell it is only possible to limit the number of concurrent connections. It might take a little longer, but I'm concerned it would still allow a malicious individual to sequentially brute-force a password.

Thanks for all the responses.
Re: limit number of ssh connections
Standard inetd(8) has many options, including limiting connections based on IP address. Can it help in this case?

20.09.2011, 00:02, "James Strother":
> That's an interesting project, I hadn't realized port knocking had become so easy to use.
>
> Unfortunately, for this particular server, I need to be able to provide a simple way for (a very limited number of) users to log in to the system remotely using a variety of OS platforms. So I don't think port knocking is a good fit here.
>
> Thanks,
> Jim
>
> 2011/9/19 Григорьев Александр:
>> If your target is to protect a FreeBSD box from brute-forcing passwords from the internet, maybe security/knockd will help you?
>>
>> 19.09.2011, 23:05, "James Strother":
>>> Does anyone know a good way of limiting the number of ssh attempts from a single IP address?
>>>
>>> I found the following website, which describes a variety of approaches:
>>>
>>> http://www.freebsdwiki.net/index.php/Block_repeated_illegal_or_failed_SSH_logins
>>>
>>> But I am honestly not really happy with any of them. Continuously polling log files for regex hits seems...well crude. Just to give you an idea of what I mean, here were some of the issues I had. The sshd-scan.sh script allows IPs to be reinstated, but the timing is dependent on how frequently you rotate logs. sshguard has a pretty website, but I can't actually find much useful documentation on how to configure it. fail2ban looks like it might work with sufficient work, but the defaults are terrible. By default, every time an IP is reinstated, all IPs are reinstated. Not to mention, at present I can't seem to get it to trigger any hits.
>>>
>>> I suppose I could keep shopping, but the truth is I just think polling log files is the wrong way to solve the problem. Anything based on this approach is going to have a long latency and be highly dependent on the unspecified and unstable formatting of log files (see http://www.fail2ban.org/wiki/index.php/HOWTO_Mac_OS_X_Server_(10.4) and the troubles an exclamation point can cause).
>>>
>>> I would much much rather do something like this:
>>>
>>> http://kevin.vanzonneveld.net/techblog/article/block_brute_force_attacks_with_iptables/
>>>
>>> Does anyone know a way to do something similar with ipfw?
>>>
>>> Thanks in advance,
>>> Jim
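The pf ruleset linked a few messages up (home.nuug.no) and the inetd(8) per-address limits suggested here are the two FreeBSD-native answers to the original question: both act before sshd ever sees the connection and need no log polling. What follows is an added example, not code from the thread or from any project it mentions, that emits both, plus the ipfw concurrent-connection form the original poster asked about. The interface name em0, port 22, the table name bruteforce and every threshold are placeholders of ours to tune; the real syntax is pf's max-src-conn, max-src-conn-rate and overload options, pfctl's -T expire, ipfw's limit src-addr, and inetd.conf's nowait/max-child/max-connections-per-ip-per-minute/max-child-per-ip fields.

```shell
#!/bin/sh
# Added example, not code from the thread. Per-source connection limiting
# for sshd done outside sshd on FreeBSD: a pf overload-table ruleset, the
# ipfw concurrent-connection cap, and inetd(8) per-address limits.
# Assumptions (ours): interface em0, port 22, table name "bruteforce", and
# every numeric threshold are placeholders to tune for the host.

# pf_bruteforce_rules IFACE PORT RATE SECS [MAXCONN]
# Emit a pf.conf fragment. An address opening more than RATE new connections
# to PORT within SECS seconds (or more than MAXCONN at once) is added to the
# <bruteforce> table, its existing states are flushed, and the "block ...
# quick" rule, which must come first, drops it before sshd sees a packet.
pf_bruteforce_rules() {
    iface=$1 port=$2 rate=$3 secs=$4 maxconn=${5:-10}
    cat <<EOF
ext_if="$iface"
table <bruteforce> persist
block in quick on \$ext_if from <bruteforce>
pass in on \$ext_if proto tcp to (\$ext_if) port $port flags S/SA keep state \\
    (max-src-conn $maxconn, max-src-conn-rate $rate/$secs, \\
     overload <bruteforce> flush global)
EOF
}

# pf_expire_cron SECONDS: crontab line that drops table entries older than
# SECONDS, so a blocked address (your own included, after a typo storm) is
# released automatically rather than by a manual "pfctl -t bruteforce -T delete".
pf_expire_cron() {
    echo "0 * * * * /sbin/pfctl -t bruteforce -T expire $1"
}

# ipfw_ssh_limit PORT N: ipfw has no rate-over-time match, but "limit src-addr N"
# caps the number of concurrent connections from one source address to PORT.
ipfw_ssh_limit() {
    echo "ipfw add allow tcp from any to me $1 setup limit src-addr $2"
}

# inetd_ssh_line PERMIN PERIP: run sshd under inetd with at most PERMIN new
# connections per minute and PERIP concurrent children per source address.
# Field syntax: nowait/max-child/max-connections-per-ip-per-minute/max-child-per-ip,
# where 0 for max-child means unlimited. sshd then needs -i, and sshd_enable
# must be NO in rc.conf because inetd owns the listening socket.
inetd_ssh_line() {
    echo "ssh stream tcp nowait/0/$1/$2 root /usr/sbin/sshd sshd -i"
}

# pf_check_rules: syntax-check the generated ruleset with pfctl -n if pfctl
# exists; on any other box just say so, so the script still runs everywhere.
pf_check_rules() {
    if command -v pfctl >/dev/null 2>&1; then
        tmp=$(mktemp) || return 1
        pf_bruteforce_rules em0 22 3 30 >"$tmp"
        pfctl -nf "$tmp"
        rc=$?
        rm -f "$tmp"
        return $rc
    fi
    echo "pfctl not found; skipping syntax check" >&2
}

# Show what would be installed.
pf_bruteforce_rules em0 22 3 30
pf_expire_cron 86400
ipfw_ssh_limit 22 3
inetd_ssh_line 5 2
pf_check_rules
```

The overload table is the part that matters: once an address trips the rate it is blocked at the first quick rule, so even a slow sequential guess that never exceeds sshd's own concurrency limit is cut off, and the hourly expire is what keeps a mistyped password from locking an admin out for good. The ipfw form only bounds simultaneous connections; the inetd form is the closest ipfw-free equivalent to the pf rate, at the cost of a fork per connection.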
Re: limit number of ssh connections
2011/9/19 Григорьев Александр:
> If your target is to protect a FreeBSD box from brute-forcing passwords from the internet, maybe security/knockd will help you?
>
> 19.09.2011, 23:05, "James Strother":
>> Does anyone know a good way of limiting the number of ssh attempts from a single IP address?

Hi James,

(not what you asked obv,) in my experience running ssh on a high port cuts the amount of unwanted ssh connections to approximately zero, in fact I got a surprise when seeing a sec log from a box which I hadn't done this for.

Paul.
Re: limit number of ssh connections
Again, if your goal is to protect against attacks, you might want to look at sshguard from the ports.

Otherwise I believe there's an sshd_config directive to limit the number of concurrent connections from a single source IP.

On 19 Sep 2011, at 22:02, James Strother wrote:
> That's an interesting project, I hadn't realized port knocking had become so easy to use.
>
> Unfortunately, for this particular server, I need to be able to provide a simple way for (a very limited number of) users to log in to the system remotely using a variety of OS platforms. So I don't think port knocking is a good fit here.
>
> Thanks,
> Jim
>
> 2011/9/19 Григорьев Александр:
>> If your target is to protect a FreeBSD box from brute-forcing passwords from the internet, maybe security/knockd will help you?
>>
>> 19.09.2011, 23:05, "James Strother":
>>> Does anyone know a good way of limiting the number of ssh attempts from a single IP address?
>>>
>>> I found the following website, which describes a variety of approaches:
>>>
>>> http://www.freebsdwiki.net/index.php/Block_repeated_illegal_or_failed_SSH_logins
>>>
>>> But I am honestly not really happy with any of them. Continuously polling log files for regex hits seems...well crude. Just to give you an idea of what I mean, here were some of the issues I had. The sshd-scan.sh script allows IPs to be reinstated, but the timing is dependent on how frequently you rotate logs. sshguard has a pretty website, but I can't actually find much useful documentation on how to configure it. fail2ban looks like it might work with sufficient work, but the defaults are terrible. By default, every time an IP is reinstated, all IPs are reinstated. Not to mention, at present I can't seem to get it to trigger any hits.
>>>
>>> I suppose I could keep shopping, but the truth is I just think polling log files is the wrong way to solve the problem. Anything based on this approach is going to have a long latency and be highly dependent on the unspecified and unstable formatting of log files (see http://www.fail2ban.org/wiki/index.php/HOWTO_Mac_OS_X_Server_(10.4) and the troubles an exclamation point can cause).
>>>
>>> I would much much rather do something like this:
>>>
>>> http://kevin.vanzonneveld.net/techblog/article/block_brute_force_attacks_with_iptables/
>>>
>>> Does anyone know a way to do something similar with ipfw?
>>>
>>> Thanks in advance,
>>> Jim
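Randal's point further up (disable plaintext passwords and the guessing rate stops mattering) and the sshd_config directive mentioned here can both be checked from the config file itself, so here is an added example, not from the thread, that audits one: a POSIX sh script with two constructed sshd_config samples. It treats absent keywords as the OpenSSH 5.x defaults of the time (PasswordAuthentication yes, ChallengeResponseAuthentication yes, PermitRootLogin yes, MaxAuthTries 6) and ignores Match blocks and the Key=value spelling. The caveat it makes visible is that sshd uses the first occurrence of a keyword, so a hardening line appended to the end of the file does nothing when an earlier line already set it. Note also that MaxStartups, the directive that limits concurrent unauthenticated connections, is a global cap (start:rate:full), not a per-source one.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits an sshd_config for the
# settings that decide whether online password guessing can succeed at all.
# Assumptions: POSIX sh and awk; the two sample configs are constructed
# here, not taken from any real host; absent keywords are treated as the
# OpenSSH 5.x defaults (PasswordAuthentication yes,
# ChallengeResponseAuthentication yes, PermitRootLogin yes, MaxAuthTries 6).

# sshd_effective KEY FILE: print the value sshd will use for KEY.
# Keywords are case-insensitive and the FIRST occurrence wins, so a
# hardening line appended at the bottom does not override an earlier one.
# Match blocks and the "Key=value" form are not handled.
sshd_effective() {
    awk -v key="$1" '
        BEGIN { key = tolower(key) }
        NF == 0 || $1 ~ /^#/ { next }
        tolower($1) == key   { print $2; exit }
    ' "$2"
}

# sshd_audit FILE: print one finding per line; return 1 if any were found.
sshd_audit() {
    cfg=$1 bad=0
    pw=$(sshd_effective PasswordAuthentication "$cfg")
    cr=$(sshd_effective ChallengeResponseAuthentication "$cfg")
    root=$(sshd_effective PermitRootLogin "$cfg")
    tries=$(sshd_effective MaxAuthTries "$cfg")
    # fall back to the sshd defaults assumed above when a keyword is absent
    : "${pw:=yes}" "${cr:=yes}" "${root:=yes}" "${tries:=6}"

    if [ "$pw" != no ]; then
        echo "PasswordAuthentication=$pw: guessed passwords are accepted; set to no and use keys"
        bad=1
    fi
    if [ "$cr" != no ]; then
        echo "ChallengeResponseAuthentication=$cr: keyboard-interactive (PAM) still takes passwords"
        bad=1
    fi
    case $root in
        no|without-password) ;;
        *) echo "PermitRootLogin=$root: root is the first name every guesser tries; set to no"
           bad=1 ;;
    esac
    if [ "$tries" -gt 3 ]; then
        echo "MaxAuthTries=$tries: more guesses per connection than key users need; 3 is plenty"
        bad=1
    fi
    return $bad
}

# Constructed sample 1: looks hardened at a glance, but the "no" lines were
# appended below an earlier "yes", so sshd never sees them.
WEAK_CFG=$(mktemp)
cat >"$WEAK_CFG" <<'EOF'
# constructed sshd_config (weak)
Port 22
#PermitRootLogin no
PasswordAuthentication yes
ChallengeResponseAuthentication yes
Subsystem sftp /usr/libexec/sftp-server
# added later by a well-meaning admin; first occurrence wins, so these are dead
PasswordAuthentication no
ChallengeResponseAuthentication no
EOF

# Constructed sample 2: keys only, root locked out, few tries, and a global
# (not per-source) cap on unauthenticated connections.
HARD_CFG=$(mktemp)
cat >"$HARD_CFG" <<'EOF'
# constructed sshd_config (hardened)
Port 22
PermitRootLogin no
PubkeyAuthentication yes
passwordauthentication no
ChallengeResponseAuthentication no
UsePAM yes
MaxAuthTries 3
MaxStartups 10:30:60
Subsystem sftp /usr/libexec/sftp-server
EOF
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT

for f in "$WEAK_CFG" "$HARD_CFG"; do
    echo "== $f"
    sshd_audit "$f" && echo "no weak settings found"
done
```

Run it against /etc/ssh/sshd_config on a real host and fix every finding before worrying about rate limits: with passwords off, a guesser's connections are still log clutter, but no number of them yields a login.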
Re: limit number of ssh connections
That's an interesting project, I hadn't realized port knocking had become so easy to use.

Unfortunately, for this particular server, I need to be able to provide a simple way for (a very limited number of) users to log in to the system remotely using a variety of OS platforms. So I don't think port knocking is a good fit here.

Thanks,
Jim

2011/9/19 Григорьев Александр:
> If your target is to protect a FreeBSD box from brute-forcing passwords from the internet, maybe security/knockd will help you?
>
> 19.09.2011, 23:05, "James Strother":
>> Does anyone know a good way of limiting the number of ssh attempts from a single IP address?
>>
>> I found the following website, which describes a variety of approaches:
>>
>> http://www.freebsdwiki.net/index.php/Block_repeated_illegal_or_failed_SSH_logins
>>
>> But I am honestly not really happy with any of them. Continuously polling log files for regex hits seems...well crude. Just to give you an idea of what I mean, here were some of the issues I had. The sshd-scan.sh script allows IPs to be reinstated, but the timing is dependent on how frequently you rotate logs. sshguard has a pretty website, but I can't actually find much useful documentation on how to configure it. fail2ban looks like it might work with sufficient work, but the defaults are terrible. By default, every time an IP is reinstated, all IPs are reinstated. Not to mention, at present I can't seem to get it to trigger any hits.
>>
>> I suppose I could keep shopping, but the truth is I just think polling log files is the wrong way to solve the problem. Anything based on this approach is going to have a long latency and be highly dependent on the unspecified and unstable formatting of log files (see http://www.fail2ban.org/wiki/index.php/HOWTO_Mac_OS_X_Server_(10.4) and the troubles an exclamation point can cause).
>>
>> I would much much rather do something like this:
>>
>> http://kevin.vanzonneveld.net/techblog/article/block_brute_force_attacks_with_iptables/
>>
>> Does anyone know a way to do something similar with ipfw?
>>
>> Thanks in advance,
>> Jim
Re: limit number of ssh connections
If your target is to protect a FreeBSD box from brute-forcing passwords from the internet, maybe security/knockd will help you?

19.09.2011, 23:05, "James Strother":
> Does anyone know a good way of limiting the number of ssh attempts from a single IP address?
>
> I found the following website, which describes a variety of approaches:
>
> http://www.freebsdwiki.net/index.php/Block_repeated_illegal_or_failed_SSH_logins
>
> But I am honestly not really happy with any of them. Continuously polling log files for regex hits seems...well crude. Just to give you an idea of what I mean, here were some of the issues I had. The sshd-scan.sh script allows IPs to be reinstated, but the timing is dependent on how frequently you rotate logs. sshguard has a pretty website, but I can't actually find much useful documentation on how to configure it. fail2ban looks like it might work with sufficient work, but the defaults are terrible. By default, every time an IP is reinstated, all IPs are reinstated. Not to mention, at present I can't seem to get it to trigger any hits.
>
> I suppose I could keep shopping, but the truth is I just think polling log files is the wrong way to solve the problem. Anything based on this approach is going to have a long latency and be highly dependent on the unspecified and unstable formatting of log files (see http://www.fail2ban.org/wiki/index.php/HOWTO_Mac_OS_X_Server_(10.4) and the troubles an exclamation point can cause).
>
> I would much much rather do something like this:
>
> http://kevin.vanzonneveld.net/techblog/article/block_brute_force_attacks_with_iptables/
>
> Does anyone know a way to do something similar with ipfw?
>
> Thanks in advance,
> Jim
limit number of ssh connections
Does anyone know a good way of limiting the number of ssh attempts from a single IP address?

I found the following website, which describes a variety of approaches:

http://www.freebsdwiki.net/index.php/Block_repeated_illegal_or_failed_SSH_logins

But I am honestly not really happy with any of them. Continuously polling log files for regex hits seems...well crude. Just to give you an idea of what I mean, here were some of the issues I had. The sshd-scan.sh script allows IPs to be reinstated, but the timing is dependent on how frequently you rotate logs. sshguard has a pretty website, but I can't actually find much useful documentation on how to configure it. fail2ban looks like it might work with sufficient work, but the defaults are terrible. By default, every time an IP is reinstated, all IPs are reinstated. Not to mention, at present I can't seem to get it to trigger any hits.

I suppose I could keep shopping, but the truth is I just think polling log files is the wrong way to solve the problem. Anything based on this approach is going to have a long latency and be highly dependent on the unspecified and unstable formatting of log files (see http://www.fail2ban.org/wiki/index.php/HOWTO_Mac_OS_X_Server_(10.4) and the troubles an exclamation point can cause).

I would much much rather do something like this:

http://kevin.vanzonneveld.net/techblog/article/block_brute_force_attacks_with_iptables/

Does anyone know a way to do something similar with ipfw?

Thanks in advance,
Jim