Blocking the really resourceful brutes: the time limit for max-src-conn-rate rule

2008-11-29 Thread Sandro
Hi everyone,

I don't know how many of you have noticed this, but my mailserver has become
the victim of what seems to be a new kind of dictionary attack.  I'm seeing
connections from literally hundreds of different hosts, working as an
evident botnet, that connect via ssh and try various passwords.  While I'm
not terribly concerned with the password strength of most users who have ssh
access (it's not many either), I'm still very irritated by this.  What makes
this a challenge to stop or block is the fact that each specific host only
attempts to connect once every 4-5 hours usually, though in rare instances,
it will connect every 1.5-2 hours.

What I've done this morning on the machine running pf to try and get this
under control is set up a max-src-conn-rate rule of 2/4000, and set up a
redirect from the firewall/router running openbsd/pf to the mailserver with
a pass rule so that I don't get blocked out of it myself! (Though the
mailserver is behind a router, it has a routable IP, making this option
viable). My question is, will this seemingly HUGE time interval even work in
pf?

Has anyone else seen this sort of thing, and what have you done to mitigate
this?  For the record, I know about ssh keys, and it's in fact set up on
other machines, but for various reasons, I can't enable it just yet on this
one.



Re: Blocking the really resourceful brutes: the time limit for max-src-conn-rate rule

2008-11-29 Thread Darrin Chandler
> I don't know how many of you have noticed this, but my mailserver has become
> the victim of what seems to be a new kind of dictionary attack.

I have not been paying much attention to your mailserver. ;-)

> Has anyone else seen this sort of thing, and what have you done to mitigate
> this?  For the record, I know about ssh keys, and it's in fact set up on
> other machines, but for various reasons, I can't enable it just yet on this
> one.

Security is always a trade-off. I've heard many reasons why keys don't
work for various situations and very few of them make any sense.
Whatever reason people say, it is really almost always a matter of very
slight inconvenience.

But ok, no keys for now...

Do you really need to allow ssh through your firewall from everywhere in
the world? Probably you don't. Allow it from where you need it and block
elsewhere.

Can you use authpf to only allow other ssh connections by authorized
IPs?

There are other ways, I'm sure. Pretty much all of the ways I like will
have one thing in common: deny all by default and allow specific
approved hosts/networks. The other way, the popular way, is to try to
put individual hosts in a blacklist for bad behavior. There are too many
script kiddies and zombie machines for that to be effective.

--
Darrin Chandler            |  Phoenix BSD User Group  |  MetaBUG
[EMAIL PROTECTED]          |  http://phxbug.org/      |  http://metabug.org/
http://www.stilyagin.com/  |  Daemons in the Desert   |  Global BUG Federation

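As an added illustration of the two approaches in this thread (Sandro's 2/4000 rate limit with a pass-through for himself, and Darrin's "deny by default, allow approved hosts"), here is a pf.conf fragment in the 2008-era rdr syntax. It is not from either poster; the interface, addresses and table names are assumptions. Note that pf accepts a 4000-second window, but two connections per 4000 s (about 67 minutes) is never exceeded by a host that connects once every 1.5 to 5 hours, so the rate limit alone will not catch the behaviour Sandro describes; the trusted-source allow list is what actually closes the door.

```pf
# Added example, not from the thread. Interface names, addresses and
# table contents are constructed placeholders.
ext_if  = "em0"
mailsrv = "192.0.2.10"                        # routable mail server behind the router

table <trusted>    persist { 198.51.100.0/24 } # networks that legitimately need ssh
table <bruteforce> persist                     # filled by the overload clause below

# Redirect inbound ssh hitting the firewall to the mail server (pre-4.7 rdr syntax).
rdr on $ext_if proto tcp from any to ($ext_if) port ssh -> $mailsrv

# Anything already flagged as a brute-forcer is dropped before any pass rule.
block in quick on $ext_if from <bruteforce>

# Trusted sources match first (quick) and are never subject to the rate limit,
# so the admin cannot lock himself out.
pass in quick on $ext_if proto tcp from <trusted> to $mailsrv port ssh \
    flags S/SA keep state

# Everyone else: a source exceeding 2 new connections per 4000 seconds is
# added to <bruteforce> and all of its existing states are killed.
# max-src-conn-rate only works with TCP state tracking, hence keep state.
pass in on $ext_if proto tcp from any to $mailsrv port ssh \
    flags S/SA keep state \
    (max-src-conn-rate 2/4000, overload <bruteforce> flush global)
```

Entries in <bruteforce> persist until removed; a periodic `pfctl -t bruteforce -T expire 86400` from cron ages them out after a day, and `pfctl -t bruteforce -T show` lets you check what the overload clause has caught.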



Re: Blocking the really resourceful brutes: the time limit for max-src-conn-rate rule

2008-11-29 Thread Joseph A Borg
Can't you map ssh to a high port on the firewall? That way your clients are
the only ones that know the port. If a botnet manages to find the port you
can always change it to another one and inform your clients.



On Nov 29, 2008, at 16:37, Sandro wrote:

> Hi everyone,
>
> I don't know how many of you have noticed this, but my mailserver has become
> the victim of what seems to be a new kind of dictionary attack.  I'm seeing
> connections from literally hundreds of different hosts, working as an
> evident botnet, that connect via ssh and try various passwords.  While I'm
> not terribly concerned with the password strength of most users who have ssh
> access (it's not many either), I'm still very irritated by this.  What makes
> this a challenge to stop or block is the fact that each specific host only
> attempts to connect once every 4-5 hours usually, though in rare instances,
> it will connect every 1.5-2 hours.
>
> What I've done this morning on the machine running pf to try and get this
> under control is set up a max-src-conn-rate rule of 2/4000, and set up a
> redirect from the firewall/router running openbsd/pf to the mailserver with
> a pass rule so that I don't get blocked out of it myself! (Though the
> mailserver is behind a router, it has a routable IP, making this option
> viable). My question is, will this seemingly HUGE time interval even work in
> pf?
>
> Has anyone else seen this sort of thing, and what have you done to mitigate
> this?  For the record, I know about ssh keys, and it's in fact set up on
> other machines, but for various reasons, I can't enable it just yet on this
> one.