Re: openbsd fail2ban
I managed to find my old powerbook yesterday and copied the sources on a pen drive. Kinda looks like a time capsule for me. Openbsd complained about being initialized after 600+ days...

As I said before, this program has worked for me. It was a single installation and only two admins... A single connection to a specific port enables ssh by adding the source IP to a white list. Another connection to another port removes the access.

It could be written in a smarter way and also could have lots of features (like timing expiration) but it would be overkill for our need.

enjoy!

On Thu, Nov 6, 2008 at 3:49 PM, Marcus Andree [EMAIL PROTECTED] wrote:
> I've written a small program about 5 years ago. It was a daemon that implemented a service similar to port knocking but entirely in user level, calling pfctl by exec() system calls to insert/remove remote IP addresses in a pf table holding machines able to connect to the ssh daemon via port 22.
>
> It was an ugly hack but it worked for us. I shall have a backup copy somewhere on my powerbook at home...
>
> On Thu, Nov 6, 2008 at 3:33 PM, Charlie Clark [EMAIL PROTECTED] wrote:
>> Hi,
>>
>> I have noticed that people constantly try to brute force sshd on my openbsd box, on my server I use fail2ban to prevent this and wondered if there is a similar solution for openbsd.
>>
>> Regards,
>> --
>> Charlie Clark
>> Network Engineer
>> Lemon Computing Ltd
>> Unit 9 26-28 Priests Bridge London SW14 8TA UK
>> Tel: +44 208 878 2138 Fax: +44 208 878 2163
>> Email: [EMAIL PROTECTED] Site: http://www.lemon-computing.com/
>> Lemon Computing is a limited company registered in England & Wales under Company No. 03697052

[demime 1.01d removed an attachment of type application/x-gzip which had a name of portctrl.tar.gz]
Re: openbsd fail2ban
> 2008/11/6, Charlie Clark [EMAIL PROTECTED]:
>> Hi,
>>
>> I have noticed that people constantly try to brute force sshd on my openbsd box, on my server I use fail2ban to prevent this and wondered if there is a similar solution for openbsd.
>
> Have you tried sshguard?

I disabled remote password logins and stopped worrying about it. No key, no entry.
openbsd fail2ban
Hi,

I have noticed that people constantly try to brute force sshd on my openbsd box, on my server I use fail2ban to prevent this and wondered if there is a similar solution for openbsd.

Regards,
--
Charlie Clark
Network Engineer
Lemon Computing Ltd
Unit 9 26-28 Priests Bridge London SW14 8TA UK
Tel: +44 208 878 2138 Fax: +44 208 878 2163
Email: [EMAIL PROTECTED] Site: http://www.lemon-computing.com/
Lemon Computing is a limited company registered in England & Wales under Company No. 03697052
Re: openbsd fail2ban
2008/11/6 Charlie Clark [EMAIL PROTECTED]:
> I have noticed that people constantly try to brute force sshd on my openbsd box, on my server I use fail2ban to prevent this and wondered if there is a similar solution for openbsd.

Yes. RTFAQ.

Best
Martin
Re: openbsd fail2ban
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Clark
Sent: Thursday, 6 November 2008 18:34
To: misc
Subject: openbsd fail2ban

Hi,

I have noticed that people constantly try to brute force sshd on my openbsd box, on my server I use fail2ban to prevent this and wondered if there is a similar solution for openbsd.

Regards,
--
Charlie Clark
Network Engineer
Lemon Computing Ltd
Unit 9 26-28 Priests Bridge London SW14 8TA UK
Tel: +44 208 878 2138 Fax: +44 208 878 2163
Email: [EMAIL PROTECTED] Site: http://www.lemon-computing.com/
Lemon Computing is a limited company registered in England & Wales under Company No. 03697052

you can use pf, I think. Put something like this in your pf.conf:

    table <ssh-bruteforce>
    block drop in log quick from <ssh-bruteforce> to any
    pass in $log_pass_ext \
        on $ext_if \
        inet proto tcp \
        from any \
        to $ext_if port 22 \
        flags S/SA \
        keep state \
        (max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global)

and pf will move offending source ip to the bruteforce table and subsequently drop these packets
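The overload rule from the message above, written out as a complete pf.conf fragment. This is an added example, not part of the original post: the interface name em0, the <admin_nets> table and its 192.0.2.0/24 documentation-range address are assumptions, and `log` stands in for the poster's undefined $log_pass_ext macro.

```conf
# Added example, not from the thread. Assumed values: em0, <admin_nets>,
# 192.0.2.0/24 (documentation range). Replace them with your own.
ext_if = "em0"

# Addresses that must never be locked out; const stops pfctl -T from
# changing the table at runtime.
table <admin_nets> const { 192.0.2.0/24 }

# Filled by the overload rule below; persist keeps the table alive
# even when no rule refers to it.
table <ssh-bruteforce> persist

# 1. Admin networks match here first (quick), so their connections are
#    never counted against the rate limit in rule 3.
pass in quick on $ext_if inet proto tcp from <admin_nets> \
    to $ext_if port 22 flags S/SA keep state

# 2. Sources already in the table are dropped and logged.
block drop in log quick on $ext_if from <ssh-bruteforce> to any

# 3. Everyone else. A source exceeding 3 connections per 30 seconds is
#    added to <ssh-bruteforce>; flush global removes all of its
#    existing states. Only connections that completed the TCP
#    handshake are counted.
pass in log on $ext_if inet proto tcp from any to $ext_if port 22 \
    flags S/SA keep state \
    (max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global)

# Operating it (as root):
#   pfctl -nf /etc/pf.conf                     parse only, do not load
#   pfctl -t ssh-bruteforce -T show            list blocked sources
#   pfctl -t ssh-bruteforce -T expire 86400    drop entries older than a day
#   pfctl -t ssh-bruteforce -T delete ADDRESS  unblock a single address
```

Nothing removes entries from the table automatically; without a periodic `-T expire` (from cron, for example) a blocked address stays blocked until the table is flushed or the system reboots.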
Re: openbsd fail2ban
I've written a small program about 5 years ago. It was a daemon that implemented a service similar to port knocking but entirely in user level, calling pfctl by exec() system calls to insert/remove remote IP addresses in a pf table holding machines able to connect to the ssh daemon via port 22.

It was an ugly hack but it worked for us. I shall have a backup copy somewhere on my powerbook at home...

On Thu, Nov 6, 2008 at 3:33 PM, Charlie Clark [EMAIL PROTECTED] wrote:
> Hi,
>
> I have noticed that people constantly try to brute force sshd on my openbsd box, on my server I use fail2ban to prevent this and wondered if there is a similar solution for openbsd.
>
> Regards,
> --
> Charlie Clark
> Network Engineer
> Lemon Computing Ltd
> Unit 9 26-28 Priests Bridge London SW14 8TA UK
> Tel: +44 208 878 2138 Fax: +44 208 878 2163
> Email: [EMAIL PROTECTED] Site: http://www.lemon-computing.com/
> Lemon Computing is a limited company registered in England & Wales under Company No. 03697052
Re: openbsd fail2ban
Hi Marcus,

If you come across this program again would I be able to steal it off of you? I will implement it as suggested before using pf state table tracking, but your program sounds very interesting and I would still like to see it.

Thank you everyone for your answers.

Thanks,
Charlie

Marcus Andree wrote:
> I've written a small program about 5 years ago. It was a daemon that implemented a service similar to port knocking but entirely in user level, calling pfctl by exec() system calls to insert/remove remote IP addresses in a pf table holding machines able to connect to the ssh daemon via port 22.
>
> It was an ugly hack but it worked for us. I shall have a backup copy somewhere on my powerbook at home...
>
> On Thu, Nov 6, 2008 at 3:33 PM, Charlie Clark [EMAIL PROTECTED] wrote:
>> Hi,
>>
>> I have noticed that people constantly try to brute force sshd on my openbsd box, on my server I use fail2ban to prevent this and wondered if there is a similar solution for openbsd.
>>
>> Regards,
>> --
>> Charlie Clark
>> Network Engineer
>> Lemon Computing Ltd
>> Unit 9 26-28 Priests Bridge London SW14 8TA UK
>> Tel: +44 208 878 2138 Fax: +44 208 878 2163
>> Email: [EMAIL PROTECTED] Site: http://www.lemon-computing.com/
>> Lemon Computing is a limited company registered in England & Wales under Company No. 03697052

--
Charlie Clark
Network Engineer
Lemon Computing Ltd
Unit 9 26-28 Priests Bridge London SW14 8TA UK
Tel: +44 208 878 2138 Fax: +44 208 878 2163
Email: [EMAIL PROTECTED] Site: http://www.lemon-computing.com/
Lemon Computing is a limited company registered in England & Wales under Company No. 03697052
Re: openbsd fail2ban
On 17:33, Thu 06 Nov 08, Charlie Clark wrote:
> Hi,
>
> I have noticed that people constantly try to brute force sshd on my openbsd box, on my server I use fail2ban to prevent this and wondered if there is a similar solution for openbsd.

Have a look at this section of the FAQ:
http://www.openbsd.org/faq/pf/filter.html#stateopts

What you are interested in is the sample using 'overload' and 'flush'

--
Michiel van Baak
[EMAIL PROTECTED]
http://michiel.vanbaak.eu
GnuPG key: http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x71C946BD

Why is it drug addicts and computer aficionados are both called users?
Re: openbsd fail2ban
You'd be free to do whatever you want with it. I'll see if I can find the source. I'm pretty sure there's a copy on my old powerbook.

It was written for linux and openbsd and we used it for an ad-hoc authentication method to manage a remote machine over the unsecure internet.

Never did any security auditing on the code, but I don't think there's anything wrong with it. There were one or two things that I'd like to have the time to implement, like privilege separation, but that's all.

But, as I said before, it is an ugly hack... :)

On Thu, Nov 6, 2008 at 3:57 PM, Charlie Clark [EMAIL PROTECTED] wrote:
> Hi Marcus,
>
> If you come across this program again would I be able to steal it off of you? I will implement it as suggested before using pf state table tracking, but your program sounds very interesting and I would still like to see it.
>
> Thank you everyone for your answers.
>
> Thanks,
> Charlie
>
> Marcus Andree wrote:
>> I've written a small program about 5 years ago. It was a daemon that implemented a service similar to port knocking but entirely in user level, calling pfctl by exec() system calls to insert/remove remote IP addresses in a pf table holding machines able to connect to the ssh daemon via port 22.
>>
>> It was an ugly hack but it worked for us. I shall have a backup copy somewhere on my powerbook at home...
>>
>> On Thu, Nov 6, 2008 at 3:33 PM, Charlie Clark [EMAIL PROTECTED] wrote:
>>> Hi,
>>>
>>> I have noticed that people constantly try to brute force sshd on my openbsd box, on my server I use fail2ban to prevent this and wondered if there is a similar solution for openbsd.
>>>
>>> Regards,
>>> --
>>> Charlie Clark
>>> Network Engineer
>>> Lemon Computing Ltd
>>> Unit 9 26-28 Priests Bridge London SW14 8TA UK
>>> Tel: +44 208 878 2138 Fax: +44 208 878 2163
>>> Email: [EMAIL PROTECTED] Site: http://www.lemon-computing.com/
>>> Lemon Computing is a limited company registered in England & Wales under Company No. 03697052
>
> --
> Charlie Clark
> Network Engineer
> Lemon Computing Ltd
> Unit 9 26-28 Priests Bridge London SW14 8TA UK
> Tel: +44 208 878 2138 Fax: +44 208 878 2163
> Email: [EMAIL PROTECTED] Site: http://www.lemon-computing.com/
> Lemon Computing is a limited company registered in England & Wales under Company No. 03697052
Re: openbsd fail2ban
2008/11/6, Charlie Clark [EMAIL PROTECTED]:
> Hi,
>
> I have noticed that people constantly try to brute force sshd on my openbsd box, on my server I use fail2ban to prevent this and wondered if there is a similar solution for openbsd.

Have you tried sshguard?
Re: openbsd fail2ban
On Thu, Nov 06, 2008 at 05:33:41PM +, Charlie Clark wrote:
> I have noticed that people constantly try to brute force sshd on my openbsd box, on my server I use fail2ban to prevent this and wondered if there is a similar solution for openbsd.

Yes, but why would you want to do that? It doesn't help in any real sense - weak passwords are still weak and may still fall to a distributed attack, and strong passwords or keys are pretty much impossible to guess anyway.

Meanwhile, it's at least a little complex, takes some time to set up, and has nasty failure modes.

Joachim
Re: openbsd fail2ban
If you're just tired of the noise, consider moving SSH to a different port. It provides no greater security but helps with some of the annoyance.

-HKS

On Thu, Nov 6, 2008 at 2:34 PM, Joachim Schipper [EMAIL PROTECTED] wrote:
> On Thu, Nov 06, 2008 at 05:33:41PM +, Charlie Clark wrote:
>> I have noticed that people constantly try to brute force sshd on my openbsd box, on my server I use fail2ban to prevent this and wondered if there is a similar solution for openbsd.
>
> Yes, but why would you want to do that? It doesn't help in any real sense - weak passwords are still weak and may still fall to a distributed attack, and strong passwords or keys are pretty much impossible to guess anyway.
>
> Meanwhile, it's at least a little complex, takes some time to set up, and has nasty failure modes.
>
> Joachim
Re: openbsd fail2ban
On 2008-11-06, Joachim Schipper [EMAIL PROTECTED] wrote:
> On Thu, Nov 06, 2008 at 05:33:41PM +, Charlie Clark wrote:
>> I have noticed that people constantly try to brute force sshd on my openbsd box, on my server I use fail2ban to prevent this and wondered if there is a similar solution for openbsd.
>
> Yes, but why would you want to do that? It doesn't help in any real sense

It helps reduce use of CPU and the /var/log disk.

But so does the simpler block proto tcp to port ssh / pass proto tcp from ADMIN_NETS to port ssh.
Re: openbsd fail2ban
One more vote for sshguard, I use it here with success, just need to create a rule like:

    block in on $ext_if proto tcp from <sshguard> to any port ssh

And run sshguard, it will get any host trying random passwords with no success to the sshguard table.

Don't know if there are any alternatives more openbsd focused.

Alexander Polakov wrote:
> 2008/11/6, Charlie Clark [EMAIL PROTECTED]:
>> Hi,
>>
>> I have noticed that people constantly try to brute force sshd on my openbsd box, on my server I use fail2ban to prevent this and wondered if there is a similar solution for openbsd.
>
> Have you tried sshguard?