Admins warned of brute-force SSH attacks
Robert Lemos, SecurityFocus 2008-05-14

Allowing secure shell access to a server tends to attract the occasional attempt to guess a valid username and password for the service. However, a spike in attacks this week has system administrators worried.

Admins warned of brute-force SSH attacks 2008-05-15
DooMRunneR (1 replies)
Admins warned of brute-force SSH attacks 2008-05-15
Anonymous (1 replies)
Re: Admins warned of brute-force SSH attacks 2008-05-19
Anonymous
...and here's how to do it on OpenBSD with pf:

table <scanners> persist file "/etc/scanners"

[...]

block in quick log on $ext_if proto tcp from <scanners> to $ext_if port ssh

[...]

pass in on $ext_if proto tcp from any to $ext_if port ssh flags S/SA keep state (max-src-conn-rate 3/60, overload <scanners> flush global)

These three lines in /etc/pf.conf ensure that hosts which fail 3 logon attempts in 1 minute are blocked.

I'm not sure what the state of pf for FreeBSD is at the moment, but this functionality (rate-limiting in pf) has been available for OpenBSD since 3.7, which is like 3 years ago.


Link to this comment: http://www.securityfocus.com/comments/articles/11518/35112#35112
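
Added example (not part of the original comment or of pf itself): a simplified Python model of how the block rule and the "max-src-conn-rate 3/60, overload" option above interact, run over constructed connection events. It assumes an exact sliding window, whereas pf approximates the rate with a moving average. It also shows that pf counts TCP connections per source address rather than authentication results.

```python
from collections import defaultdict, deque

MAX_CONN = 3   # from "max-src-conn-rate 3/60"
WINDOW = 60    # seconds

def simulate(events, max_conn=MAX_CONN, window=WINDOW):
    """events: (timestamp_seconds, source_ip) tuples sorted by time.
    Returns (table, decisions): the modelled <scanners> table
    (ip -> time added) and a list of (ts, ip, action) per event."""
    recent = defaultdict(deque)  # per-source times of passed connections
    table = {}
    decisions = []
    for ts, ip in events:
        if ip in table:
            # "block in quick ... from <scanners>" wins before the pass rule
            decisions.append((ts, ip, "block"))
            continue
        q = recent[ip]
        while q and ts - q[0] >= window:
            q.popleft()          # drop connections older than the window
        q.append(ts)
        if len(q) > max_conn:
            # limit exceeded: "overload <scanners>" adds the source address;
            # "flush global" would also kill its existing states
            table[ip] = ts
            del recent[ip]
            decisions.append((ts, ip, "overload"))
        else:
            decisions.append((ts, ip, "pass"))
    return table, decisions

# Constructed sample traffic using documentation addresses, not real hosts.
SAMPLE = [
    (0, "203.0.113.7"), (2, "203.0.113.7"), (4, "203.0.113.7"),
    (6, "203.0.113.7"),      # 4th connection within 60 s: overloaded
    (10, "198.51.100.20"),
    (30, "203.0.113.7"),     # already in the table: blocked
    (40, "198.51.100.20"), (75, "198.51.100.20"),
    (80, "198.51.100.20"),   # only 3 in the last 60 s: still passes
    (500, "203.0.113.7"),    # still blocked: entries do not age out by themselves
]

if __name__ == "__main__":
    table, decisions = simulate(SAMPLE)
    for ts, ip, action in decisions:
        print(f"{ts:>4}s {ip:<15} {action}")
    print("table:", table)
```

Because addresses stay in the table until removed, a pf deployment of this pattern usually pairs it with a periodic "pfctl -t scanners -T expire <seconds>" run.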







 

Copyright 2009, SecurityFocus