[Solved] SSH Protection
jalvaradog
April 19th, 2009, 22:49
Hi.
I set up a server with apache and ssh a few days ago and since then I've seen some attacks on my server, mostly with a dictionary, kind of trying to guess which is my user and password. Fortunately none of them is my user; I don't think it will be that easy (but not impossible) to guess my password since it has some security, you know, numbers, uppercase, lowercase and stuff like that. My question is, when the attack starts, can anyone tell me please how to stop it? Or some advice about security for my server?
I hope everyone has a nice afternoon, thanks
vivek
April 19th, 2009, 23:04
You can try any one of the following:
Firewall ssh and allow access from your own static IP only.
Use pf firewall to limit connection per second. See this example - http://keith.dev-x.net/2008/01/25/EnableAutomaticDefenceAganistSSHAttacksOnFreeBSDUsingPF.aspx
Run ssh server on different port such as 322
Turn off password based authentication and only use ssh public key based authentication
Install denyhosts http://www.freebsd.org/cgi/cvsweb.cgi/ports/security/denyhosts/ to drop attacking IPs.
Disable root login.
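Added example (not from vivek's post and not code from any of the ports mentioned in this thread): a small POSIX sh audit that checks an sshd_config for the items in the list above, namely root login off, password authentication off (public keys only) and sshd moved off port 22. The keyword names are the stock OpenSSH ones; the two sample config files are constructed here for the demonstration, and the user name in the hardened sample is a placeholder.

```sh
#!/bin/sh
# Added example, not from the thread: audit an sshd_config against the
# hardening items listed above (root login off, password auth off,
# non-default port).  Assumes stock OpenSSH keyword names; the sample
# config files below are constructed for the demonstration.

# Effective value of an sshd_config keyword.  sshd uses the first
# occurrence of a keyword and ignores commented lines, so a trailing
# "#PasswordAuthentication no" does NOT turn password auth off.
sshd_value() {   # $1 = file, $2 = keyword, $3 = value if the keyword is absent
    v=$(awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1")
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$3"; fi
}

# Print one "WEAK: ..." line per setting that still matches the defaults
# the thread warns about.  Always exits 0 so it is safe under set -e.
audit_sshd_config() {   # $1 = sshd_config to check
    f="$1"
    [ "$(sshd_value "$f" PermitRootLogin yes)" = no ] ||
        echo "WEAK: PermitRootLogin is not 'no' (disable root login)"
    [ "$(sshd_value "$f" PasswordAuthentication yes)" = no ] ||
        echo "WEAK: PasswordAuthentication is not 'no' (use public keys)"
    [ "$(sshd_value "$f" ChallengeResponseAuthentication yes)" = no ] ||
        echo "WEAK: ChallengeResponseAuthentication is not 'no' (PAM can still prompt for a password)"
    [ "$(sshd_value "$f" Port 22)" != 22 ] ||
        echo "WEAK: Port is 22 (move sshd off the default port to cut scanner noise)"
    return 0
}

weak_setting_count() {   # number of WEAK findings for a file
    audit_sshd_config "$1" | awk 'END { print NR }'
}

# Constructed sample 1: looks like a stock config where someone only
# appended a commented-out line and never disabled password auth.
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
#Port 22
#PermitRootLogin yes
PasswordAuthentication yes
#PasswordAuthentication no
EOF

# Constructed sample 2: the settings recommended in the thread.
# "admin" is a placeholder user name.
HARDENED_CONF=$(mktemp)
cat > "$HARDENED_CONF" <<'EOF'
Port 44422
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowUsers admin
EOF

# Usage: run the audit on both samples (or point it at /etc/ssh/sshd_config).
echo "== weak sample =="
audit_sshd_config "$WEAK_CONF"
echo "== hardened sample =="
audit_sshd_config "$HARDENED_CONF"
```

The point of `sshd_value` taking the first match is the trap in the weak sample: the commented `#PasswordAuthentication no` line below an active `PasswordAuthentication yes` changes nothing, so the audit still reports password authentication as enabled.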
danger@
April 19th, 2009, 23:26
You may have a look at security/bruteforceblocker, too.
SirDice
April 20th, 2009, 00:11
I use sshguard (http://www.freshports.org/search.php?query=sshguard&search=go&num=10&stype=name&method=match&deleted=excludedeleted&start=1&casesensitivity=caseinsensitive) which can use a variety of firewalls to block bruteforce attacks. Works like a charm.
danger@
April 20th, 2009, 01:26
http://forums.freebsd.org/misc.php?do=bbcode#port :)
jalvaradog
April 20th, 2009, 03:25
Hey!
I'm new around this forum and already got some good info!!!
Thanks guys, I knew moving from Linux to FreeBSD wasn't a bad idea!
I will be around and I will help this community...
SirDice
April 20th, 2009, 03:56
http://forums.freebsd.org/misc.php?do=bbcode#port :)
security/sshguard only shows the sshguard port, not the slave ports ;)
mfaridi
April 20th, 2009, 07:53
I use denyssh, it works well and works like a charm, and it blocks many IPs for me.
vivek
April 20th, 2009, 09:13
denyssh should work with jails also. PF-related tools need the real host operating system.
gnemmi
April 20th, 2009, 10:26
By just running your sshd on a higher port (like 44422) you'll reduce the number of BF attacks to almost 0.
If that isn't good enough, go for pf and/or security/bruteforce and then you'll have solved your problem =)
tobe
April 23rd, 2009, 12:42
I use sshguard (http://www.freshports.org/search.php?query=sshguard&search=go&num=10&stype=name&method=match&deleted=excludedeleted&start=1&casesensitivity=caseinsensitive) which can use a variety of firewalls to block bruteforce attacks. Works like a charm.
I've increased the time an IP is kept in the sshguard table to 24 hours (-p 86400), so my daily security emails are shorter now :)
ps: i don't like to use services on non-standard ports, as i tend to forget the port ^^
johnblue
April 29th, 2009, 06:16
ps: i don't like to use services on non-standard ports, as i tend to forget the port ^^
me too. :D
mwatkins
May 3rd, 2009, 18:51
I set up a server with apache and ssh a few days ago and since then i've seen some attacks to my server, mostly with a dictionary, kind of trying to guess which is my user and password
If you have limited number of users or only you - use public key rather than password auth and don't worry about the dictionary attacks.
If for some reason you need to keep password auth available, then consider using a firewall - pf - to limit what dictionary attackers can do. Here's a snippet from my pf configuration:
# view the table with "sudo pfctl -t ssh-offenders -T show"
table <ssh-offenders> persist
# offenders lose ssh and get nothing else either - nada
block drop in quick from <ssh-offenders> to any
pass in on $ext_if proto tcp to any port ssh flags S/SA keep state (max-src-conn 50, max-src-conn-rate 4/10, overload <ssh-offenders> flush)
You'll start to see addresses show up in the table soon enough. What the rule does is add any IP which attempts to make a ssh connection 4 times in 10 seconds to the table ssh-offenders.
Want to see where they are coming from? Install GeoIP from /usr/ports/net/GeoIP, run ``sudo geoipupdate.sh`` to get the latest table installed, and then execute:
for ip in `sudo pfctl -t ssh-offenders -T show`;do echo -n "$ip";geoiplookup $ip;done | sed 's/GeoIP Country Edition: / /' | sort -t " " -k 2,2
You'll get output like the following (a real example of who has been attacking one of my servers just commissioned over the past few days):
201.48.0.117 BR, Brazil
117.32.129.38 CN, China
121.15.207.100 CN, China
123.233.245.226 CN, China
218.22.25.10 CN, China
219.134.242.67 CN, China
219.237.242.165 CN, China
221.122.102.17 CN, China
88.208.119.124 CZ, Czech Republic
217.219.67.86 IR, Iran, Islamic Republic of
194.177.97.103 IT, Italy
202.79.25.251 KH, Cambodia
93.95.65.44 MK, Macedonia
89.238.221.138 RO, Romania
140.113.217.150 TW, Taiwan
173.45.76.212 US, United States
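Added example, not part of mwatkins' post and not code from sshguard, denyhosts or any other port in this thread: the same rate-counting idea as the `max-src-conn-rate 4/10` rule above, applied to sshd's own log lines instead of to new TCP connections, so it counts real authentication failures rather than every connection attempt. The log lines are constructed for the demo in OpenSSH's actual auth.log format; two of the source addresses are taken from the table output above and 192.0.2.10 is a documentation address standing in for a legitimate user. LIMIT and WINDOW are parameters, with 4 and 10 mirroring the pf rule.

```sh
#!/bin/sh
# Added example, not from the thread: count sshd password failures per
# source address in a sliding time window, the log-based counterpart of
# the pf "max-src-conn-rate 4/10 overload <ssh-offenders>" rule above.

# Constructed sample of /var/log/auth.log lines (OpenSSH's real format).
# 201.48.0.117 and 88.208.119.124 are addresses from the table output
# above; 192.0.2.10 is a documentation address for a legitimate user
# who mistyped a password once and then logged in with a key.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Apr 20 03:25:01 gw sshd[1201]: Failed password for invalid user admin from 201.48.0.117 port 4021 ssh2
Apr 20 03:25:02 gw sshd[1203]: Failed password for invalid user oracle from 201.48.0.117 port 4022 ssh2
Apr 20 03:25:03 gw sshd[1205]: Failed password for root from 201.48.0.117 port 4023 ssh2
Apr 20 03:25:05 gw sshd[1207]: Failed password for invalid user test from 201.48.0.117 port 4024 ssh2
Apr 20 03:25:06 gw sshd[1209]: Failed password for invalid user guest from 201.48.0.117 port 4025 ssh2
Apr 20 03:40:12 gw sshd[1310]: Failed password for jalvaradog from 192.0.2.10 port 50022 ssh2
Apr 20 03:40:20 gw sshd[1310]: Accepted publickey for jalvaradog from 192.0.2.10 port 50022 ssh2
Apr 20 04:10:00 gw sshd[1402]: Failed password for root from 88.208.119.124 port 3001 ssh2
Apr 20 04:10:30 gw sshd[1404]: Failed password for root from 88.208.119.124 port 3002 ssh2
Apr 20 04:11:00 gw sshd[1406]: Failed password for root from 88.208.119.124 port 3003 ssh2
Apr 20 04:11:30 gw sshd[1408]: Failed password for root from 88.208.119.124 port 3004 ssh2
Apr 20 04:12:00 gw sshd[1410]: Failed password for root from 88.208.119.124 port 3005 ssh2
EOF

# ssh_offenders LIMIT WINDOW LOGFILE
# Prints each address (once) that has more than LIMIT "Failed password"
# lines within any WINDOW-second span.  Simplification: timestamps are
# reduced to seconds since midnight, so a window must not cross a day
# boundary; a real tool would parse the full date.
ssh_offenders() {
    awk -v limit="$1" -v window="$2" '
    /sshd\[[0-9]+\]: Failed password for/ {
        split($3, t, ":")
        now = t[1] * 3600 + t[2] * 60 + t[3]
        ip = ""
        for (i = 6; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
        if (ip == "") next
        n = ++count[ip]
        stamp[ip, n] = now
        hits = 0
        for (j = 1; j <= n; j++) if (now - stamp[ip, j] <= window) hits++
        if (hits > limit && !(ip in flagged)) { flagged[ip] = 1; print ip }
    }' "$3"
}

# Usage: the pf rule's 4-in-10-seconds threshold, then a 10-minute window.
echo "== more than 4 failures in 10 s =="
ssh_offenders 4 10 "$SAMPLE_LOG"
echo "== more than 4 failures in 600 s =="
ssh_offenders 4 600 "$SAMPLE_LOG"
```

The two runs show the trade-off behind the window size: with the 4/10 setting only the fast dictionary run from 201.48.0.117 is flagged, while 88.208.119.124, which spaces its attempts 30 seconds apart, never exceeds the rate and slips through; a 600-second window catches it, and the single failure from 192.0.2.10 is flagged by neither. The printed addresses are the kind of thing one would feed to `pfctl -t ssh-offenders -T add` to populate the same table the pf rule above uses.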
jalvaradog
May 4th, 2009, 19:53
Hi...
Thanks everybody, I fixed the problem using pf just a couple of weeks ago. Sorry I didn't reply, it's just the time at my work... you must know.