ss.h.i.t alternatives || other brute force blockers?

I have used security/ss(h)(i)(t) to block IPs that make attacks on SSH in the past. I notice that it really doesn't work very well on 7 because auth.log lists hostnames now instead of just IPs.

The forum profanity blocker does not allow the port name, but you will see it in the link below...

See: http://www.freebsd.org/cgi/query-pr.cgi?pr=115210

Are there any good alternatives?

Other suggestions are welcome.

Thanks!
 
dave said:
Are there any good alternatives?

Yes, using public key authentication. Blocking IP addresses automatically is very dangerous.
 
dave said:
Other suggestions are welcome.

Thanks!

I have been using security/denyhosts for a couple of years already and it just works. Usually I configure it to forget blocked IP addresses after 20 minutes, in case you block yourself out of your box.
 
Thanks for the suggestions. My particular requirements make it such that I can block IPs without worry, but I still like to use a system that will only block for a while. Thanks for the suggestions. I will check them out.
 
If you utilise an auto blocking system, I would only do so on SSH if it has a whitelist feature for your own IP address.
 
@chrcol
You can use denyhosts to block the attackers through the firewall as well, as antik already said.
This can be done by writing custom denyhosts plugins and whitelisting the valid ones.
You can see my configuration using pf below:

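/usr/local/share/denyhosts/plugins/pf_deny.sh
#!/bin/sh
# Add the address passed as the first argument to the pf table "badhosts".
/sbin/pfctl -t badhosts -Tadd "$1"

/usr/local/share/denyhosts/plugins/pf_purge.sh
#!/bin/sh
# Remove the address passed as the first argument from the pf table "badhosts".
/sbin/pfctl -t badhosts -Tdel "$1"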

/etc/pf.conf
.
.
table <badhosts> persist file "/etc/hosts.evil"
block drop in quick log on $ext_if from <badhosts> to any
.
.

/usr/local/etc/denyhosts.cfg
.
.
HOSTS_DENY = /etc/hosts.evil
PLUGIN_DENY=/usr/local/share/denyhosts/plugins/pf_deny.sh
PLUGIN_PURGE=/usr/local/share/denyhosts/plugins/pf_purge.sh
ALLOWED_HOSTS_HOSTNAME_LOOKUP=YES
.
.


/usr/local/share/denyhosts/data/allowed-hosts
localhost
127.0.0.1
192.168.34.100



/etc/hosts.allow
.
.
ALL : /etc/hosts.evil : deny
 
You may find my tool useful; it also supports whitelisting features -- it's under security/bruteforceblocker
 
dave said:
Are there any good alternatives?

Other suggestions are welcome.

Thanks!
Try to use port knocking:
"Port knocking is a stealthy network authentication system that uses closed ports to carry out identification of trusted users."
http://www.portknocking.org
IMHO a very good alternative to IP blacklisting.
 
chrcol said:
if you utilise a auto blocking system I would only do so on ssh if it has a whitelist feature for own ip address.

sshguard only blocks for an hour (configurable). So if you manage to type your own password wrongly 5 times in 2 minutes you're blocked but the blockade is automatically removed after 60 minutes. It stops all those damned bruteforcers except a few braindead ones. Those end up getting added permanently by yours truly.
 
I too use denyhosts, and you are able to configure blocking. For example, if someone from IP x.x.x.x attempts to log in using an invalid name (which is 99.7% of the failed login attempts my box gets) it is blocked for good. If IP y.y.y.y attempts to log in with a valid name, it is blocked for 15 minutes (in case you type your password wrong 3 times on a Monday morning after a holiday weekend). Root logins are blocked forever (as root login is not allowed remotely on my box).
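
The tiered policy from the last post (permanent block for invalid names and root, 15 minutes for valid names), combined with the whitelist advice earlier in the thread, sketched as an added example that is not part of the thread and is not DenyHosts' own code. The function name, the threshold of 3 failures and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re

PERMANENT = None                 # block with no expiry
VALID_USER_BLOCK = 15 * 60       # seconds: the 15 minutes from the post
VALID_USER_THRESHOLD = 3         # assumption: failures tolerated for a real account
WHITELIST = {"127.0.0.1", "192.168.34.100"}  # as in the allowed-hosts file above

# OpenSSH "Failed password" line; the source may be an address or a hostname.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def decide_blocks(lines):
    """Map each offending source IP to a block duration (None = permanent)."""
    blocks, failures = {}, {}
    for line in lines:
        m = FAILED.search(line)
        if not m:
            continue
        src = m.group("src")
        try:
            ipaddress.ip_address(src)
        except ValueError:
            continue  # hostname logged instead of an address: skipped, not resolved
        if src in WHITELIST:
            continue  # never lock out the administrator's own address
        if m.group("invalid") or m.group("user") == "root":
            blocks[src] = PERMANENT
        elif src not in blocks:
            failures[src] = failures.get(src, 0) + 1
            if failures[src] >= VALID_USER_THRESHOLD:
                blocks[src] = VALID_USER_BLOCK
    return blocks

# Constructed sample lines (documentation address ranges), not real log data.
P = "Jan  5 08:00:01 box sshd[311]: Failed password for "
SAMPLE = [
    P + "invalid user admin from 203.0.113.5 port 4242 ssh2",
    P + "root from 203.0.113.9 port 4243 ssh2",
    *[P + "dave from 198.51.100.7 port 4244 ssh2"] * 3,
    *[P + "dave from 198.51.100.8 port 4245 ssh2"] * 2,
    P + "invalid user test from 192.168.34.100 port 4246 ssh2",
    P + "invalid user oracle from host.example.net port 4247 ssh2",
]
if __name__ == "__main__":
    print(decide_blocks(SAMPLE))
```

The whitelisted address and the hostname entry produce no block, and two failures for a valid name stay under the threshold.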
 