ssh brute force attacks

Is there any reason you need to allow SSH from any IP address?

First thing I would do is set up hosts.deny and/or appropriate firewall rules to block port 22 for all remote hosts except for the machines you will be logging in from to administer the machine.

Also, require SSH keys, and generate the key pair on a different box; only your public key should ever be stored on the machine.


Security is layered. If you don't need to listen for ANY IP address, don't.


Personally, I do not listen on port 22 for connections from the internet (or expose SSH via any other port). Management network connections only; if I'm not on the LAN, that means a VPN session first.

Unless you're running a public access shell server, listening for SSH from anywhere is just an unnecessary risk.
 
I'm home now, so I "fixed" my /etc/pf.conf; it now looks like:

Code:
# macros

ext_if = "vr0"
tcp_pass = "{ 22 53 80 }"
tcp_out = "{ 20 21 22 25 53 80 443 587 }"
bittorrent_port = "6881:6999"
icmp_types = "echoreq"

# options

set block-policy drop
set skip on lo0
scrub in all

# tables

table <sshguard> persist

# rules

block in all
block out all

antispoof log quick for $ext_if
block in log quick on $ext_if proto tcp from <sshguard> to any port ssh label "ssh bruteforce"

pass out on $ext_if proto tcp to port $tcp_out
pass out on $ext_if proto { udp, tcp } to port $bittorrent_port
pass out inet proto icmp all icmp-type $icmp_types

pass in on $ext_if proto tcp to port $tcp_pass

Following Kpa's post I ordered the rules this way, but the block in/out all locks me out completely.
 
You should allow outgoing UDP DNS traffic as well.

Code:
pass out on $ext_if proto udp from $ext_if to any port domain
 
I tend to use fail2ban to block IP addresses after 5 or so incorrect attempts. You could also increase the time between password attempts; it won't stop them but will slow them down a lot.
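What fail2ban (or sshguard, whose table the pf.conf above already references) does under the hood is a tally of failed logins per source address. As an added example, not code from this thread or from either tool, the POSIX shell script below runs that tally over a few constructed sshd log lines, lists addresses at or above the 5-attempt threshold, and prints the `pfctl -t sshguard -T add` commands that would put them in the table, as a dry run only. The log lines and addresses (RFC 5737 documentation ranges) are made up for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Count sshd "Failed password" lines per
# source address and show which addresses a 5-attempt threshold would ban.
# The log sample below is constructed for this example.

SAMPLE_LOG='Mar  3 10:01:12 host sshd[1201]: Failed password for root from 203.0.113.7 port 50122 ssh2
Mar  3 10:01:15 host sshd[1201]: Failed password for root from 203.0.113.7 port 50130 ssh2
Mar  3 10:01:18 host sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 50141 ssh2
Mar  3 10:01:20 host sshd[1205]: Failed password for invalid user oracle from 203.0.113.7 port 50150 ssh2
Mar  3 10:01:23 host sshd[1207]: Failed password for root from 203.0.113.7 port 50162 ssh2
Mar  3 10:02:01 host sshd[1210]: Accepted publickey for alice from 192.0.2.10 port 40011 ssh2
Mar  3 10:02:40 host sshd[1212]: Failed password for alice from 198.51.100.4 port 41000 ssh2
Mar  3 10:02:44 host sshd[1214]: Failed password for alice from 198.51.100.4 port 41002 ssh2'

# count_failures: stdin = sshd log lines, stdout = "<count> <ip>" per address,
# highest count first. Only "Failed password" lines from sshd are counted, so
# the accepted publickey login above is ignored.
count_failures() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# offenders THRESHOLD: addresses with at least THRESHOLD failures, one per line
offenders() {
    threshold="${1:-5}"
    count_failures | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# ban_commands THRESHOLD: print (do not run) the pfctl commands that would add
# each offender to the <sshguard> table used by the pf.conf in this thread.
ban_commands() {
    offenders "$1" | while read -r ip; do
        printf 'pfctl -t sshguard -T add %s\n' "$ip"
    done
}

# Stand-alone run over the constructed sample.
main() {
    printf '%s\n' "$SAMPLE_LOG" | ban_commands 5
}
main
```

Feed real data with `ban_commands 5 < /var/log/auth.log` (or whatever file sshd logs to on your system); the `from` field is located by token rather than position so both the plain and the "invalid user" message forms are counted.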
 