SSHd - 'no respond' mode and port knocking

I'm curious to know if SSHd can be configured for two pieces of functionality. I read through sshd(8) and sshd_config(5) and I didn't see what I was looking for.

The 'no respond' mode is basically SSHd stops responding to sessions if a number of authentication requests fail. So say after 3 failed attempts SSHd does not respond for 30 minutes for example.

Port knocking is where the incoming SSH client session has to come in for a certain port for a certain number of tries before the real SSH port becomes open.
 
I'm curious to know if SSHd can be configured for two pieces of functionality. I read through sshd(8) and sshd_config(5) and I didn't see what I was looking for.

The 'no respond' mode is basically SSHd stops responding to sessions if a number of authentication requests fail. So say after 3 failed attempts SSHd does not respond for 30 minutes for example.

Code:
Mar  7 13:05:43 shadow sshd[65935]: error: maximum authentication attempts exceeded for invalid user root from 122.241.244.6 port 42181 ssh2 [preauth]

As you can see from the above, it certainly supports killing a session if a number of authentication attempts is exceeded.

Not then allowing anyone to access the machine for 30 minutes, or even any lesser time, seems rather inconvenient! Instead, I run a script every five minutes that trawls the log and permanently firewalls the IP address for such miscreants.

You might like to recheck sshd_config() especially for MaxAuthTries and LoginGraceTime.
 
You might want to look at knockd(1) for port knocking (no experience, the manpage refers to using IPTables commands, so yeah.. )
I also second the solution by trev above, FreeBSD is working on a full port of blacklistd(8) which can be used to automatically deny attackers in your firewall.
 
Not then allowing anyone to access the machine for 30 minutes, or even any lesser time, seems rather inconvenient!
You might like to recheck sshd_config() especially for MaxAuthTries and LoginGraceTime.

Security and convenience are at opposite ends of the ruler. As you increase one; you lose from the other. I looked at the grace timer but it's not the same outcome.

You might want to look at knockd(1) ......FreeBSD is working on a full port of blacklistd(8) .......

Well I'll be. Couldn't find that knockd yesterday. I'll check out both, thank you.
 
Try to use MaxStartups 5:15:30 in /etc/ssh/sshd_config.

Code:
     MaxStartups
             Specifies the maximum number of concurrent unauthenticated
             connections to the SSH daemon.  Additional connections will be
             dropped until authentication succeeds or the LoginGraceTime
             expires for a connection.  The default is 10:30:100.

             Alternatively, random early drop can be enabled by specifying the
             three colon separated values “start:rate:full” (e.g. "10:30:60").
             sshd(8) will refuse connection attempts with a probability of
             “rate/100” (30%) if there are currently “start” (10)
             unauthenticated connections.  The probability increases linearly
             and all connection attempts are refused if the number of
             unauthenticated connections reaches “full” (60).
Anyway, if you use PF (Packet Filter) you are able to "autoblock" IPs which make too many connections to the SSHD port. Like below.

Code:
table <bruteforce> persist file "/etc/bruteforce.data"
block quick log (all) from <bruteforce>
pass in quick log (all) on re0 tcp from any to 10.10.10.10 port 22 synproxy state (max-src-conn 3, max-src-conn-rate 2/5, overload <bruteforce> flush global)
Be aware that after a restart, the PF process clears the bruteforce table data.
So the file /etc/bruteforce.data should be loaded with IPs. You can create a cronjob to copy the data from pfctl.

Code:
pfctl -t bruteforce -T show > /etc/bruteforce.data
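Combining trev's log-trawling cron script with the PF table from the post above, here is an added example that is not code from anyone in this thread: it pulls the source IPs out of the "maximum authentication attempts exceeded" lines sshd logs, adds them to the <bruteforce> table, and dumps the table to the persist file. The log lines, the table name and the file paths are constructed/assumed; the pfctl calls need root on a PF host.

```sh
#!/bin/sh
# Added example (not from the thread). Constructed sample log excerpt in
# the same format as the sshd line quoted earlier in the thread.
SAMPLE_LOG='Mar  7 13:05:43 shadow sshd[65935]: error: maximum authentication attempts exceeded for invalid user root from 203.0.113.5 port 42181 ssh2 [preauth]
Mar  7 13:06:01 shadow sshd[65940]: Accepted publickey for alice from 198.51.100.7 port 50112 ssh2
Mar  7 13:07:12 shadow sshd[65951]: error: maximum authentication attempts exceeded for invalid user admin from 203.0.113.5 port 42190 ssh2 [preauth]
Mar  7 13:09:44 shadow sshd[65977]: error: maximum authentication attempts exceeded for user bob from 192.0.2.44 port 33001 ssh2 [preauth]'

# offenders [MIN]: read sshd log text on stdin and print, sorted and once
# each, every source IP that hit MaxAuthTries at least MIN times
# (default 1, i.e. a single exceeded-attempts line is enough).
offenders() {
    min=${1:-1}
    awk -v min="$min" '
        /maximum authentication attempts exceeded/ {
            # the IP is the word after "from"
            for (i = 1; i <= NF; i++) if ($i == "from") hits[$(i + 1)]++
        }
        END { for (ip in hits) if (hits[ip] >= min) print ip }
    ' | sort
}

# block_offenders TABLE LOGFILE PERSISTFILE: add the offenders to the PF
# table and write the table out to the file named in the
# "table <TABLE> persist file ..." rule, so a PF restart reloads it.
# Meant to be run from cron (e.g. every five minutes) as root.
block_offenders() {
    table=$1 log=$2 persist=$3
    ips=$(offenders < "$log")
    [ -n "$ips" ] || return 0
    # shellcheck disable=SC2086  # splitting $ips into arguments is intended
    pfctl -t "$table" -T add $ips
    pfctl -t "$table" -T show > "$persist"
}

# Stand-alone run: show which IPs the sample log would get blocked.
printf '%s\n' "$SAMPLE_LOG" | offenders
```

Assumed cron usage: `block_offenders bruteforce /var/log/auth.log /etc/bruteforce.data`; `pfctl -T add` silently ignores addresses already in the table.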
 