[安全] Block ssh bruteforce attempts

[安全] Block ssh bruteforce attempts ssh, Block, attempts, bruteforceBlock ssh bruteforce attempts

Most people with a box on public IP, and with a sshd listening on port 22, notices a lot of bruteforce attempts. These attempts are filling up logs, and are a pure annoyance. Here's how I "solved" it..

In OpenBSD 3.7, pf got a really nice feature called max-src-conn-rate, which specifies how quickly new connections can be made. Connecting hosts exceeding this limit can be put into a table, and all states including that hosts IP address, can also be flushed.

When I have the offending IPs in a table, it can easily be blocked early on in our ruleset. But since I don't want to block a host forever, or even until the next reboot, I'm gonna use a small utility to clean out this table once in a while.

Let's start with the magic pf rule:
  1. # special rule for ssh
  2. pass in on $ext_if proto tcp from any to ($ext_if) port ssh \
  3. flags S/SA keep state \
  4. (max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global)
复制代码The keyword here is ofcourse "max-src-conn-rate". The arguments tell pf to put every IP exceeding a connection rate of more than 3 connections in every 30 seconds, in a table called "ssh-bruteforce". How often do valid users connect to ssh that often? Ofcourse you can set this to 6/60 or something more apropriate for your environment. Last but not least pf kills all states originating from the bad host.

To keep the bad boys out, I add a block rule early on in my ruleset:

# block the ssh bruteforce bastards
  1. block drop in quick on $ext_if from <ssh-bruteforce>
复制代码Great, now the table are getting populated with bad hosts, and they're getting blocked. But as I said earlier, I don't want to block them forever. This is were expiretable comes in handy. This utility, written by Henrik Gustafsson, takes a look at a table, and removes ("expires") entires older then the specified amount of time.

It's in ports (sysutils/expiretable), but was commited after 3.8 was tagged, so you'll have to go -current, or compile/install it by hand. Then add this to roots crontab:
  1. */5 * * * * /usr/local/sbin/expiretable -t 3600 ssh-bruteforce
复制代码Every five minutes, I expire entries older than one hour.

This is how I get rid of thousands of login attempts filling my logs.


http://johan.fredin.info/openbsd/block_ssh_bruteforce.html

你可能感兴趣的:(#bsd防火墙)