When a system is directly connected to the internet with sshd listening on port 22, brute-force and dictionary attacks are inevitable. Even with a strong password (or keys only), the authlog fills up with useless noise and sshd keeps spending cycles answering the attacker's connection attempts.
On Linux-based servers there are good tools for this problem, such as DenyHosts and Fail2ban, but on OpenBSD we can use PF (Packet Filter) directly to rate-limit new SSH connections, blocking this kind of attack at the firewall before it ever reaches sshd.
The pf rule I used to manage the connections is very simple and clean, but you can make changes according to your own environment.
    table <ssh-blacklist> persist

    pass in on $ext_if proto tcp from any to ($ext_if) port 22 \
        flags S/SA keep state \
        (max-src-conn-rate 3/30, overload <ssh-blacklist> flush global)
    block drop in quick on $ext_if from <ssh-blacklist>
First we classify attackers with max-src-conn-rate: in this example, any source address that opens more than 3 new connections to port 22 within 30 seconds. When a host crosses that threshold its address is added to the ssh-blacklist table (the table has to be declared with "persist", otherwise PF removes it as soon as it is empty), "flush global" tears down every state that host already has on the firewall, not only its SSH states, and the block rule drops all further packets from the listed addresses. Two caveats: the rule counts TCP connections, not login attempts, so an attacker that keeps a single session open and tries many passwords is limited by sshd's MaxAuthTries rather than by PF; and an administrator who opens several sessions in quick succession will ban themselves, so choose a rate that fits your own usage and keep your management hosts out of the rule.
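The rule set I would put around that rule, as an added example (it is not the original post's configuration): it declares the tables the overload needs, adds a whitelist table so your own admin network can never be locked out, and puts the block rule first. The interface name em0, the 203.0.113.0/24 admin network and the table name ssh-admins are placeholders for this example.

```pf
# /etc/pf.conf fragment: SSH brute-force throttling with PF (added example).
# em0 and 203.0.113.0/24 are placeholders; replace them with your own values.
ext_if = "em0"

# Hosts that must never be locked out (your admin network, a bastion, ...).
table <ssh-admins> persist { 203.0.113.0/24 }

# Filled automatically by the overload rule below. "persist" keeps the table
# alive while it is empty; without it PF drops the table on the next reload.
table <ssh-blacklist> persist

set skip on lo
block return    # default deny; adapt to your base ruleset

# Drop blacklisted sources first. "quick" ends rule evaluation here, so the
# pass rules below never see these packets.
block drop in quick on $ext_if from <ssh-blacklist>

# Administrators bypass the rate limit. "quick" is required: without it the
# later, more general pass rule would match last and rate-limit them too.
pass in quick on $ext_if proto tcp from <ssh-admins> to ($ext_if) port 22

# Everyone else: at most 3 new TCP connections per 30 s per source address.
# Exceeding that adds the source to <ssh-blacklist>, and "flush global" also
# kills every state that source already holds, not only the SSH ones.
pass in on $ext_if proto tcp from any to ($ext_if) port 22 \
    keep state (max-src-conn-rate 3/30, overload <ssh-blacklist> flush global)

pass out on $ext_if
```

Check the syntax with "pfctl -nf /etc/pf.conf" before loading it with "pfctl -f /etc/pf.conf". "pfctl -t ssh-blacklist -T show" lists the hosts currently banned, and "pfctl -t ssh-blacklist -T delete 198.51.100.9" releases one by hand if a legitimate host tripped the rule.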
We don't need these hosts banned forever, so we can use the expiretable program (available in the OpenBSD ports tree) to remove entries from the table after they have been blocked for a while. The simplest way is to run expiretable as a daemon:
/usr/local/sbin/expiretable -d -t 3600 ssh-blacklist
Here 3600 is a number of seconds; recent versions also accept the suffixes s, m, h and d, so a timeout can be written as "1h30m".
If you prefer, add an entry to your crontab so the check runs periodically (every five minutes here). pfctl can do the same job without the port: "pfctl -t ssh-blacklist -T expire 3600" removes every entry older than an hour.
*/5 * * * * /usr/local/sbin/expiretable -t 3600 ssh-blacklist
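To see how much authlog noise the rule is actually removing, and to find hosts worth adding to the table by hand with "pfctl -t ssh-blacklist -T add", here is a small helper as an added example (not part of the original post). The function name ssh_offenders, the variable SAMPLE_AUTHLOG and the sample log lines are constructed for this example; the log format is the usual sshd "Failed password for ... from ADDR port N ssh2" line.

```sh
#!/bin/sh
# Added example: count failed SSH logins per source address from an
# OpenBSD-style authlog. ssh_offenders and SAMPLE_AUTHLOG are names chosen
# for this example, not part of the original post.

# ssh_offenders THRESHOLD [ALLOW]
#   Reads authlog lines on stdin and prints "count address", busiest first,
#   for every address with at least THRESHOLD failed passwords. ALLOW is an
#   optional space-separated list of addresses that are never reported (your
#   own admin hosts), mirroring the whitelist you keep in front of the PF rule.
ssh_offenders() {
    threshold="${1:-3}"
    allow="${2:-}"
    awk -v thr="$threshold" -v allow="$allow" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
        # sshd logs "Failed password for [invalid user] NAME from ADDR port N ssh2"
        /sshd\[[0-9]+\]: Failed password for/ {
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if (ip != "" && !(ip in skip)) hits[ip]++
        }
        END { for (ip in hits) if (hits[ip] >= thr) printf "%d %s\n", hits[ip], ip }
    ' | sort -rn
}

# Constructed sample log lines (RFC 5737 documentation addresses), not a real
# capture: 203.0.113.7 fails four times, 198.51.100.9 three times, and the
# admin host 192.0.2.10 mistypes once before logging in with a key.
SAMPLE_AUTHLOG='Mar 12 10:15:01 bsdbox sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar 12 10:15:03 bsdbox sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51235 ssh2
Mar 12 10:15:05 bsdbox sshd[1240]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar 12 10:15:06 bsdbox sshd[1240]: Failed password for root from 203.0.113.7 port 51241 ssh2
Mar 12 10:16:10 bsdbox sshd[1250]: Failed password for invalid user oracle from 198.51.100.9 port 4000 ssh2
Mar 12 10:16:12 bsdbox sshd[1251]: Failed password for invalid user test from 198.51.100.9 port 4001 ssh2
Mar 12 10:16:14 bsdbox sshd[1252]: Failed password for invalid user test from 198.51.100.9 port 4002 ssh2
Mar 12 10:20:00 bsdbox sshd[1300]: Failed password for alice from 192.0.2.10 port 60000 ssh2
Mar 12 10:20:05 bsdbox sshd[1300]: Accepted publickey for alice from 192.0.2.10 port 60000 ssh2'

# Stand-alone run: sources with three or more failures, never reporting the
# admin host 192.0.2.10. On a real box: ssh_offenders 3 "192.0.2.10" < /var/log/authlog
printf '%s\n' "$SAMPLE_AUTHLOG" | ssh_offenders 3 "192.0.2.10"
```

To seed the PF table from the output, pipe the addresses into pfctl: ssh_offenders 10 < /var/log/authlog | awk '{print $2}' | xargs -n1 pfctl -t ssh-blacklist -T add. Entries added this way are expired by expiretable or "pfctl -T expire" exactly like the ones the overload rule inserts.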
Thanks to Johan Fredin for the tip!
Blocking brute-force attacks on OpenBSD servers.
I'll release a translated version soon!