# ss.h.i.t alternatives || other brute force blockers?



## dave (Nov 20, 2008)

I have used security/ss(h)(i)(t) to block IPs that make attacks on SSH in the past.  I notice that it really doesn't work very well on 7 because auth.log lists hostnames now instead of just IPs.

The forum profanity blocker does not allow the port name, but you will see it in the link below...

See: http://www.freebsd.org/cgi/query-pr.cgi?pr=115210

Are there any good alternatives?

Other suggestions are welcome.

Thanks!


----------



## lme@ (Nov 20, 2008)

dave said:

> Are there any good alternatives?



Yes, using public key authentication. Blocking IP addresses automatically is very dangerous.


----------



## antik (Nov 20, 2008)

dave said:

> Other suggestions are welcome.
> 
> Thanks!



I have been using *security/denyhosts* for a couple of years already and it just works. Usually I configure it to forget blocked IP addresses after 20 minutes, in case you block yourself out of your box.


----------



## SirDice (Nov 20, 2008)

security/sshguard works with IP Filter, PF and IPFW.

http://www.freshports.org/search.ph...leted&start=1&casesensitivity=caseinsensitive


----------



## dave (Nov 20, 2008)

Thanks for the suggestions.  My particular requirements make it such that I can block IPs without worry, but I still like to use a system that will only block for a while.  Thanks for the suggestions.  I will check them out.


----------



## chrcol (Nov 21, 2008)

If you utilise an auto-blocking system, I would only do so on SSH if it has a whitelist feature for your own IP address.


----------



## harisman (Nov 23, 2008)

@chrcol
You can use denyhosts to block the attackers through the firewall as well, as antik already said.
This can be done by writing custom denyhosts plugins and whitelisting the valid ones.
You can see my configuration using pf below:

`/usr/local/share/denyhosts/plugins/pf_deny.sh`

```sh
#!/bin/sh
# Add the address passed in by denyhosts ($1) to the pf table.
/sbin/pfctl -t badhosts -Tadd "$1"
```

`/usr/local/share/denyhosts/plugins/pf_purge.sh`

```sh
#!/bin/sh
# Remove the address passed in by denyhosts ($1) from the pf table.
/sbin/pfctl -t badhosts -Tdel "$1"
```

`/etc/pf.conf`

```
.
.
table <badhosts> persist file "/etc/hosts.evil"
block drop in quick log on $ext_if from <badhosts> to any
.
.
```

`/usr/local/etc/denyhosts.cfg`

```
.
.
HOSTS_DENY = /etc/hosts.evil
PLUGIN_DENY=/usr/local/share/denyhosts/plugins/pf_deny.sh
PLUGIN_PURGE=/usr/local/share/denyhosts/plugins/pf_purge.sh
ALLOWED_HOSTS_HOSTNAME_LOOKUP=YES
.
.
```

`/usr/local/share/denyhosts/data/allowed-hosts`

```
localhost
127.0.0.1
192.168.34.100
```

`/etc/hosts.allow`

```
.
.
ALL : /etc/hosts.evil : deny
```


----------



## danger@ (Nov 23, 2008)

You may find my tool useful; it also supports whitelisting features. It's under security/bruteforceblocker.


----------



## myst (Nov 24, 2008)

dave said:

> Are there any good alternatives?
> 
> Other suggestions are welcome.
> 
> Thanks!


Try to use port knocking:
"Port knocking is a stealthy network authentication system that uses closed ports to carry out identification of trusted users."
http://www.portknocking.org
IMHO a very good alternative to IP blacklisting.


----------



## SirDice (Nov 24, 2008)

chrcol said:

> if you utilise a auto blocking system I would only do so on ssh if it has a whitelist feature for own ip address.



sshguard only blocks for an hour (configurable). So if you manage to type your own password wrongly 5 times in 2 minutes you're blocked but the blockade is automatically removed after 60 minutes. It stops all those damned bruteforcers except a few braindead ones. Those end up getting added permanently by yours truly.


----------
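The blocking policy discussed in this thread (5 failures in 2 minutes, block lifted after 60 minutes, whitelisted addresses never blocked), run over constructed auth.log lines. This is an added example, not code from sshguard, denyhosts or any poster; the log lines, the `find_blocks` name and the use of the earlier allowed-hosts entries as the whitelist are assumptions. It also shows the hostname-in-auth.log case from the first post: a source that is not an IP address is reported rather than blocked.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Policy as described in the thread: 5 failures in 2 minutes, block lifted after 60 minutes.
MAX_FAILURES, WINDOW, BLOCK_FOR = 5, timedelta(minutes=2), timedelta(minutes=60)
WHITELIST = {"127.0.0.1", "192.168.34.100"}  # assumed: allowed-hosts entries posted earlier

FAILED = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
                    r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+")

def _line(sec, user, src):
    # Builds one constructed auth.log line (sample data, not from a real host).
    return (f"Nov 24 10:00:{sec:02d} box sshd[4242]: "
            f"Failed password for {user} from {src} port 50022 ssh2")

SAMPLE = ([_line(s, "invalid user admin", "203.0.113.5") for s in range(0, 50, 10)]
          + [_line(s, "dave", "192.168.34.100") for s in range(0, 50, 10)]
          + [_line(s, "root", "scanner.example.net") for s in range(0, 50, 10)]
          + [_line(s, "dave", "198.51.100.7") for s in (0, 30)])

def find_blocks(lines, year=2008):
    """Return ({ip: unblock_time}, {unresolved hostnames}) for the given log lines."""
    recent, blocked, skipped = defaultdict(deque), {}, set()
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        src = m.group(2)
        try:
            ipaddress.ip_address(src)
        except ValueError:
            skipped.add(src)  # log shows a hostname: report it, do not guess an address
            continue
        if src in WHITELIST or blocked.get(src, when) > when:
            continue  # never block whitelisted hosts; ignore hits during an active block
        hits = recent[src]
        hits.append(when)
        while when - hits[0] > WINDOW:
            hits.popleft()  # drop failures that fell out of the 2-minute window
        if len(hits) >= MAX_FAILURES:
            blocked[src] = when + BLOCK_FOR
            hits.clear()
    return blocked, skipped

if __name__ == "__main__":
    blocked, skipped = find_blocks(SAMPLE)
    print({ip: str(until) for ip, until in blocked.items()}, sorted(skipped))
```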



## chrcol (Nov 24, 2008)

Thanks guys, I will look into sshguard as a friend on IRC has also recommended it to me.


----------



## cajunman4life (Nov 29, 2008)

I too use denyhosts, and you are able to configure blocking. For example, if someone from IP x.x.x.x attempts to log in using an invalid name (which is 99.7% of the failed login attempts my box gets) it is blocked for good. If IP y.y.y.y attempts to log in with a valid name, it is blocked for 15 minutes (in case you type your password wrong 3 times on a Monday morning after a holiday weekend). Root logins are blocked forever (as root login is not allowed remotely on my box).


----------



## dave (Nov 29, 2008)

I have loaded up denyhosts and it seems great.  Easy setup, and very effective.


----------

