# SSHd - 'no respond' mode and port knocking



## PacketMan (Mar 6, 2017)

I'm curious to know if SSHd can be configured for two pieces of functionality. I read through sshd(8) and sshd_config(5) and I didn't see what I was looking for.

The 'no respond' mode is basically SSHd stops responding to sessions if a number of authentication requests fail. So say after 3 failed attempts SSHd does not respond for 30 minutes for example.

Port knocking is where the incoming SSH client session has to come in for a certain port for a certain number of tries before the real SSH port becomes open.


----------



## trev (Mar 7, 2017)

PacketMan said:


> I'm curious to know if SSHd can be configured for two pieces of functionality. I read through sshd(8) and sshd_config(5) and I didn't see what I was looking for.
> 
> The 'no respond' mode is basically SSHd stops responding to sessions if a number of authentication requests fail. So say after 3 failed attempts SSHd does not respond for 30 minutes for example.




```
Mar  7 13:05:43 shadow sshd[65935]: error: maximum authentication attempts exceeded for invalid user root from 122.241.244.6 port 42181 ssh2 [preauth]
```

As you can see from the above, it certainly supports killing a session if a number of authentication attempts is exceeded.

Not then allowing anyone to access the machine for 30 minutes, or even any lesser time, seems rather inconvenient! Instead, I run a script every five minutes that trawls the log and permanently firewalls the IP address for such miscreants.

You might like to recheck sshd_config() especially for `MaxAuthTries` and `LoginGraceTime`.


----------



## bvansomeren (Mar 7, 2017)

You might want to look at knockd(1) for port knocking (no experience, the manpage refers to using IPTables commands, so yeah.. )
I also second the solution by trev above, FreeBSD is working on a full port of blacklistd(8) which can be used to automatically deny attackers in your firewall.


----------



## PacketMan (Mar 7, 2017)

trev said:


> Not then allowing anyone to access the machine for 30 minutes, or even any lesser time, seems rather inconvenient!
> You might like to recheck sshd_config() especially for `MaxAuthTries` and `LoginGraceTime`.



Security and convenience are at opposite ends of the ruler. As you increase one, you lose from the other. I looked at the grace timer but it's not the same outcome.



bvansomeren said:


> You might want to look at knockd(1) ......FreeBSD is working on a full port of blacklistd(8) .......



Well I'll be. Couldn't find that knockd yesterday. I'll check out both, thank you.


----------



## IPTRACE (Mar 7, 2017)

Try to use `MaxStartups 5:15:30` in /etc/ssh/sshd_config.


```
MaxStartups
             Specifies the maximum number of concurrent unauthenticated
             connections to the SSH daemon.  Additional connections will be
             dropped until authentication succeeds or the LoginGraceTime
             expires for a connection.  The default is 10:30:100.

             Alternatively, random early drop can be enabled by specifying the
             three colon separated values “start:rate:full” (e.g. "10:30:60").
             sshd(8) will refuse connection attempts with a probability of
             “rate/100” (30%) if there are currently “start” (10)
             unauthenticated connections.  The probability increases linearly
             and all connection attempts are refused if the number of
             unauthenticated connections reaches “full” (60).
```
Anyway, if you use PF (Packet Filter) you are able to "autoblock" IPs which make too many connections to the SSHD port, like below.


```
# persistent table, seeded from the file whenever the ruleset is loaded
table <bruteforce> persist file "/etc/bruteforce.data"
block quick log (all) from <bruteforce>
# more than 3 concurrent connections, or more than 2 new ones within 5 seconds,
# from one source puts that address into <bruteforce> and kills all its states
pass in quick log (all) on re0 tcp from any to 10.10.10.10 port 22 synproxy state (max-src-conn 3, max-src-conn-rate 2/5, overload <bruteforce> flush global)
```
Be informed that after a restart the PF process clears the bruteforce table data, so the file /etc/bruteforce.data should be loaded with IPs. You can create a cronjob to copy the data from pfctl.

`pfctl -t bruteforce -T show > /etc/bruteforce.data`
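trev's five-minute log-trawling script and the table dump above, combined as an added example that is not code from either poster: it parses the sshd "maximum authentication attempts exceeded" line quoted earlier in the thread, adds repeat offenders to the `<bruteforce>` pf table and refreshes /etc/bruteforce.data. The log path /var/log/auth.log and the threshold of two hits are assumptions, and the sample log lines are constructed.

```python
import re
import subprocess
from collections import Counter

# Pattern for the sshd "maximum authentication attempts exceeded" line quoted
# earlier in the thread; "invalid user " is absent when the user name exists.
LOG_RE = re.compile(
    r"sshd\[\d+\]: error: maximum authentication attempts exceeded for "
    r"(?:invalid user )?\S+ from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed sample log lines (only the first IP appears in the thread).
SAMPLE_LOG = [
    "Mar  7 13:05:43 shadow sshd[65935]: error: maximum authentication attempts exceeded for invalid user root from 122.241.244.6 port 42181 ssh2 [preauth]",
    "Mar  7 13:06:01 shadow sshd[65940]: error: maximum authentication attempts exceeded for admin from 122.241.244.6 port 42190 ssh2 [preauth]",
    "Mar  7 13:07:12 shadow sshd[65951]: error: maximum authentication attempts exceeded for invalid user test from 203.0.113.7 port 51000 ssh2 [preauth]",
    "Mar  7 13:07:30 shadow sshd[65960]: Accepted publickey for alice from 192.0.2.10 port 52000 ssh2",
]

def offenders(log_lines, threshold=2):
    """Sorted source IPs that hit MaxAuthTries at least `threshold` times;
    non-matching lines (successful logins, other errors) are ignored."""
    counts = Counter()
    for line in log_lines:
        match = LOG_RE.search(line)
        if match:
            counts[match.group("ip")] += 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)

def pfctl_add_commands(ips, table="bruteforce"):
    """One `pfctl -t <table> -T add <ip>` argv per offender."""
    return [["pfctl", "-t", table, "-T", "add", ip] for ip in ips]

def block_offenders(log_path="/var/log/auth.log", table="bruteforce",
                    persist_file="/etc/bruteforce.data", threshold=2):
    """Cron entry point (log path is an assumption): add offenders to the pf
    table, then dump the table to the persist file so the entries survive a
    pf restart, as noted above. Must run as root to drive pfctl."""
    with open(log_path) as fh:
        ips = offenders(fh, threshold)
    for argv in pfctl_add_commands(ips, table):
        subprocess.run(argv, check=True)
    shown = subprocess.run(["pfctl", "-t", table, "-T", "show"],
                           check=True, capture_output=True, text=True)
    with open(persist_file, "w") as out:
        out.write(shown.stdout)
    return ips
```

Run `block_offenders()` from root's crontab every five minutes; the persist file written at the end is what the `table ... persist file` line in the pf ruleset reads back after a reload.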


----------

