# Opened SSHD, people spying..



## JordanTBoehm (Jul 5, 2011)

I opened up SSH for about a day, and now I have a few messages about "failed authentication" requests from foreign IPs. One of them resides in Bangkok! I know they will have trouble gaining access without a key, but should I be scared? ahaha :\


----------



## OH (Jul 5, 2011)

This is normal (sadly).

I block APNIC, LACNIC and AFRINIC on all ports below 1000 by pf() standard. Only a couple of European and American attempts remain currently and now and again there might be a 'surge' of a few days, but I haven't seen one of those in a long time.

Other people will tell you to run sshd on a non-standard port.


----------



## SirDice (Jul 5, 2011)

Use something like security/sshguard-pf.

Brute force attacks are a fact of life these days.


----------



## JordanTBoehm (Jul 5, 2011)

Thanks for the advice! I don't know how to pf, but FreeBSD has the best documentation I have ever seen, I'll learn.


----------



## JordanTBoehm (Jul 5, 2011)

Is security/sshguard-pf an easier way to do what he just explained?


----------



## SirDice (Jul 5, 2011)

Sshguard simply looks at the logins. It'll block an IP address when there have been 4 failed attempts within a few minutes' time. The block will last about an hour and will be automatically lifted again.

Easy to set up, nothing much to configure, works like a charm.
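The sshguard behaviour described above, as an added model (not sshguard's code and not from this thread): a sliding-window counter run over constructed sshd log lines, using the assumed thresholds of 4 failures within 5 minutes and a one-hour block that lifts by itself.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed auth.log lines (OpenSSH syslog format); addresses are documentation-range placeholders.
SAMPLE_LOG = """\
Jul  5 10:12:01 gw sshd[8123]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Jul  5 10:12:03 gw sshd[8125]: Failed password for root from 203.0.113.5 port 51030 ssh2
Jul  5 10:12:05 gw sshd[8127]: Failed password for invalid user oracle from 203.0.113.5 port 51041 ssh2
Jul  5 10:12:06 gw sshd[8129]: Failed password for invalid user test from 203.0.113.5 port 51055 ssh2
Jul  5 10:20:00 gw sshd[8200]: Failed password for invalid user guest from 198.51.100.9 port 40000 ssh2
Jul  5 10:50:00 gw sshd[8300]: Failed password for invalid user pi from 198.51.100.9 port 40001 ssh2
Jul  5 11:30:00 gw sshd[8400]: Accepted publickey for jordan from 192.0.2.10 port 50000 ssh2
"""
TS_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) ")
FAIL_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port \d+")
class FailureTracker:
    # Sliding window: `threshold` failures within `window` block the source for `block_for`.
    def __init__(self, threshold=4, window=timedelta(minutes=5),
                 block_for=timedelta(hours=1), year=2011):
        self.threshold, self.window, self.block_for, self.year = threshold, window, block_for, year
        self.failures, self.blocked = defaultdict(deque), {}  # ip -> recent failures; ip -> when block lifts
    def feed(self, line):
        # Process one log line; return the IP if this line raises a new block, else None.
        m = TS_RE.match(line)
        if not m:
            return None
        now = datetime.strptime(f"{self.year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        # Blocks lift automatically once block_for has elapsed, as the post describes.
        for ip in [ip for ip, until in self.blocked.items() if now >= until]:
            del self.blocked[ip]
        f = FAIL_RE.search(line)
        if not f:
            return None  # successful logins and other sshd messages do not count
        ip, q = f.group(1), self.failures[f.group(1)]
        q.append(now)
        while now - q[0] > self.window:  # forget failures older than the window
            q.popleft()
        if len(q) >= self.threshold and ip not in self.blocked:
            self.blocked[ip] = now + self.block_for
            q.clear()
            return ip
        return None

def replay(log):
    tracker, events = FailureTracker(), []
    for ip in map(tracker.feed, log.splitlines()):
        if ip:
            events.append((ip, tracker.blocked[ip]))
    return tracker, events
```

A per-source counter like this is exactly what the distributed attacks mentioned later in the thread slip under, since each host makes only one or two attempts.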


----------



## JordanTBoehm (Jul 5, 2011)

Makes perfect sense!


----------



## Nukama (Jul 5, 2011)

Another layer of security could be cocooned with security/fwknop from www.cipherdyne.org around your sshd.


----------



## jem (Jul 5, 2011)

OH said:

> Other people will tell you to run sshd on a non-standard port.



This is what I do. It's the quickest and simplest way to quieten my logs.


----------



## gordon@ (Jul 6, 2011)

If you are using pf(4), you can just use the following rules (which are running on my server):


```
# Table that overloaded sources are added to; 'persist' keeps it even when empty
table <bad_hosts> persist

block quick from <bad_hosts>

# Allow ssh connections globally, but rate limited
pass in quick proto tcp from any to any port 22 keep state \
        (max-src-conn-rate 3/180, overload <bad_hosts> flush global)
```

The magic is in the max-src-conn-rate bit. I limit 3 connection attempts in 3 minutes. If more than that come in, it'll add the IP to the bad_hosts list and nuke any of their existing connections. No separate port installation needed. See pf.conf(5) for more information.


----------



## JordanTBoehm (Jul 6, 2011)

That seems like the best way to secure my machine. Thanks Gordon! As I learn more it seems nothing can beat the default BSD programs and features. vi is unnatural, but it won't leave my screen full of weird bugs as with ee. Aha, but SSH sure beats telnet!


----------



## OH (Jul 6, 2011)

gordon@ said:

> If you are using pf(4), you can just use the following rules (which are running on my server):
>
> ```
> ...
> ```



I use this too, but I also see that the crackers/scriptkiddies anticipate this and space their attempts accordingly. Having another program looking at the logfile (which I don't do) does improve on the security.


----------



## graudeejs (Jul 6, 2011)

For my home PC, and for my server (the server's root IP), I only allow connections from IPs that originate from my country (with the help of pf or ipfw).

Check with your NIC whether it has a list of your country's IP blocks for download.


----------



## gordon@ (Jul 7, 2011)

OH said:

> I use this too, but I also see that the crackers/scriptkiddies anticipate this and space their attempts accordingly. Having another program looking at the logfile (which I don't do) does improve on the security.



I've only once seen a host slow down enough to not hit the 3 in 3 minute rule. 99+% of the time, they hit the 3 connection attempts in 3 seconds.


----------



## SirDice (Jul 7, 2011)

Yeah, most of my attackers are picked up by sshguard too. Unfortunately, some of the bastards (for lack of a better word) have resorted to distributed attacks, meaning the brute force will come from all directions. Each host will only try one or two before moving on, but you'll get dozens of different hosts attacking you at once.

Nothing much you can do about it. Just sit out the ride and make sure all your accounts are properly set up with proper passwords.


----------



## graudeejs (Jul 7, 2011)

SirDice said:

> Nothing much you can do about it. Just sit out the ride and make sure all your accounts are properly set up with proper passwords.



You mean SSH keys.


----------



## SirDice (Jul 7, 2011)

Proper passwords will suffice. They'll only try easily guessed usernames and accounts. Granted, keys would be better, but I don't always have my keys with me.


----------

