Automatically blocking brute-force attacks on your FreeBSD server

Aug 1st, 2011 | Category: Internet, Linux / Freebsd

I was going through my auth.log today and noticed that a simple brute-force attack was underway: a few hundred attacks from IPs originating out of HANKUK UNIVERSITY OF FOREIGN STUDIES in Korea (220.67.126.35), Sun Network in China (121.127.231.251) and finally from Vodafone in Italy (2.40.63.99). I'm not concerned about them actually breaking through, as there are no open accounts or guessable passwords anywhere on my system; however, they are causing a bit of overhead on my server with 60-80 login attempts.

So I went googling around to find a good way to monitor login activity and ban IPs for people who have more than 7 failed logins. I should note here that the best bet would be to have an IP whitelist that only allows ssh connections from specified IPs, but I'm jumping all over the place so often that that's a bit of a pain in the ass, which leads me to the following solution found here:

http://www.freebsdwiki.net/index.php/Block_repeated_illegal_or_failed_SSH_logins


First thing to do is set up some precautionary measures with sshd:

Limiting SSH login sessions

In your sshd_config file, the following settings can also help slow down such attacks.

  • LoginGraceTime
The server disconnects after this time if the user has not successfully logged in. If the value is 0, there is no time limit. The default is 120 seconds.
  • MaxStartups
Specifies the maximum number of concurrent unauthenticated connections to the sshd daemon. Additional connections will be dropped until authentication succeeds or the LoginGraceTime expires for a connection. The default is 10. Alternatively, random early drop can be enabled by specifying the three colon-separated values "start:rate:full" (e.g., "10:30:60"). sshd will refuse connection attempts with a probability of "rate/100" (30%) if there are currently "start" (10) unauthenticated connections. The probability increases linearly, and all connection attempts are refused if the number of unauthenticated connections reaches "full" (60).
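The two settings above as they would appear in sshd_config, with the defaults the post quotes left commented out and tighter values beside them. This fragment is an added illustration, not configuration from the post; the tightened numbers (30 seconds, 10:30:60) are example choices, not recommendations from the original.

```conf
# LoginGraceTime: seconds an unauthenticated connection may sit before sshd
# drops it. Default is 120; a shorter grace period frees slots faster.
#LoginGraceTime 120
LoginGraceTime 30

# MaxStartups: default is a flat cap of 10 pending unauthenticated connections.
#MaxStartups 10
# Random early drop, "start:rate:full": once 10 connections are pending, refuse
# new ones with probability 30%, rising linearly to 100% at 60 pending.
MaxStartups 10:30:60
```

Check the file with `sshd -t` before restarting sshd, since a syntax error in sshd_config will keep the daemon from starting.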

Next, make sure your log files are up to snuff, then set up a very basic script that scans those files (via cron) and blocks IPs based on the results. I find IPFW invaluable for the work I do, so that's the route I'm going, but if you use PF or IPF there are instructions in the link above for them.

/etc/syslog.conf

You need an auth.* line in your syslog.conf file in order to log all authentications.

auth.*                                          /var/log/auth.log

Using IPFW

Create sshd-fwscan.sh and put it somewhere handy like /usr/local/sbin/

#!/bin/sh
# Rule 20000 holds every blocked address. Drop it first so stale entries
# expire; the rule is rebuilt from the current auth.log on every run.
# Match the rule number exactly (grep -x) rather than as a substring.
if ipfw show | awk '{print $1}' | grep -qx 20000 ; then
        ipfw delete 20000
fi
# This catches repeated attempts for both legal and illegal users.
# The address is taken from the field after "from" rather than the last
# field, so lines that end in "port NNNN" are still counted correctly.
# No check for duplicate entries is performed, since the rule
# has been deleted.
awk '/sshd/ && (/Invalid user/ || /authentication error/) {
        for (i = 1; i < NF; i++) if ($i == "from") { try[$(i + 1)]++; break }
     }
     END {for (h in try) if (try[h] > 5) print h}' /var/log/auth.log |
while read -r ip
do
        # Rule 20000 must be numbered below any rule that allows ssh in,
        # since ipfw acts on the first rule that matches.
        ipfw -q add 20000 deny tcp from "$ip" to any in
done

Note: To make sure IPs expire, we delete and re-add rule 20000 of the firewall each time the script runs; an IP that no longer exceeds the threshold in auth.log is therefore no longer firewalled.
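A dry-run version of the same scan, added here as an example and not taken from the post or the FreeBSD wiki page it links to. It counts failed sshd logins per source address from a constructed auth.log sample (documentation-range addresses, not the attackers named above) and prints the ipfw commands instead of executing them, so the log-parsing logic can be exercised on any machine. Beyond the post's script it also counts "Failed password" lines and reads the address after the word "from", so newer sshd lines ending in "port NNNN" are handled; the threshold is passed in rather than fixed at 5.

```shell
#!/bin/sh
# Added example; not the post's sshd-fwscan.sh. Same idea, but the ipfw
# commands are printed rather than run, so this is safe to try anywhere.

# offenders LOGFILE THRESHOLD: print, one per line and sorted, every address
# with more than THRESHOLD failed sshd logins in LOGFILE. The address is the
# field after "from" rather than the last field, so lines that end in
# "port NNNN" (newer sshd) are counted correctly.
offenders() {
    awk -v limit="$2" '
        /sshd/ && (/Invalid user/ || /authentication error/ || /Failed password/) {
            for (i = 1; i < NF; i++)
                if ($i == "from") { tries[$(i + 1)]++; break }
        }
        END { for (h in tries) if (tries[h] > limit) print h }
    ' "$1" | sort
}

# block_commands LOGFILE THRESHOLD: emit the ipfw rules the post's script would
# add. Rule 20000 must be numbered below any rule that allows the traffic in,
# because ipfw acts on the first rule that matches.
block_commands() {
    offenders "$1" "$2" | while read -r ip; do
        printf 'ipfw -q add 20000 deny tcp from %s to any in\n' "$ip"
    done
}

# Constructed sample log, not a real capture. 198.51.100.7 fails six times
# (over the post's threshold of 5), 203.0.113.9 twice, and the last line is a
# successful login that must not be counted.
SAMPLE_LOG="${TMPDIR:-/tmp}/auth.log.sample.$$"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Aug  1 10:00:01 host sshd[1001]: Invalid user admin from 198.51.100.7
Aug  1 10:00:02 host sshd[1002]: error: PAM: authentication error for illegal user admin from 198.51.100.7
Aug  1 10:00:03 host sshd[1003]: Invalid user test from 198.51.100.7 port 51234
Aug  1 10:00:04 host sshd[1004]: Invalid user oracle from 198.51.100.7 port 51240
Aug  1 10:00:05 host sshd[1005]: Failed password for root from 198.51.100.7 port 51250 ssh2
Aug  1 10:00:06 host sshd[1006]: Invalid user guest from 198.51.100.7 port 51260
Aug  1 10:00:07 host sshd[1007]: Invalid user admin from 203.0.113.9
Aug  1 10:00:08 host sshd[1008]: Invalid user admin from 203.0.113.9
Aug  1 10:00:09 host sshd[1009]: Accepted publickey for alice from 192.0.2.44 port 40000 ssh2
EOF

# Dry run: ./scan.sh --demo prints the rule(s) that would be added at threshold 5.
if [ "${1:-}" = "--demo" ]; then
    block_commands "$SAMPLE_LOG" 5
fi
```

To turn the dry run into the real thing, pipe `offenders /var/log/auth.log 5` into the same `ipfw delete`/`ipfw add` sequence the post's script uses; keeping the parsing in a function makes it easy to test against a saved log before it touches the firewall.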


That's that. I just ran the script as a test and voilà, I've got 3 new rules in IPFW blocking those IPs. Hoorah! 🙂
