Enable automatic defence against SSH attacks on FreeBSD using PF

by kkikta 25. January 2008 06:52
For a long time I used to see reports of brute-force SSH attacks against my FreeBSD machines in my mailbox every morning. Finally I got fed up, not because they were even getting close to getting in, but because I was tired of getting these huge reports. So I decided it was time to do something about it. First let me say I run PF (BSD Packet Filter) on all my FreeBSD machines. It's quite easy to set up, so I will start there.
  1. Rebuild your kernel to enable ALTQ; being able to throttle bandwidth is pretty cool (optional)
    1. Create a folder in /root called kernels
      [root@test] [/usr/src/sys/i386/conf]# mkdir /root/kernels
    2. Make a copy of the GENERIC kernel profile and place it in the /root/kernels directory. Keep in mind that if you're running, say, an AMD64 this directory will be slightly different.
      [root@test] [/usr/src/sys/i386/conf]# cp GENERIC /root/kernels/
    3. Rename the file to something else like GENERIC-PF
      [root@test] [/usr/src/sys/i386/conf]# mv /root/kernels/GENERIC /root/kernels/GENERIC-PF
    4. Link the new kernel file to directory where your kernel configuration files exist.
      [root@test] [/usr/src/sys/i386/conf]# ln -s /root/kernels/GENERIC-PF
    5. Open the file in your favorite editor (vi for me)
      [root@test] [/usr/src/sys/i386/conf]# vi GENERIC-PF
      You may want to change the ident so that it reflects the changes you make to the kernel as well.
      ident         GENERIC-PF
      and add the following lines below the last line that starts with options and above the first line that begins with device.
      options         ALTQ
      options ALTQ_CBQ # Class Based Queuing (CBQ)
      options ALTQ_RED # Random Early Detection (RED)
      options ALTQ_RIO # RED In/Out
      options ALTQ_HFSC # Hierarchical Packet Scheduler (HFSC)
      options ALTQ_PRIQ # Priority Queuing (PRIQ)
      options ALTQ_NOPCC # Required for SMP build
    6. Rebuild your kernel

      [root@test] [/usr/src/sys/i386/conf]# cd ../../../
      [root@test] [/usr/src]# make buildkernel KERNCONF=GENERIC-PF

    7. If everything goes right install your new kernel
      [root@test] [/usr/src]# make installkernel KERNCONF=GENERIC-PF
    8. Reboot
  2. Enable PF in your /etc/rc.conf by adding the following lines to the end of the file
    pf_enable="YES"
    pflog_enable="YES"
    
  3. Edit your /etc/pf.conf to set up some basic rules. Before doing this you should know what kind of network card you have; you can find this info by running the command ifconfig. In the box I have at the house I have a VIA NIC, so the driver is vr0.
    1. Edit the entry ext_if="eth0" so that it contains your NIC driver, e.g. ext_if="vr0". If you're going to do other filtering you will want to set ext_addr to your external IP address.
    2. Let pf know your local interface is safe by telling it to skip filtering
      set skip on lo0
    3. It's also not a bad idea to normalize incoming packets and drop malformed ones; this can be done by adding the line
      scrub in on $ext_if all
    4. Set up a rule to block everything you don't explicitly want to allow and pass the good stuff
      block in log on $ext_if all
      block out log on $ext_if all
      pass  out on $ext_if inet proto tcp all flags S/SA keep state
      pass  out on $ext_if inet proto udp all keep state
      pass  out on $ext_if inet proto icmp all keep state
    5. Enable ssh through the firewall
      pass  in  on $ext_if proto tcp from any to $ext_if port 22 keep state
    6. Next you will probably want to set up your basic rules if you are using any services such as http or ftp.
    7. Add the table used to stop those script kiddies in their tracks.
      # sshd attacks
      table <ssh-violations> persist file "/etc/ssh-violations"
      block drop in from <ssh-violations> to any
  4. You should end up with something that looks similar to this.
    ext_if="vr0"
    ext_addr="10.11.12.13"
    
    set skip on lo0
    scrub in on $ext_if all
    
    block in  log on $ext_if all
    block out log on $ext_if all
    
    pass  out on $ext_if inet proto tcp all flags S/SA keep state
    pass  out on $ext_if inet proto udp all keep state
    pass  out on $ext_if inet proto icmp all keep state
    
    #ssh
    pass  in  on $ext_if proto tcp from any to $ext_if port 22 keep state
    
    #http
    pass  in  on $ext_if proto tcp from any to any port 80 flags S/SA keep state
    
    # sshd attacks
    table <ssh-violations> persist file "/etc/ssh-violations"
    block drop in from <ssh-violations> to any
    
    antispoof for $ext_if

  5. Next create a blank ssh-violations file.
    [root@test] [/etc]# touch ssh-violations
  6. Enable PF
    [root@test] [/etc]# rc.d/pf start
  7. Now that you have PF up and running comes the good part: open up your favorite editor, create a file in the /root directory named sshd-fwscan.sh and paste the following.
    #!/bin/sh
    # Rebuild the <ssh-violations> PF table from /var/log/auth.log.
    COMMAND="/sbin/pfctl"
    LOG="/var/log/auth.log"

    # Start from an empty table on every run.
    $COMMAND -t ssh-violations -T flush

    # Older sshd logs "Illegal user ... from <addr>", newer sshd logs "Invalid user ... from <addr>";
    # the address is the 10th field. Block any address that appears more than once
    # (sort before uniq -d, otherwise only adjacent duplicates are found).
    for ips in `grep sshd $LOG | grep "Illegal" | awk '{print $10}' | sort | uniq -d` ; do
        $COMMAND -t ssh-violations -T add $ips
    done
    for ips in `grep sshd $LOG | grep "Invalid" | awk '{print $10}' | sort | uniq -d` ; do
        $COMMAND -t ssh-violations -T add $ips
    done

    # "Failed password ... from <addr> port <n> ssh2": the address is the 4th field from the end.
    # Block any address with more than 5 failures that is not already in the table.
    grep sshd $LOG | grep "Failed" | rev | cut -d' ' -f 4 | rev | sort | uniq -c | \
    ( while read num ips; do
        if [ $num -gt 5 ]; then
            if ! $COMMAND -t ssh-violations -T show | grep -qw "$ips" ; then
                $COMMAND -t ssh-violations -T add $ips
            fi
        fi
    done
    )

  8. Change the permissions on that file to +x
    [root@test] [/root]# chmod +x sshd-fwscan.sh
  9. Set up a crontab entry so that the file is run, say, every 2 minutes.
    */2 * * * *     /root/sshd-fwscan.sh > /dev/null 2>&1
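
The same two detection rules as sshd-fwscan.sh (an address seen more than once on an Illegal/Invalid user line, or more than five Failed password lines), written as an added example rather than the post's own script, as shell functions that run over a few constructed auth.log lines and, with DRY_RUN=1, print the pfctl commands instead of executing them, so the matching can be checked on a box that is not running PF. Instead of the fixed field positions ($10, fourth from the end) it takes the address after the last "from" on the line, so it also handles sshd lines with extra words before the address. The function names (src_addr, offenders, apply_block), FAIL_LIMIT, DRY_RUN and the sample lines are all mine; the addresses are from the RFC 5737 documentation ranges.

```shell
#!/bin/sh
# Added example: the detection rules of sshd-fwscan.sh as testable functions.
# FAIL_LIMIT matches the script's "-gt 5" threshold for Failed password lines.
FAIL_LIMIT=5

# Sample auth.log lines, constructed for this example (documentation addresses).
SAMPLE_LOG='Jan 25 06:40:01 test sshd[1201]: Invalid user admin from 192.0.2.10
Jan 25 06:40:03 test sshd[1203]: Invalid user oracle from 192.0.2.10
Jan 25 06:40:05 test sshd[1205]: Illegal user test from 198.51.100.7
Jan 25 06:40:09 test sshd[1207]: Failed password for root from 203.0.113.5 port 40122 ssh2
Jan 25 06:40:10 test sshd[1207]: Failed password for root from 203.0.113.5 port 40122 ssh2
Jan 25 06:40:11 test sshd[1207]: Failed password for root from 203.0.113.5 port 40122 ssh2
Jan 25 06:40:12 test sshd[1207]: Failed password for root from 203.0.113.5 port 40122 ssh2
Jan 25 06:40:13 test sshd[1207]: Failed password for root from 203.0.113.5 port 40122 ssh2
Jan 25 06:40:14 test sshd[1207]: Failed password for root from 203.0.113.5 port 40122 ssh2
Jan 25 06:40:20 test sshd[1209]: Failed password for kkikta from 192.0.2.44 port 50000 ssh2
Jan 25 06:40:30 test sshd[1211]: Invalid user guest from 198.51.100.99'

# Print the source address of each sshd line on stdin: the field after the last "from".
src_addr() {
    awk '{ for (i = NF; i > 1; i--) if ($i == "from") { print $(i + 1); break } }'
}

# Read log text on stdin and list the addresses to block, one per line, sorted.
# Rule 1: any address with two or more Illegal/Invalid user attempts.
# Rule 2: any address with more than FAIL_LIMIT failed passwords.
offenders() {
    log=$(cat)
    {
        printf '%s\n' "$log" | grep sshd | grep -E 'Illegal user|Invalid user' \
            | src_addr | sort | uniq -d
        printf '%s\n' "$log" | grep sshd | grep 'Failed password' \
            | src_addr | sort | uniq -c \
            | awk -v limit="$FAIL_LIMIT" '$1 > limit { print $2 }'
    } | sort -u
}

# Add every offender on stdin to the given PF table (default ssh-violations).
# With DRY_RUN=1 the pfctl command is printed instead of run.
apply_block() {
    table=${1:-ssh-violations}
    offenders | while read -r ip; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "/sbin/pfctl -t $table -T add $ip"
        else
            /sbin/pfctl -t "$table" -T add "$ip"
        fi
    done
}

# Demonstration on the constructed sample: prints two pfctl commands,
# one for 192.0.2.10 (rule 1) and one for 203.0.113.5 (rule 2).
DRY_RUN=1
printf '%s\n' "$SAMPLE_LOG" | apply_block ssh-violations
```

Run from cron with DRY_RUN unset after a `pfctl -t ssh-violations -T flush`, `cat /var/log/auth.log | apply_block` does the same job as the post's script. Note that 192.0.2.44 (one failure) and 198.51.100.7 (one Illegal user line) are not blocked, which is the same behaviour as the original thresholds.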

At this point, if you have done everything correctly, it should make it really hard for them to successfully brute force SSH, since they only have 120 seconds to figure out your password before they get dropped like a bad habit by the firewall.

Tags:

FreeBSD
