tech-net archive


Re: Options for dealing with sshd brute force attacks



> We all know that public facing ssh servers will get tons of brute
> force attacks.  That's just a fact of life.

> For many machines, running blocklistd helps tremendously.  But what
> happens when blocklistd won't help because npf can't be used?

Until Internet governance is fixed, I see no fix.  My workaround is an
IP blacklist at my subnet's border.  Currently, with a one-week
expiration time, it's cruising at about twenty thousand IPs.

Without knowing why you can't use npf, it's hard to more than guess
whether that's a helpful suggestion for your use case.

Unless you're using a closed-source ssh daemon (which seems unlikely in
view of your mention of OpenSSH), there's always the option of rigging
your ssh daemon to act however you think appropriate.

> One machine has had more than 300,000 attempted logins in the last
> twenty hours.

Goodness, I had no idea the situation was that disastrous.  Apparently
the misbehaviour really is confined to relatively small fractions of
the net, or blocking 20K IPs wouldn't cut the log spam that much.
Unless my corner of the net is less attacked somehow.

Looking at the logs on ftp.rodents-montreal.org, which has
globally-routed IPv4 and IPv6 addresses, I see a low of 12 and a high
of 95 ssh log lines per day since 2024-12-01 - and a small fraction of
those are non-attack log lines.  Looking at the logs for my border
blacklist, which covers my whole /29 (v4) and /60 (v6), from 2024-12-15
through now, I see a min of 32 and a max of 178 IPs blocked per day for
ssh offenses.  (In each case, the numbers do not include today,
since today's numbers will be only partial.)  Each offending IP
contributes at most one entry to the latter list (or two in some
special cases); this is not quite true of the former, but close.

There are going to be some IPs that would be ssh offenders except they
got border-blocked for some other offense first, so their ssh packets
never made it past my border.  I have no easy way of telling how many
such there are (either packets or IPs).

/~\ The ASCII				  Mouse
\ / Ribbon Campaign
 X  Against HTML		mouse%rodents-montreal.org@localhost
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
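
Added example, not part of the post above: a small Python model of the per-day tallying and the one-week-expiring border blacklist described in the reply. It assumes BSD syslog-style sshd lines with no year (2024 is assumed), treats "Invalid user" and "Failed password" lines as offenses, counts each offending IP once per day, drops the current (partial) day, and assumes that a repeat offense refreshes an IP's expiry; the log lines are constructed, and all function and class names are hypothetical.

```python
import re
from collections import defaultdict
from datetime import date, datetime, timedelta

# Constructed sample sshd log lines (documentation-prefix addresses, not real data).
SAMPLE_LOG = """\
Dec 15 03:12:44 ftp sshd[1021]: Invalid user admin from 198.51.100.7 port 51122
Dec 15 03:12:46 ftp sshd[1021]: Failed password for invalid user admin from 198.51.100.7 port 51122 ssh2
Dec 15 09:40:01 ftp sshd[1088]: Accepted publickey for mouse from 192.0.2.10 port 40022 ssh2
Dec 16 01:02:03 ftp sshd[1140]: Failed password for root from 203.0.113.9 port 33001 ssh2
Dec 16 01:02:05 ftp sshd[1140]: Failed password for root from 203.0.113.9 port 33001 ssh2
Dec 22 22:10:10 ftp sshd[1290]: Invalid user test from 198.51.100.7 port 51500
Dec 23 04:00:00 ftp sshd[1300]: Failed password for invalid user oracle from 2001:db8::5 port 60000 ssh2
Dec 24 00:30:00 ftp sshd[1350]: Failed password for root from 203.0.113.77 port 1234 ssh2
"""
YEAR = 2024  # syslog timestamps carry no year; assumed for the sample
DATE = re.compile(r"^(\w{3}) +(\d+) \d\d:\d\d:\d\d \S+ sshd\[\d+\]: ")
OFFENSE = re.compile(r"(?:Invalid user|Failed password for).* from (\S+) port")

def parse_line(line):
    """Return (day, offending_ip_or_None) for an sshd line, or None if not sshd."""
    m = DATE.match(line)
    if not m:
        return None
    day = datetime.strptime(f"{m.group(1)} {m.group(2)} {YEAR}", "%b %d %Y").date()
    o = OFFENSE.search(line)
    return day, (o.group(1) if o else None)

def daily_stats(log, today):
    """Per day before `today`: (number of sshd lines, sorted offending IPs, one entry each)."""
    lines, offenders = defaultdict(int), defaultdict(set)
    for raw in log.splitlines():
        parsed = parse_line(raw)
        if not parsed or parsed[0] >= today:   # skip non-sshd lines and the partial day
            continue
        day, ip = parsed
        lines[day] += 1
        if ip:
            offenders[day].add(ip)
    return {d: (lines[d], sorted(offenders[d])) for d in lines}

class ExpiringBlocklist:
    """Border blacklist with a fixed TTL; a repeat offense refreshes the expiry (assumption)."""
    def __init__(self, ttl=timedelta(days=7)):
        self.ttl, self.expiry = ttl, {}
    def add(self, ip, when):
        self.expiry[ip] = when + self.ttl
    def active(self, now):
        """Drop expired entries and return the IPs still blocked at `now`."""
        self.expiry = {ip: t for ip, t in self.expiry.items() if t > now}
        return sorted(self.expiry)

def build_blocklist(log, today):
    bl = ExpiringBlocklist()
    for day, (_, ips) in daily_stats(log, today).items():
        for ip in ips:
            bl.add(ip, datetime.combine(day, datetime.min.time()))
    return bl
```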

