NetBSD-Users archive


Re: help? fighting ssh user/password guessing attempts

Well, if someone is interested, I have a custom 'php script' run by a cron job that scans auth.log and then creates a firewall rule if it detects brute-force attacks and/or a certain number of incorrect authentications. It clears all rules occasionally. It may scan other ports as well, such as pop, smtp, ftp.

It is for FreeBSD (server) and may be adapted to NetBSD easily. If people think it is useful, I can maintain it...

PS: I also have rules to block certain IP ranges, such as the whole Africa region, Latin America and the Asia region... I can give those IPs too.


Ingbert Meyer, 10/16/08 12:36:
Volkmar Seifert wrote:
Out of curiosity I'd like to come back to my initial question above: Does anybody have experience or further reading about NetBSD firewall and the PAM system? Installing the PAM-af package was easy, but it's obviously not
working. How do I start it? I assume the relevant files are located in
/etc/pam.d/, but I'm reluctant to change anything without deeper
understanding - for fear that my attempt to fix a problem may open a
security hole.

You should be aware that you need to enable the usage of PAM within the
/etc/ssh/sshd_config (UsePAM yes|no). Sadly, the man-pages of SSH in
NetBSD do not mention this.
Here is an excerpt of a SSH-manpage I have from another system:
Enables the Pluggable Authentication Module interface. If set to ``yes'' this will enable PAM authentication using ChallengeResponseAuthentication
and PAM account and session module processing for all authentication

Because PAM challenge-response authentication usually serves an equivalent
role to password authentication, you should disable either
PasswordAuthentication or ChallengeResponseAuthentication.

If UsePAM is enabled, you will not be able to run sshd(8) as a non-root
user.  The default is ``no''.
PAM is automatically installed with NetBSD nowadays, so all you -should-
need to do is to enable it within the sshd_config, and maybe edit the
/etc/pam.d/sshd file appropriately.

How pam-af is brought to work, I cannot say. I have no experiences with
it, since I have never used it. All I can say is, it needs to be inserted
into /etc/pam.d/sshd, probably with a line like this one:

auth            required         pam_af    no_warn

How it can be told whether to call pf, ipf or whatever
packetfilter-cli-tool to use, I cannot say.

Information about pam-af seems a bit thin.

I hope this was helpful in regard of your original question.

(denyhosts looks a bit easier to me, since you neither need a packetfilter nor pam, and /etc/hosts.deny and tcpwrappers exists on your system anyway,
and transparently so.)

- Volkmar

Besides enabling pam_authentication in sshd_conf, you have to give 'pam_af' some rules about what to do: read the 'pam_af_tool' man page.

I have used it for about half a year now and it seems to work quite reliably, according to the list
of blocked hosts.
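As an added illustration of the log-scanning approach described in the first reply (this is new example code, not the poster's PHP script and not part of the thread): the script below parses OpenSSH "Failed password" lines from a syslog-style auth.log, counts failures per source address inside a sliding time window, and emits either pfctl table commands or ipf rules for the offenders. The log lines, the table name "bruteforce", the threshold, the window length and the allow-list are all constructed assumptions for the example; the regex matches the standard OpenSSH wording and the pfctl/ipf invocations are standard syntax, but check them against your own pf.conf or ipf.conf before wiring this into cron.

```python
import re
from collections import defaultdict
from datetime import datetime

# OpenSSH "Failed password" line as syslog writes it to auth.log.
# Covers both "for invalid user NAME from IP" and "for NAME from IP".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample log for the example (not real traffic): one fast
# brute-force burst, one legitimate user with a single typo, and one
# slow scanner whose five failures are spread over several hours.
SAMPLE_LOG = """\
Oct 16 12:36:01 bsdhost sshd[2012]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Oct 16 12:36:03 bsdhost sshd[2012]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Oct 16 12:36:05 bsdhost sshd[2013]: Failed password for root from 203.0.113.5 port 40130 ssh2
Oct 16 12:36:08 bsdhost sshd[2014]: Failed password for invalid user oracle from 203.0.113.5 port 40141 ssh2
Oct 16 12:36:11 bsdhost sshd[2015]: Failed password for invalid user test from 203.0.113.5 port 40150 ssh2
Oct 16 12:37:40 bsdhost sshd[2020]: Accepted publickey for volkmar from 198.51.100.7 port 51022 ssh2
Oct 16 12:38:02 bsdhost sshd[2021]: Failed password for volkmar from 198.51.100.7 port 51030 ssh2
Oct 16 12:38:09 bsdhost sshd[2021]: Accepted password for volkmar from 198.51.100.7 port 51030 ssh2
Oct 16 09:01:00 bsdhost sshd[1800]: Failed password for root from 192.0.2.9 port 3300 ssh2
Oct 16 10:12:00 bsdhost sshd[1850]: Failed password for root from 192.0.2.9 port 3301 ssh2
Oct 16 11:25:00 bsdhost sshd[1900]: Failed password for root from 192.0.2.9 port 3302 ssh2
Oct 16 12:40:00 bsdhost sshd[2030]: Failed password for root from 192.0.2.9 port 3303 ssh2
Oct 16 13:50:00 bsdhost sshd[2100]: Failed password for root from 192.0.2.9 port 3304 ssh2
"""


def parse_failures(lines, year=2008):
    """Yield (timestamp, ip, user) for every failed-password line.

    syslog timestamps carry no year, so the caller supplies one (assumption).
    """
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        yield ts, m.group("ip"), m.group("user")


def find_bruteforcers(lines, threshold=5, window_seconds=600, allow=frozenset()):
    """Return {ip: total_failures} for addresses that reach `threshold`
    failures inside any `window_seconds` span. Addresses in `allow` are
    never reported, so an admin fat-fingering a password cannot lock out
    the management network. Lines are sorted per IP, so out-of-order
    syslog delivery does not break the window logic.
    """
    events = defaultdict(list)
    for ts, ip, _user in parse_failures(lines):
        if ip not in allow:
            events[ip].append(ts)

    offenders = {}
    for ip, stamps in events.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            # Slide the window start forward until it fits within window_seconds.
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                offenders[ip] = len(stamps)
                break
    return offenders


def firewall_rules(offenders, backend="pf", table="bruteforce"):
    """Turn offender IPs into commands/rules for the chosen packet filter.

    pf:  add each IP to a table (assumed to be referenced by a block rule in
         pf.conf, e.g. "block in quick from <bruteforce> to any").
    ipf: emit rules suitable for "ipf -f -" (read from stdin).
    """
    if backend == "pf":
        return [f"pfctl -t {table} -T add {ip}" for ip in sorted(offenders)]
    if backend == "ipf":
        return [f"block in quick from {ip} to any" for ip in sorted(offenders)]
    raise ValueError(f"unknown backend {backend!r}")


def flush_rule(backend="pf", table="bruteforce"):
    """Command that clears the dynamic block list, for the periodic reset
    the first reply mentions (pf table flush; ipf has no single equivalent,
    so the rules would be removed with "ipf -rf -" on the same input)."""
    if backend == "pf":
        return f"pfctl -t {table} -T flush"
    return None


if __name__ == "__main__":
    hits = find_bruteforcers(SAMPLE_LOG.splitlines())
    for cmd in firewall_rules(hits):
        print(cmd)
```

With the defaults (five failures inside ten minutes) only 203.0.113.5 is flagged; the slow scanner 192.0.2.9 only shows up if the window is widened to several hours, which is the trade-off any such script has to make between catching low-and-slow guessing and blocking a legitimate user who mistyped a password a few times.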

