An attack by SSH, advice wanted!
-
Hi all,
I looked at my firewall this morning and it appears that I've been attacked using a brute-force dictionary attack.
The log:
Aug 14 02:11:05 sshd[87442]: Failed password for invalid user mail from 218.75.198.35 port 35781 ssh2
Aug 14 02:11:05 sshd[87442]: Invalid user mail from 218.75.198.35
Aug 14 02:10:56 sshd[87438]: Failed password for invalid user lp from 218.75.198.35 port 34829 ssh2
Aug 14 02:10:56 sshd[87438]: Invalid user lp from 218.75.198.35
Aug 14 02:10:51 sshd[87435]: Failed password for news from 218.75.198.35 port 33966 ssh2
Aug 14 02:10:45 sshd[87431]: Failed password for invalid user squid from 218.75.198.35 port 60604 ssh2
Aug 14 02:10:45 sshd[87431]: Invalid user squid from 218.75.198.35
Aug 14 02:10:40 sshd[87428]: Failed password for invalid user ldap from 218.75.198.35 port 59661 ssh2
As these days are my first steps with pfSense, does anyone have some ideas how to protect myself better?
This was through SSH. I've got SSH active, HTTP and nothing more. Is it OK? Any advice?
Best Regards,
Tiago Teixeira -
Use a long password with uppercase, lowercase, numbers and special characters.
You might consider changing the SSH port to something other than 22.
Also, if you access it only from LAN, block it from WAN.
If you need access from WAN but only from a certain known location, you could add a rule that allows access to it only from the location you need access from. -
Thanks for help.
Best regards,
Teixeira -
If you search the forum you might find a post where someone only allowed SSH logins with a certificate, not with a password.
IIRC it was a self-made path, not something officially supported.
…
Found the thread: http://forum.pfsense.org/index.php/topic,1741.0.html
-
Hi,
The strike continues over and over again, now from another IP address:
Aug 16 09:35:47 sshd[35103]: Failed password for root from 207.168.54.150 port 52020 ssh2
Aug 16 09:35:45 sshd[35095]: Failed password for root from 207.168.54.150 port 51940 ssh2
Aug 16 09:35:43 sshd[35089]: Failed password for root from 207.168.54.150 port 51867 ssh2
Aug 16 09:35:41 sshd[35083]: Failed password for root from 207.168.54.150 port 51781 ssh2
Aug 16 09:35:39 sshd[35076]: Failed password for root from 207.168.54.150 port 51706 ssh2
Aug 16 09:35:36 sshd[35070]: Failed password for root from 207.168.54.150 port 51621 ssh2
Aug 16 09:35:34 sshd[35063]: Failed password for root from 207.168.54.150 port 51548 ssh2
Aug 16 09:35:32 sshd[35059]: Failed password for root from 207.168.54.150 port 51467 ssh2
Aug 16 09:35:30 sshd[35053]: Failed password for root from 207.168.54.150 port 51396 ssh2
Aug 16 09:35:28 sshd[35046]: Failed password for root from 207.168.54.150 port 51310 ssh2
Aug 16 09:35:26 sshd[35040]: Failed password for root from 207.168.54.150 port 51235 ssh2
Aug 16 09:35:24 sshd[35033]: Failed password for root from 207.168.54.150 port 51156 ssh2
Aug 16 09:35:22 sshd[35027]: Failed password for root from 207.168.54.150 port 51081 ssh2
Aug 16 09:35:20 sshd[35021]: Failed password for root from 207.168.54.150 port 51000 ssh2
Aug 16 09:35:18 sshd[35014]: Failed password for root from 207.168.54.150 port 50929 ssh2
Aug 16 09:35:16 sshd[35008]: Failed password for root from 207.168.54.150 port 50818 ssh2
Aug 16 09:35:14 sshd[35001]: Failed password for root from 207.168.54.150 port 50743 ssh2
Aug 16 09:35:11 sshd[34995]: Failed password for root from 207.168.54.150 port 50661 ssh2
Aug 16 09:35:09 sshd[34988]: Failed password for root from 207.168.54.150 port 50586 ssh2
How can I set a specific number of attempts that can be used to connect?
Best regards,
Teixeira -
If you don't want to disable user/password logins on SSH as posted above, why don't you just switch it off then?
You still have access to the GUI (preferably via HTTPS only), so you can enable it remotely whenever you actually need it. To do so you only have to hit the green symbol in front of the SSH rule and it is disabled (after applying). The symbol will become light green then. Hit it again and it is re-enabled.
Maybe you can also use the SNORT package to ban this IP address, but I don't have any experience with it!
-
If you only SSH from a few locations, restrict SSH to those source IPs. You can also play with the advanced options on the rule to limit the number of connections per x seconds to allow. This drops offenders into one of the built-in block tables, I forget which one right now. They will be blocked until you reboot the firewall.
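The "N connections per X seconds" idea in the reply above, and the question two posts up about limiting the number of attempts, can be checked against the firewall's own log before touching any rules. The following is an added example, not code from this thread or from pfSense: it parses sshd "Failed password" lines of the shape quoted in this thread (the sample lines below are constructed, with a couple of extra lines to show what is ignored), applies a sliding-window threshold per source IP, and renders pfctl commands for a pf table. The table name "sshguard" and the threshold values are assumptions for illustration; the syslog year is assumed because syslog timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the format quoted in this thread. The "Invalid user"
# and "Accepted publickey" lines are included to show they are not counted.
SAMPLE_LOG = """\
Aug 16 09:35:09 sshd[34988]: Failed password for root from 207.168.54.150 port 50586 ssh2
Aug 16 09:35:11 sshd[34995]: Failed password for root from 207.168.54.150 port 50661 ssh2
Aug 16 09:35:14 sshd[35001]: Failed password for root from 207.168.54.150 port 50743 ssh2
Aug 16 09:35:16 sshd[35008]: Failed password for root from 207.168.54.150 port 50818 ssh2
Aug 16 09:35:18 sshd[35014]: Failed password for root from 207.168.54.150 port 50929 ssh2
Aug 16 09:35:20 sshd[35021]: Failed password for root from 207.168.54.150 port 51000 ssh2
Aug 14 02:10:40 sshd[87428]: Failed password for invalid user ldap from 218.75.198.35 port 59661 ssh2
Aug 14 02:10:45 sshd[87431]: Invalid user squid from 218.75.198.35
Aug 14 02:10:45 sshd[87431]: Failed password for invalid user squid from 218.75.198.35 port 60604 ssh2
Aug 14 02:10:51 sshd[87435]: Failed password for news from 218.75.198.35 port 33966 ssh2
Aug 14 09:00:00 sshd[90001]: Failed password for tiago from 192.0.2.10 port 40000 ssh2
Aug 14 09:00:00 sshd[90002]: Accepted publickey for tiago from 192.0.2.10 port 40001 ssh2
"""

# Matches only the "Failed password" line; "invalid user" is optional because
# sshd prefixes it for usernames that do not exist on the box.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(log_text, year=2007):
    """Return a time-sorted list of (timestamp, user, ip) for each failed login.
    The separate 'Invalid user' line sshd writes for the same attempt is
    skipped so one attempt is never counted twice. 'year' is an assumption:
    syslog timestamps carry no year."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["ip"]))
    events.sort()
    return events


def offenders(events, max_attempts, window_seconds):
    """Return {ip: total_failures} for every source that exceeded
    max_attempts failures inside any window_seconds span. This is the
    same 'N connections per T seconds' rule pf expresses as
    max-src-conn-rate N/T, applied here to the log instead of live traffic."""
    per_ip = defaultdict(list)
    for ts, _user, ip in events:
        per_ip[ip].append(ts)
    flagged = {}
    for ip, stamps in per_ip.items():
        start = 0
        for end in range(len(stamps)):
            # Slide the window start forward until it fits within window_seconds.
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 > max_attempts:
                flagged[ip] = len(stamps)
                break
    return flagged


def pf_table_lines(flagged, table="sshguard"):
    """Render pfctl commands that would add each offender to a pf table.
    The table name is a hypothetical one; a rule must reference it to block."""
    return [f"pfctl -t {table} -T add {ip}" for ip in sorted(flagged)]


if __name__ == "__main__":
    events = parse_failures(SAMPLE_LOG)
    # 207.168.54.150 makes six attempts in 11 seconds and trips the threshold;
    # 218.75.198.35 makes three and does not; the single typo from 192.0.2.10
    # is left alone.
    for cmd in pf_table_lines(offenders(events, max_attempts=3, window_seconds=10)):
        print(cmd)
```

The threshold matters: with 3 attempts per 10 seconds only the Aug 16 source is flagged, while loosening it to 2 per 15 seconds also catches the slower Aug 14 dictionary run. Whatever values you pick, keep the window short enough that a legitimate user mistyping a password once or twice never lands in the table, since (as the reply notes) an entry there persists until the firewall is rebooted.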
-
Thanks guys.
I'll follow the steps you described.
It's better to prevent…
Best regards,
Teixeira