Using sec.pl (the Simple Event Correlator), brute force SSH attacks can be detected and blocked automatically. This section outlines how to detect the attacks from the sshd log and how to update a Packet Filter (PF) firewall table in response. Ensure that known-good hosts can never be blocked, and that blocks time out, so that legitimate users are not locked out; table entries never expire on their own, so use expiretable to expire them by age.
Note that attackers may control massive numbers of systems, usually compromised Microsoft Windows hosts organized into a huge zombie cloud (a botnet), from which to launch brute force SSH attacks. This means they can spread SSH or other password authentication attempts so that no two ever come from the same source address: a slow, distributed zombie attack that per-source blocking will never catch. However, pointless network traffic from attackers who lack a zombie cloud can still be blocked by scanning the logs as described here.
A sec rule that matches failed SSH logins and triggers a block. The threshold is set as low as it goes: a single failure fires the action, since the rules are for a personal system that never sees failed logins. Older OpenSSH releases log "illegal user" and newer ones log "invalid user", so the pattern accepts both. The badhost script is available elsewhere. The type and ptype lines are required by sec for every rule.
type=Single
ptype=RegExp
pattern=sshd\[\d+\]: Failed password for (?:(?:illegal|invalid) user )?(.+?) from (\S+)
desc=ssh brute force from $2
action=shellcmd /usr/local/sbin/badhost $2
To run sec.pl, save the rule above as a block.conf configuration file and start sec.pl pointing at that file with --conf and at the sshd log (authlog on OpenBSD) with --input:
$ sec.pl --detach --syslog=local0 \
The firewall must define a badhosts table and block all traffic from (or even to) the addresses in it. PF normally applies the last matching rule, but quick ends evaluation at the first match, so if using quick, place the following block statements near the top of the pf.conf configuration file, below any rule that passes traffic from trusted addresses. I strongly recommend a goodhosts table as well, checked by the badhost script before it adds an address, so that spoofed login attempts do not lock out allowed systems.
table <badhosts> persist
block in quick on $ext_if from <badhosts>
block return out quick on $ext_if to <badhosts>
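The badhost script that the sec action calls is not shown on this page. What follows is an added example of such a script, not the page's own badhost: it validates the address sec hands it (so a crafted log line cannot smuggle extra pfctl arguments onto the command line), skips anything in a NEVER_BLOCK list or in the goodhosts table, and only then adds the address to badhosts with pfctl. The table names, the NEVER_BLOCK defaults, the PFCTL path and the assumption that pfctl -T test exits 0 when an address matches the table are assumptions of this example, not something the page states.

```sh
#!/bin/sh
# badhost: add the address passed by sec to the pf <badhosts> table,
# unless it is a known-good host. Added example, not the page's own
# badhost script. Assumes pf.conf defines "table <badhosts> persist" and
# "table <goodhosts> persist", and that sec runs this as: badhost <address>.

PFCTL="${PFCTL:-/sbin/pfctl}"
BADTABLE="${BADTABLE:-badhosts}"
GOODTABLE="${GOODTABLE:-goodhosts}"
# Addresses that must never be blocked even if absent from <goodhosts>
# (assumed defaults; loopback keeps a local test from locking you out).
NEVER_BLOCK="${NEVER_BLOCK:-127.0.0.1 ::1}"

# Log to syslog via logger(1); fall back to stderr if that fails.
log() {
    logger -t badhost -p auth.notice -- "$*" 2>/dev/null ||
        printf 'badhost: %s\n' "$*" >&2
}

# valid_ip4 ADDR: succeed only for a well-formed dotted quad. The strict
# check matters because ADDR comes from a log line an attacker influenced;
# anything else must never reach the pfctl command line.
valid_ip4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _ifs=$IFS; IFS=.
    set -- $1
    IFS=$_ifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        [ "$_o" -le 255 ] || return 1
    done
    return 0
}

# valid_ip6 ADDR: loose syntax check for an IPv6 literal (hex digits and
# colons only, no zone id, no ":::", at most 39 characters).
valid_ip6() {
    case "$1" in
        ''|*[!0-9a-fA-F:]*|*:::*) return 1 ;;
        *:*) [ ${#1} -le 39 ] ;;
        *) return 1 ;;
    esac
}

valid_addr() {
    valid_ip4 "$1" || valid_ip6 "$1"
}

# is_goodhost ADDR: succeed if ADDR is in NEVER_BLOCK or in <goodhosts>.
# Assumption: "pfctl -t TABLE -T test ADDR" exits 0 when ADDR matches.
is_goodhost() {
    for _g in $NEVER_BLOCK; do
        [ "$1" = "$_g" ] && return 0
    done
    "$PFCTL" -t "$GOODTABLE" -T test "$1" >/dev/null 2>&1 && return 0
    return 1
}

# block_host ADDR: validate, check the allow list, then add to <badhosts>.
# Returns 0 blocked, 1 allow-listed, 2 malformed address, 3 pfctl failed.
block_host() {
    _addr=$1
    if ! valid_addr "$_addr"; then
        log "refusing to block malformed address '$_addr'"
        return 2
    fi
    if is_goodhost "$_addr"; then
        log "not blocking $_addr: listed as a good host"
        return 1
    fi
    "$PFCTL" -t "$BADTABLE" -T add "$_addr" >/dev/null 2>&1 || {
        log "pfctl could not add $_addr to <$BADTABLE>"
        return 3
    }
    log "blocked $_addr via <$BADTABLE>"
    return 0
}

# sec invokes the script with exactly one argument. With no argument it
# only defines the functions above (so it can be sourced for testing).
case $# in
    0) : ;;
    1) block_host "$1"; exit $? ;;
    *) echo "usage: badhost address" >&2; exit 64 ;;
esac
```

Install it as /usr/local/sbin/badhost, mode 0755, owned by root. Entries added this way stay in the table until the host reboots or something removes them, so run expiretable from cron (for example expiretable -t 24h badhosts; the option syntax is assumed here) so that a block eventually times out even for an address that was wrongly reported.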