Enable automatic defence against SSH attacks on FreeBSD using PF   March 9th, 2010

For a long time I used to see reports of brute force SSH attacks against my FreeBSD machines in my mailbox every morning. Finally I got fed up, not because they were even getting close to getting in, but because I was tired of getting these huge reports. So I decided it was time to do something about it. First let me say I run PF (BSD Packet Filter) on all my FreeBSD machines. It's quite easy to set up, so I will start there.

  1. Rebuild your kernel to enable ALTQ; being able to throttle bandwidth is pretty cool (optional)
    1. Create a folder in /root called kernels

      [root@test] [/usr/src/sys/i386/conf]# mkdir /root/kernels
    2. Make a copy of the GENERIC kernel profile and place it in the /root/kernels directory. Keep in mind that if you're running, say, AMD64, this directory will be slightly different.
      [root@test] [/usr/src/sys/i386/conf]# cp GENERIC /root/kernels/
    3. Rename the file to something else like GENERIC-PF

      [root@test] [/usr/src/sys/i386/conf]# mv /root/kernels/GENERIC /root/kernels/GENERIC-PF
    4. Link the new kernel file to directory where your kernel configuration files exist.
      [root@test] [/usr/src/sys/i386/conf]# ln -s /root/kernels/GENERIC-PF
    5. Open the file in your favorite editor (vi for me)
      [root@test] [/usr/src/sys/i386/conf]# vi GENERIC-PF

      You may want to change the ident so that it reflects the changes you make to the kernel as well.

      ident         GENERIC-PF

      and add the following lines below the last line that starts with options and above the first line that begins with device.

      options         ALTQ
      options         ALTQ_CBQ        # Class Based Queuing (CBQ)
      options         ALTQ_RED        # Random Early Detection (RED)
      options         ALTQ_RIO        # RED In/Out
      options         ALTQ_HFSC       # Hierarchical Packet Scheduler (HFSC)
      options         ALTQ_PRIQ       # Priority Queuing (PRIQ)
      options         ALTQ_NOPCC      # Required for SMP build
      
    6. Rebuild your kernel
      [root@test] [/usr/src/sys/i386/conf]# cd ../../../
      [root@test] [/usr/src]# make buildkernel KERNCONF=GENERIC-PF
    7. If everything goes right install your new kernel
      [root@test] [/usr/src]# make installkernel KERNCONF=GENERIC-PF
    8. Reboot
  2. Enable PF in your /etc/rc.conf by adding the following lines to the end of the file
    pf_enable="YES"
    pflog_enable="YES"
    
  3. Edit your /etc/pf.conf to set up some basic rules. Before doing this you should know what kind of network card you have; you can find this out by running the command ifconfig. In the box I have at the house I have a VIA NIC, so the driver is vr0.
    1. Edit the entry for ext_if="eth0" to contain your NIC driver, e.g. ext_if="vr0". If you're going to do other filtering you will want to set ext_addr to your external IP address.
    2. Let pf know your local interface is safe by telling it to skip filtering
      set skip on lo0
    3. It's also not a bad idea to normalize incoming packets (scrub reassembles fragments and drops malformed packets); this can be done by adding the line
      scrub in on $ext_if all
    4. Set up a rule to block everything you don't explicitly want to allow, and pass the good stuff
      block in log on $ext_if all
      block out log on $ext_if all
      pass  out on $ext_if inet proto tcp all flags S/SA keep state
      pass  out on $ext_if inet proto udp all keep state
      pass  out on $ext_if inet proto icmp all keep state
    5. Enable ssh through the firewall
      pass  in  on $ext_if proto tcp from any to $ext_if port 22 keep state
    6. Next you will probably want to set up your basic rules for any services you are running, such as http or ftp.
    7. Add the table used to stop those script kiddies in their tracks.
      # sshd attacks
      table <ssh-violations> persist file "/etc/ssh-violations"
      block drop in from <ssh-violations> to any
  4. You should end up with something that looks similar to this.
    ext_if="vr0"
    ext_addr="10.11.12.13"
    
    set skip on lo0
    scrub in on $ext_if all
    
    block in  log on $ext_if all
    block out log on $ext_if all
    
    pass  out on $ext_if inet proto tcp all flags S/SA keep state
    pass  out on $ext_if inet proto udp all keep state
    pass  out on $ext_if inet proto icmp all keep state
    
    #ssh
    pass  in  on $ext_if proto tcp from any to $ext_if port 22 keep state
    
    #http
    pass  in  on $ext_if proto tcp from any to any port 80 flags S/SA keep state
    
    # sshd attacks
    table <ssh-violations> persist file "/etc/ssh-violations"
    block drop in from <ssh-violations> to any
    
    antispoof for $ext_if
  5. Next create a blank ssh-violations file.
    [root@test] [/etc]# touch ssh-violations
  6. Enable PF
    [root@test] [/etc]# rc.d/pf start
  7. Now that you have PF up and running comes the good part. Open up your favorite editor, create a file in the /root directory named sshd-fwscan.sh, and paste the following.
    #!/bin/sh
    # Rebuild the <ssh-violations> PF table from /var/log/auth.log on every run.
    COMMAND="/sbin/pfctl"
    $COMMAND -t ssh-violations -T flush
    # Sources that produced more than one "Illegal user" line. The output is
    # sorted first, because uniq -d only reports adjacent duplicates.
    for ips in `grep sshd /var/log/auth.log | grep "Illegal" | awk '{print $10}' | sort | uniq -d` ; do
           $COMMAND -t ssh-violations -T add $ips
    done
    # Same for "Invalid user" lines.
    for ips in `grep sshd /var/log/auth.log | grep "Invalid" | awk '{print $10}' | sort | uniq -d` ; do
           $COMMAND -t ssh-violations -T add $ips
    done
    # "Failed password" lines: the source address is the 4th field from the end.
    # Ban any source with more than 5 failures that is not already in the table.
    grep sshd /var/log/auth.log | grep "Failed" | rev | cut -d\  -f 4 | rev | sort | uniq -c | \
    ( while read num ips; do
        if [ $num -gt 5 ]; then
             if ! $COMMAND -t ssh-violations -T show | grep -q $ips ; then
                    $COMMAND -t ssh-violations -T add $ips
            fi
        fi
      done
    )
    
  8. Change the permissions on that file to +x

    [root@test] [/root]# chmod +x sshd-fwscan.sh
  9. Set up crontab so that the file is run, say, every 2 minutes.
    */2 * * * *     /root/sshd-fwscan.sh > /dev/null 2>&1
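As an added example (not the post's own script), here is a stricter version of the log-parsing step of sshd-fwscan.sh: it pulls the source address from the "from <ip>" token instead of a fixed awk column (which shifts for the "Failed password for invalid user" variant), counts attempts per source over constructed sample log lines, and bans sources above the post's threshold of 5. The PFCTL variable and the sample lines are assumptions added for this example so the banning step can be dry-run.

```shell
#!/bin/sh
# Added example, not from the original post. Parses sshd lines by the
# "from <ip>" token, counts attempts per source and bans offenders.
# Set PFCTL=echo to dry-run without touching PF.
PFCTL="${PFCTL:-/sbin/pfctl}"

# Constructed sample of FreeBSD auth.log lines (syslog format).
SAMPLE_LOG='Mar  9 22:10:01 test sshd[1234]: Failed password for root from 192.0.2.10 port 40001 ssh2
Mar  9 22:10:03 test sshd[1234]: Failed password for root from 192.0.2.10 port 40002 ssh2
Mar  9 22:10:05 test sshd[1235]: Invalid user admin from 192.0.2.10
Mar  9 22:10:07 test sshd[1235]: Failed password for invalid user admin from 192.0.2.10 port 40003 ssh2
Mar  9 22:10:09 test sshd[1236]: Failed password for root from 192.0.2.10 port 40004 ssh2
Mar  9 22:10:11 test sshd[1237]: Failed password for root from 192.0.2.10 port 40005 ssh2
Mar  9 22:10:13 test sshd[1238]: Failed password for bob from 198.51.100.7 port 51000 ssh2
Mar  9 22:10:15 test sshd[1239]: Failed password for bob from 198.51.100.7 port 51001 ssh2
Mar  9 22:10:17 test sshd[1240]: Accepted publickey for ops from 203.0.113.5 port 5022 ssh2
Mar  9 22:10:20 test su: BAD SU bob to root on /dev/pts/0'

# Write the sample to a temporary file and print its path.
write_sample_log() {
    f=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_LOG" > "$f"
    echo "$f"
}

# Print "count ip" for every source with more than $2 failed/invalid attempts in log $1.
ssh_offenders() {
    grep 'sshd\[' "$1" | grep -E 'Failed password|Invalid user' \
        | sed -n 's/.* from \([0-9.]*\).*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk -v t="$2" '$1 > t { print $1, $2 }'
}

# Add every offender to the <ssh-violations> table (pfctl -T add is idempotent).
ban_offenders() {
    ssh_offenders "$1" "$2" | while read -r num ip; do
        "$PFCTL" -t ssh-violations -T add "$ip"
    done
}

# Stand-alone run: dry-run against the constructed sample with a threshold of 5.
if [ "${1:-}" = "demo" ]; then
    log=$(write_sample_log)
    PFCTL=echo
    ban_offenders "$log" 5
    rm -f "$log"
fi
```

Run it as `sh sshd-fwscan-example.sh demo` to see which pfctl command the sample would produce; the real cron job would point ssh_offenders at /var/log/auth.log and leave PFCTL unset.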

At this point, if you have done everything correctly, it should be really hard for them to successfully brute force SSH, since they only have 120 seconds to figure out your password before they get dropped like a bad habit by the firewall.

source here

This entry was posted on Tuesday, March 9th, 2010 at 10:32 pm and is filed under Networking, feebsd, linux. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

7 Responses

March 10th, 2010 at 4:18 pm
Rocky Howells Says:

ohhh nice information

May 7th, 2010 at 12:40 pm
Faisal Ghulam Says:

Hi,

I am from Pakistan and today I visited your web site and it's excellent.
I am new to FreeBSD, and I have to deploy FreeBSD for blocking DoS attacks (SYN flood).

Can you help me with this?

May 7th, 2010 at 2:22 pm
amanat Says:

Welcome to the Computer Scientists blog.

Which firewall are you using?

May 31st, 2010 at 6:08 pm
Faisal Ghulam Says:

We are using Iptables for this.

May 31st, 2010 at 10:41 pm
amanat Says:

This will help you:
http://www.fduran.com/blog/defending-against-ssh-brute-force-attacks/
