SSH Brute Force Countermeasure

Stop annoying hosts trying to brute force login via ssh.

Problem Description

On my router as well as on my server, the auth log (/var/log/authlog) keeps filling up with failed password attempts from a number of hosts trying to brute force passwords for random user names.

While these attempts are harmless as such, they fill the log with garbage and, even worse, my Soekris router does not have much CPU power to spare for the crypto involved in an SSH login attempt, so every attempt puts a considerable load on the system.

In the past the way to counter this was to let pf add the IP of the offending host to a blacklist table once more than n connections from it were seen within a certain time span. Unfortunately the operators of the botnets doing the brute forcing have learned: each host usually tries a single user name and then moves on to the next IP address, which stays well below any sensible per-source rate limit.

The code can be found here: https://git.markus-hennecke.de/markus/ssh-sentryd.git

Bits to Add to pf.conf

The following snippet from pf.conf blocks any incoming connection from the hosts in the table <blacklist>. I put it right in front of the default block rule.

Specifying the file lets us dump the table's contents into it, and pf reads the table back from that file whenever the ruleset is loaded, so the list survives a reboot.

table <blacklist> persist file "/etc/pf.blacklist"
block in quick from <blacklist> to any
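The daemon's job is to spot exactly the pattern described above (one failed attempt for a non-existent user, then the host moves on) and feed the offending addresses into the table that the rule above blocks. The following Python script is an added example and not ssh-sentryd's own code: it scans OpenBSD authlog lines in the format sshd writes them, applies an assumed policy (block at once on a failure for an unknown user, otherwise after MAX_FAILURES failures within WINDOW seconds), refuses to block an allow-listed network so you cannot lock yourself out, and builds the pfctl commands that add entries to <blacklist> and dump the table into the persist file. The log lines, thresholds, the allow-listed network and the table name are constructed for the example.

```python
"""Added example, not part of ssh-sentryd: turn authlog failures into pfctl
table updates for the <blacklist> table used in pf.conf."""
import ipaddress
import re
import subprocess
from collections import defaultdict, deque
from datetime import datetime

# Assumed policy (illustrative; ssh-sentryd may decide differently):
#  - a failure for a user that does not exist blocks the source immediately,
#    because the botnets try one name per host and then move on;
#  - failures for existing users are tolerated up to MAX_FAILURES per WINDOW.
MAX_FAILURES = 3
WINDOW = 600  # seconds
# Networks never to block (constructed; put your own management nets here).
ALLOW = [ipaddress.ip_network("192.0.2.0/24")]

# Syslog prefix as found in /var/log/authlog, followed by the sshd message.
SYSLOG = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$")
# OpenSSH messages: "Failed password for [invalid user ]NAME from IP port N ssh2"
# and "Invalid user NAME from IP port N".
FAILED = re.compile(r"^Failed \S+ for (?P<invalid>invalid user )?\S+ from (?P<ip>[0-9a-fA-F.:]+) port \d+")
INVALID = re.compile(r"^Invalid user \S+ from (?P<ip>[0-9a-fA-F.:]+) port \d+")


def allowed(ip):
    """True if ip lies in an allow-listed network and must never be blocked."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOW)


def scan(lines):
    """Return the source addresses to block, in order of first detection."""
    recent = defaultdict(deque)  # ip -> timestamps of failures for valid users
    blocked = []
    for line in lines:
        m = SYSLOG.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # authlog has no year
        fm, im = FAILED.match(m["msg"]), INVALID.match(m["msg"])
        if fm:
            ip, unknown_user = fm["ip"], fm["invalid"] is not None
        elif im:
            ip, unknown_user = im["ip"], True
        else:
            continue
        if ip in blocked or allowed(ip):
            continue
        if unknown_user:
            blocked.append(ip)
            continue
        q = recent[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > WINDOW:  # slide the window
            q.popleft()
        if len(q) >= MAX_FAILURES:
            blocked.append(ip)
    return blocked


def pfctl_add(ip, table="blacklist"):
    """argv that adds ip to the pf table: pfctl -t <table> -T add <ip>."""
    return ["pfctl", "-t", table, "-T", "add", ip]


def pfctl_dump(table="blacklist", path="/etc/pf.blacklist"):
    """Shell command that writes the live table into the 'persist file' named
    in pf.conf, so the entries are loaded again after a reboot."""
    return f"pfctl -t {table} -T show > {path}"


def block(ips, dry_run=True):
    """Build (and, unless dry_run, execute as root) the pfctl add commands."""
    cmds = [pfctl_add(ip) for ip in ips]
    if not dry_run:
        for cmd in cmds:
            subprocess.run(cmd, check=True)
    return cmds


# Constructed authlog excerpt covering all cases the policy distinguishes.
SAMPLE_LOG = """\
Jan 12 03:14:15 gw sshd[41223]: Invalid user admin from 203.0.113.5 port 54321
Jan 12 03:14:15 gw sshd[41223]: Failed password for invalid user admin from 203.0.113.5 port 54321 ssh2
Jan 12 03:14:20 gw sshd[41230]: Failed password for invalid user oracle from 198.51.100.7 port 40022 ssh2
Jan 12 03:15:01 gw sshd[41241]: Failed password for markus from 192.0.2.10 port 50000 ssh2
Jan 12 03:15:09 gw sshd[41241]: Failed password for markus from 192.0.2.10 port 50000 ssh2
Jan 12 03:15:20 gw sshd[41241]: Accepted publickey for markus from 192.0.2.10 port 50000 ssh2
Jan 12 03:20:00 gw sshd[41300]: Failed password for root from 203.0.113.77 port 3333 ssh2
Jan 12 03:20:05 gw sshd[41301]: Failed password for root from 203.0.113.77 port 3334 ssh2
Jan 12 03:20:09 gw sshd[41302]: Failed password for root from 203.0.113.77 port 3335 ssh2
Jan 12 03:40:00 gw sshd[41400]: Failed password for root from 203.0.113.88 port 4000 ssh2
Jan 12 03:55:00 gw sshd[41401]: Failed password for root from 203.0.113.88 port 4001 ssh2
Jan 12 04:05:00 gw sshd[41402]: Failed password for root from 203.0.113.88 port 4002 ssh2
"""

if __name__ == "__main__":
    for cmd in block(scan(SAMPLE_LOG.splitlines())):
        print(" ".join(cmd))
    print(pfctl_dump())
```

Run as is it only prints the commands; with dry_run=False it needs root and a running pf. In the sample, 203.0.113.5 and 198.51.100.7 are blocked on their single unknown-user attempt, 203.0.113.77 after its third failure within nine seconds, 192.0.2.10 is spared by the allow list, and 203.0.113.88 is not blocked because its three failures never fall inside one ten-minute window.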

Setting Up /etc/syslog.conf

Now we don't want to clutter the system log with those fruitless login attempts, but being able to trace when and why a certain IP address was added to the <blacklist> table would be nice.

Add this to /etc/syslog.conf right at the top; the !!ssh-sentry program selector sends the daemon's messages to their own file and keeps them out of the general rules that follow. Remember to create the given log file before reloading the syslogd configuration:

!!ssh-sentry
daemon.*        /var/log/ssh-sentry
!*

Log Rotate

Add a line to /etc/newsyslog.conf to rotate the log (mode 640, keep 3 old copies, rotate once it reaches 300 KB regardless of time, compress the old copies):

/var/log/ssh-sentry     640 3    300  *     Z

TODO

Unordered list of possible improvements for the future: