
Re: is there a way to block sshd trolling?

What you could also do is install swatch from ports or packages and have a table in your pf.conf like this:

table <sshdtrolls> persist

and a rule

#stop ssh trolls
block in log quick on $EXT_IF inet proto {tcp,udp} from <sshdtrolls> to $EXT_IF port ssh label "SSHDTrolls"

A swatchrc file of:

watchfor /Failed password for invalid user/
       exec /sbin/pfctl -t sshdtrolls -T add $13
       mail=nick_(_at_)_emailaddress_(_dot_)_com, --subject=woo. we have a troll
       throttle 02:00
       exec echo $13 >> /root/swatchlog

Then run swatch with:

/usr/local/bin/swatch -c /root/swatchrc -t /var/log/authlog &

(Note file locations and settings might need to be changed depending on your config)

I also have AllowUsers set, and use PubkeyAuthentication yes and PasswordAuthentication no in sshd_config. This means that for a normal login the error "Failed password for invalid user" won't come up, as it'll never get that far because sshd is expecting a key.

If a troll tries to log in, they get one chance before the swatch picks it up and adds it to the block table.
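The swatch rule above pulls the address out of the authlog line as field 13, which is correct for the "Failed password for invalid user" lines it matches but shifts if the pattern is ever widened (a "Failed password for root from ..." line has the address at field 11). The following POSIX shell script is an added example, not part of the original post or of swatch: it extracts the address by locating the "from" token instead of a fixed field, de-duplicates the offenders, and prints the matching pfctl commands for the <sshdtrolls> table rather than running them. The log lines embedded in it are constructed samples with documentation addresses, not real log data.

```shell
#!/bin/sh
# Added example (not from the original post): pick the source address out of
# sshd "Failed password" lines without relying on a fixed awk field number.

# Constructed sample authlog lines (RFC 5737 documentation addresses).
SAMPLE_LOG='Jan 12 03:14:15 gw sshd[1234]: Failed password for invalid user admin from 192.0.2.10 port 50122 ssh2
Jan 12 03:14:16 gw sshd[1234]: Failed password for invalid user admin from 192.0.2.10 port 50123 ssh2
Jan 12 03:15:00 gw sshd[1240]: Failed password for root from 198.51.100.7 port 41000 ssh2
Jan 12 03:16:00 gw sshd[1250]: Accepted publickey for nick from 203.0.113.5 port 2222 ssh2'

# Print the source address of one sshd "Failed password" line, or nothing if
# the line is not a failed password attempt. The address is the token after
# "from", so it is found whether or not "invalid user" precedes the user name.
troll_ip() {
    printf '%s\n' "$1" | awk '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i < NF; i++)
                if ($i == "from") { print $(i+1); exit }
        }'
}

# Read authlog lines on stdin and print each offending address once, sorted,
# so repeated attempts from one host do not produce repeated table entries.
troll_table() {
    awk '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i < NF; i++)
                if ($i == "from" && !seen[$(i+1)]++) print $(i+1)
        }' | sort
}

# Emit the pfctl commands that would add the addresses to the <sshdtrolls>
# table from the post. They are printed, not executed, so this runs safely on
# any host; on the firewall, pipe the output to sh to apply it.
troll_commands() {
    troll_table | while read -r addr; do
        printf '/sbin/pfctl -t sshdtrolls -T add %s\n' "$addr"
    done
}

# Stand-alone run over the constructed sample: two distinct offenders,
# the successful publickey login is ignored.
printf '%s\n' "$SAMPLE_LOG" | troll_commands
```

Because the match is on the "from" token, the same functions work for both the "invalid user" lines the post watches for and failed attempts against existing accounts, which is where a fixed $13 would silently add the wrong token to the table.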