Block ssh bruteforce attempts

Most people with a box on public IP, and with a sshd listening on port 22, notices a lot of bruteforce attempts. These attempts are filling up logs, and are a pure annoyance. Here's how I "solved" it..

In OpenBSD 3.7, pf got a really nice feature called max-src-conn-rate, which specifies how quickly new connections can be made. Connecting hosts exceeding this limit can be put into a table, and all states including that hosts IP address, can also be flushed.

When I have the offending IPs in a table, it can easily be blocked early on in our ruleset. But since I don't want to block a host forever, or even until the next reboot, I'm gonna use a small utility to clean out this table once in a while.

Let's start with the magic pf rule:

# special rule for ssh
pass in on $ext_if proto tcp from any to ($ext_if) port ssh \
	flags S/SA keep state \
	(max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global)

The keyword here is ofcourse "max-src-conn-rate". The arguments tell pf to put every IP exceeding a connection rate of more than 3 connections in every 30 seconds, in a table called "ssh-bruteforce". How often do valid users connect to ssh that often? Ofcourse you can set this to 6/60 or something more apropriate for your environment. Last but not least pf kills all states originating from the bad host.

To keep the bad boys out, I add a block rule early on in my ruleset:

# block the ssh bruteforce bastards
block drop in quick on $ext_if from <ssh-bruteforce>

Great, now the table are getting populated with bad hosts, and they're getting blocked. But as I said earlier, I don't want to block them forever. This is were expiretable comes in handy. This utility, written by Henrik Gustafsson, takes a look at a table, and removes ("expires") entires older then the specified amount of time.

It's in ports (sysutils/expiretable), but was commited after 3.8 was tagged, so you'll have to go -current, or compile/install it by hand. Then add this to roots crontab:

*/5   *   *   *   *   /usr/local/sbin/expiretable -t 3600 ssh-bruteforce

Every five minutes, I expire entries older than one hour.

This is how I get rid of thousands of login attempts filling my logs.