The new year has brought out a slew of fresh IPs (mostly from Hong Kong and China) trying to log in to my machine (running OS X Yosemite 10.10.1 Server 4.0.3).
...
what are the strategies for combating these attacks? Is the best route to use the /etc/hosts.allow and /etc/hosts.deny files to configure access for sshd?
Thanks for any tips! —michael
The following two strategies will almost completely eliminate ssh attacks on your server:
- Install the pf-based osxfortress configuration. This blackholes thousands and thousands of compromised IPs at the kernel level, as well as blocking hundreds of thousands of domain names at the OS level. Regular updates to the crowd-sourced block lists are automatic.
- Harden your sshd configuration beyond what Apple provides out of the box. Most ssh attacks are kiddie scripts that are unable even to talk with a hardened ssh configuration. My system logs are filled with sshd entries like this:
May 21 02:42:32 hostname sshd[29704]: fatal: ssh_dispatch_run_fatal: Connection to 58.218.204.215: no matching key exchange method found [preauth]
(Yes, it is easy to confirm that IP 58.218.204.215 <https://duckduckgo.com/?q=58.218.204.215> is a .cn-based brute-forcer).
Search for "secure secure shell" to harden your ssh configuration. Specifically,
- KexAlgorithms in /etc/ssh/sshd_config and /etc/ssh/ssh_config
- Delete weak EC moduli from /etc/ssh/moduli
- Generate a strong ssh_host_ed25519_key and ssh_host_rsa_key
- Disable password authentication
- Disable root authentication
- HostKeyAlgorithms in /etc/ssh/ssh_config
- Ciphers in /etc/ssh/sshd_config and /etc/ssh/ssh_config
- MACs in /etc/ssh/sshd_config and /etc/ssh/ssh_config
This ssh configuration with a pf firewall will drive attacks to nearly nothing. Confirm it yourself with this pf rule that tosses ssh attacks into a blackholed brute force table:
# Block brute force attacks
table <bruteforce> persist
block drop log quick from <bruteforce>
# ssh really restrictive
pass in inet proto tcp from any to { lo0 $int_if } port ssh \
keep state (max-src-conn 5, max-src-conn-rate 5/2, \
overload <bruteforce> flush global)
It takes my server weeks to see a single attack show up in my bruteforce table:
sudo pfctl -t bruteforce -Ts
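An added example, not code from either poster: a small Python parser that tallies failed sshd attempts by the stage at which they died (algorithm negotiation vs. credential guessing) and by source IP, run over a constructed log sample whose first line repeats the entry quoted above. After hardening, the "kex" bucket should dominate; any source that crosses the threshold is the same kind of host the pf overload rule pushes into the bruteforce table.

```python
import re
from collections import Counter, defaultdict

# Constructed sshd log sample (not from the original post); the first line
# repeats the "no matching key exchange method" entry quoted in the answer.
SAMPLE_LOG = """\
May 21 02:42:32 hostname sshd[29704]: fatal: ssh_dispatch_run_fatal: Connection to 58.218.204.215: no matching key exchange method found [preauth]
May 21 02:43:10 hostname sshd[29710]: fatal: ssh_dispatch_run_fatal: Connection to 58.218.204.215: no matching key exchange method found [preauth]
May 21 02:44:01 hostname sshd[29715]: Unable to negotiate with 203.0.113.7 port 40122: no matching cipher found. Their offer: aes128-cbc,3des-cbc [preauth]
May 21 02:45:30 hostname sshd[29720]: Invalid user admin from 198.51.100.23
May 21 02:45:31 hostname sshd[29720]: Failed password for invalid user admin from 198.51.100.23 port 51234 ssh2
May 21 02:46:00 hostname sshd[29731]: Accepted publickey for michael from 192.0.2.10 port 52000 ssh2
"""

# "kex": the peer could not even agree on algorithms (the hardened-config
# effect described above); "auth": it got past negotiation and tried
# credentials, which PasswordAuthentication no makes pointless.
STAGE_PATTERNS = [
    ("kex", re.compile(r"Connection to (\S+): no matching")),
    ("kex", re.compile(r"Unable to negotiate with (\S+) port \d+: no matching")),
    ("auth", re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+) port")),
    ("auth", re.compile(r"Invalid user \S+ from (\S+)")),
]

def classify(line):
    """Return (stage, source_ip) for a failed attempt, or None otherwise."""
    for stage, pat in STAGE_PATTERNS:
        m = pat.search(line)
        if m:
            return stage, m.group(1)
    return None

def summarize(log_text):
    """Count failed attempts per stage and per source IP."""
    per_stage, per_ip = Counter(), defaultdict(Counter)
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            stage, ip = hit
            per_stage[stage] += 1
            per_ip[ip][stage] += 1
    return per_stage, dict(per_ip)

def noisy_sources(per_ip, threshold=2):
    """IPs at or above the threshold: candidates for the pf <bruteforce> table."""
    return sorted(ip for ip, c in per_ip.items() if sum(c.values()) >= threshold)
```

On a real machine, feed it the sshd lines from the system log instead of SAMPLE_LOG; successful logins and unrelated lines are ignored.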