Brute Force - can't find how to enable this for SSH

Elvin
Posts: 5
Joined: Sun Mar 20, 2016 9:23 am

Brute Force - can't find how to enable this for SSH

Post by Elvin » Sun Mar 20, 2016 9:34 am

Hi,

Here is my situation. I have a server (actually an OS X 10.9.5 client running a proprietary application).
The company that supports this application required ssh access. I'm seeing ongoing brute force root login attempts (root is disabled).
I've installed and configured MurusFirewall Pro but can't see where Brute Force protection is enabled and the login attempts never seem to be blocked.
I've looked everywhere and can't find how to enable/check this feature.

I'm running newly registered v1.3.6

Any help greatly appreciated.

Elvin.

hany
Posts: 484
Joined: Wed Dec 10, 2014 5:20 pm

Re: Brute Force - can't find how to enable this for SSH

Post by hany » Sun Mar 20, 2016 1:40 pm

Hello Elvin,

- on your Mac, starting from Murus default configuration, simply drag SSH service from the library to inbound services
- select SSH service in inbound and click the SSH's magnifier icon to open SSH inbound rules popover view, click the big gear button to reveal options then check the brute force adaptive option, use max connections = 2
- click play in the toolbar to start pf

This ruleset will allow a maximum of 6 login attempts (3 * max connections) from remote ssh clients to your ssh server. The seventh attempt will trigger the brute force protection system and block the remote IP address. You can manage these blocked addresses in Murus Proactivity window.
I hope it helped :)

Elvin
Posts: 5
Joined: Sun Mar 20, 2016 9:23 am

Re: Brute Force - can't find how to enable this for SSH

Post by Elvin » Sun Mar 20, 2016 3:13 pm

Hi Hany,

Thanks for the excellent response. Not sure how I missed doing what you've suggested but there it is.
I'll give this a go ASAP.

Kind regards,

Elvin.

Elvin
Posts: 5
Joined: Sun Mar 20, 2016 9:23 am

Re: Brute Force - can't find how to enable this for SSH

Post by Elvin » Wed Mar 23, 2016 2:18 pm

Hi Hany,

All I really want to do is to stop the ssh brute force attacks by auto-blocking IPs.
All other ports appear to be okay.
Every choice I make ends up locking me out of the Mac via VPN/Apple Remote Desktop. I'm obviously missing something basic here.
Please help me to do this simple thing.

Kind regards,

Elvin.

hany
Posts: 484
Joined: Wed Dec 10, 2014 5:20 pm

Re: Brute Force - can't find how to enable this for SSH

Post by hany » Thu Mar 24, 2016 10:37 pm

"Every choice I make ends up locking me out of the Mac via VPN/Apple Remote Desktop"
Did you enable brute force protection for these services too? If yes, then disable it. Brute force cannot be enabled for all services, especially Kerberos-based services like afp, smb, ard/vnc and others.
Please enable the brute force option only for SSH service, and place your SSH service at the end of your inbound managed services list.
Let me know

den555
Posts: 8
Joined: Wed Jun 10, 2015 6:39 am

Re: Brute Force - can't find how to enable this for SSH

Post by den555 » Sun Mar 27, 2016 3:24 am

Hany, tell me, please, will bruteforce defence work for VPN L2TP?

Thanks. Denis.

Elvin
Posts: 5
Joined: Sun Mar 20, 2016 9:23 am

Re: Brute Force - can't find how to enable this for SSH

Post by Elvin » Thu Apr 07, 2016 1:55 am

Hi Hany,

I'll have another look when I'm onsite as I can't afford to be locked out via remote again.
Will report back once I've tried.

Elvin.

hany
Posts: 484
Joined: Wed Dec 10, 2014 5:20 pm

Re: Brute Force - can't find how to enable this for SSH

Post by hany » Thu Apr 07, 2016 1:57 pm

den555, I'm afraid it won't work for VPN L2TP, I'm sorry. However, the VPN daemon logs every login attempt (I think so). It may be possible to code a bash script (or a swift script) that reads this log and puts offending IP addresses into one of those hardcoded Murus PF tables that are blocked by default (like _threats or _blacklist). This is the same idea behind fail2ban and other log-based adaptive filters.
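
The log-based approach described in the post above, as an added example that is not part of the thread and is not Murus code. The log line format, the threshold and the allowlist address are assumptions made for illustration; the table name is the one mentioned in the post and should be checked against the running ruleset.

```shell
#!/bin/sh
# Added example: log-based blocking for a service pf cannot rate-limit itself.
# ASSUMED (not from the thread): the log line format, THRESHOLD and ALLOW.
THRESHOLD="${THRESHOLD:-3}"
PF_TABLE="${PF_TABLE:-_blacklist}"   # table name as mentioned in the thread
ALLOW="${ALLOW:-192.0.2.10}"         # space-separated admin IPs never to block

# Constructed sample log; a real deployment would read the VPN daemon's log.
sample_log() {
cat <<'EOF'
Mar 27 03:24:01 mac vpnd[311]: L2TP authentication failed from 203.0.113.7 user "admin"
Mar 27 03:24:03 mac vpnd[311]: L2TP authentication failed from 203.0.113.7 user "root"
Mar 27 03:24:05 mac vpnd[311]: L2TP authentication failed from 203.0.113.7 user "x authentication failed from 198.51.100.99 "
Mar 27 03:25:10 mac vpnd[311]: L2TP authentication failed from 198.51.100.4 user "denis"
Mar 27 03:26:00 mac vpnd[311]: L2TP authentication failed from 192.0.2.10 user "elvin"
Mar 27 03:26:04 mac vpnd[311]: L2TP authentication failed from 192.0.2.10 user "elvin"
Mar 27 03:26:09 mac vpnd[311]: L2TP authentication failed from 192.0.2.10 user "elvin"
Mar 27 03:26:15 mac vpnd[311]: L2TP session established from 192.0.2.10 user "elvin"
EOF
}

# offenders: read a log on stdin, print each source IP with >= THRESHOLD failures.
offenders() {
    awk -v max="$THRESHOLD" -v allow="$ALLOW" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
    {
        # Take only the leftmost match: that field is written by the daemon.
        # The user name comes later, so text placed there is never parsed as a source.
        if (!match($0, /authentication failed from [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+ /)) next
        ip = substr($0, RSTART + 27, RLENGTH - 28)   # 27 = length of the fixed prefix
        split(ip, o, ".")
        for (i = 1; i <= 4; i++) if (o[i] > 255) next
        if (!(ip in skip)) hits[ip]++
    }
    END { for (ip in hits) if (hits[ip] >= max) print ip }' | sort
}

# block: add offenders to the pf table; DRY_RUN=1 (the default) only prints commands.
block() {
    offenders | while read -r ip; do
        if [ "${DRY_RUN:-1}" = 1 ]; then echo "pfctl -t $PF_TABLE -T add $ip"
        else pfctl -t "$PF_TABLE" -T add "$ip"; fi
    done
}

sample_log | block
```

The allowlist is what keeps a mistyped password on the admin's own address from producing the remote lockout described earlier in the thread. With DRY_RUN=0 the script needs root, since pfctl modifies the live table.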
