From: "Peter" <fbsdq@peterk.org>
To: "Leonidas Tsampros"
Cc: Jamie Griffin, freebsd-questions@freebsd.org
Date: Sat, 20 Mar 2010 19:27:44 -0600
Subject: Re: securing sshd
In-Reply-To: <87wrx69b1l.fsf@upnet.gr>

> Jamie Griffin writes:
>
>> Hello
>>
>> I've been reading up on securing sshd after being bombarded with
>> attempted logins.
>>
>> The steps I've taken so far to make things more secure are:
>>
>> * changed the encryption method for passwords in /etc/login.conf from
>>   md5 to blowfish and changed all the passwords to ridiculously obscure
>>   ones (at least as obscure as I could think of).
>>
>> * changed /etc/ttys secure entries to insecure to prevent root logins on
>>   the console
>>
>> (the above are not really sshd specific, I know.)
>>
>> * Disabled root login by ssh in /etc/ssh/sshd_config
>>
>> * Set myself as the only user able to login by ssh
>>
>> * Disabled password logins completely, and to only allow public key
>>   authentication
>>
>> * Changed the default ssh port from 22 to something much higher
>>
>> I'm the only user that will ever need to log into the machine. I
>> wondered, does this setup seem ok and are there any other methods used
>> by anyone on list that might help me to secure remote logins even
>> further?
>
> Hi,
>
> I'm using the following pf snippet in order to "protect" myself and my
> system's logs against brute force attempts on sshd:
>
> #
> # Block them all
> #
> block log quick from <bruteforce>
>
> #
> # connection rate the incoming ssh connections and fill the bruteforce
> # table
> #
> pass in log inet proto tcp from any to any port = 22 \
>     flags S/SA keep state \
>     (max-src-conn 10, max-src-conn-rate 5/4, \
>      overload <bruteforce> flush global)
>
> For more information on how this works, take a look at pf.conf(5).
>
> I don't know if it's complete (or even good practice), but a) I think it
> works for me and b) it does not depend on a port-provided solution.
>
>> Thanks for any help.
>>
>> Jamie

On the same line, portknocking with pf:

.
..
...
# Table for allowed IPs
# [gets auto populated via portknocking]
table <portknock_ssh> persist
.
..
...
block   # default block policy

# Allow everyone to hit 'any' on port '1234' - pf proxies the tcp connection
# [if not using 'synproxy', the connection is never established to
# 'overload' the rule]
# 5 attempts in 15 seconds
pass in log quick proto tcp from any to any port {1234} synproxy state \
    (max-src-conn-rate 5/15, overload <portknock_ssh>)

# Allow IPs that have been 'overload'ed into the portknock_ssh table
pass in log quick proto tcp from {<portknock_ssh>} to any port {ssh}
.
..
...

Although ssh is blocked from all except some trusted IPs, you can still
always have access, you just have to knock first.

]Peter[

Then put a crontab on a per-needed basis to expire all IPs in that table
that have not been referenced in 60 seconds:

* * * * * /sbin/pfctl -vt portknock_ssh -T expire 60

All established sessions will be kept alive; all new sessions will need
to portknock after the IP is cleared from the table.
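As an added illustration of the two pf mechanisms discussed in this thread (the max-src-conn-rate overload into a table, and the cron-driven `pfctl -T expire` of stale entries), the following Python model is not code from either post; it replays constructed connection timestamps through a sliding-window check. The sample addresses are constructed, and the trip condition (more than `count` new connections inside the window, which is how pf applies the limit) is my assumption rather than something the thread states.

```python
"""Model pf's max-src-conn-rate overload and the cron 'pfctl -T expire' step."""
from collections import defaultdict, deque

# Constructed sample traffic: (seconds since start, source address) for each
# new TCP connection that matched the rate-limited rule.
SAMPLE_SYNS = [
    (0, "198.51.100.7"), (1, "198.51.100.7"), (2, "198.51.100.7"),
    (3, "198.51.100.7"), (4, "198.51.100.7"), (5, "198.51.100.7"),  # burst
    (0, "203.0.113.9"), (20, "203.0.113.9"), (40, "203.0.113.9"),
    (60, "203.0.113.9"), (80, "203.0.113.9"), (100, "203.0.113.9"),  # slow
    (10, "192.0.2.1"), (12, "192.0.2.1"), (14, "192.0.2.1"),         # 3, pause
    (40, "192.0.2.1"), (41, "192.0.2.1"), (42, "192.0.2.1"),
    (43, "192.0.2.1"), (44, "192.0.2.1"), (45, "192.0.2.1"),         # 6 in 15 s
]


def overload_sources(syns, count, seconds):
    """Return {source: time_added} for sources that exceed `count` new
    connections inside any sliding `seconds` window, i.e. the sources that
    'max-src-conn-rate count/seconds ... overload <table>' would add.
    Assumption: the limit trips on strictly more than `count`."""
    recent = defaultdict(deque)
    table = {}
    for ts, src in sorted(syns):
        if src in table:
            continue  # already in the table: 'block quick from <table>' drops it
        window = recent[src]
        window.append(ts)
        while window[0] <= ts - seconds:  # slide the window forward
            window.popleft()
        if len(window) > count:
            table[src] = ts
    return table


def expire_table(table, now, seconds):
    """Drop entries not referenced for `seconds`, like the cron job
    'pfctl -t <table> -T expire seconds'. Here an entry's add time stands
    in for its last reference; pf itself refreshes it on every rule match."""
    return {src: ts for src, ts in table.items() if now - ts < seconds}


if __name__ == "__main__":
    hits = overload_sources(SAMPLE_SYNS, count=5, seconds=15)
    print("overloaded:", hits)  # {'198.51.100.7': 5, '192.0.2.1': 45}
    print("after expire at t=70:", expire_table(hits, now=70, seconds=60))
    # after expire at t=70: {'192.0.2.1': 45}
```

The slow source never trips the limit even though it sends more total connections than the burst source, which is the property that lets the knock rule admit a legitimate operator while shedding noisy scanners.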