From: Dino Vliet <dino_vliet@yahoo.com>
To: john@starfire.mn.org
Cc: freebsd-questions@freebsd.org
Date: Fri, 5 Mar 2010 11:09:22 -0800 (PST)
Subject: Re: Thousands of ssh probes
Message-ID: <359839.89221.qm@web51101.mail.re2.yahoo.com>
List-Id: User questions <freebsd-questions@freebsd.org>

Thousands of ssh probes
Friday, March 5, 2010 1:54 PM
From: "John"
To: freebsd-questions@freebsd.org

My nightly security logs have thousands upon thousands of ssh probes in them. One day, over 6500. This is enough that I can actually "feel" it in my network performance.

Other than changing ssh to a non-standard port - is there a way to deal with these? Every day, they originate from several different IP addresses, so I can't just put in a static firewall rule. Is there a way to get ssh to quit responding to a port or a way to generate a dynamic pf rule in cases like this?

-- 
John Lind
john@starfire.MN.ORG

*************************************************************************************************

Hi John,

I'm using pf as a firewall on FreeBSD. I used this handy website: http://www.bgnett.no/~peter/pf/en/bruteforce.html and especially this part:

max-src-conn is the number of simultaneous connections you allow from one host. In this example, I've set it at 100, in your setup you may want a slightly higher or lower value.

max-src-conn-rate is the rate of new connections allowed from any single host, here 15 connections per 5 seconds. Again, you are the one to judge what suits your setup.

I then looked at ssh itself. Key-based authentication only is what I'm allowing on my network now and I have put the AllowUsers directive in my sshd_config.

At the moment I'm so paranoid that I'm reading into this Mandatory Access Control part of the handbook as well.

Good luck,
Dino
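The following is an added worked example and is not code from the thread or from the page Dino links. It puts the two pf knobs he quotes (max-src-conn 100, max-src-conn-rate 15/5) into a complete rule with the overload table that makes the block dynamic, which is what John asked for, and puts the sshd_config hardening he describes (key-only authentication plus AllowUsers) beside it. It also includes a small log checker that applies the same 15-per-5-seconds threshold to sshd "Failed password" lines, so you can read a nightly report and see which sources the overload rule would have trapped. The interface name em0, the user names, and the log lines are all constructed placeholders; the checker counts failed-password lines rather than TCP connections and uses fixed 5-second buckets rather than pf's sliding window, so it is an approximation of what pf does in the kernel.

```shell
#!/bin/sh
# Added example, not the thread's own configuration. Interface and user names
# are placeholders; the sample log lines are constructed.

# pf.conf fragment: the two limits quoted in the reply plus an overload table.
# A source that exceeds either limit is added to <bruteforce>, all its states
# are flushed, and the quick block rule drops it before sshd ever sees it.
pf_fragment() {
    cat <<'EOF'
ext_if = "em0"                      # placeholder interface name
table <bruteforce> persist
block in quick on $ext_if from <bruteforce>
pass in on $ext_if proto tcp to ($ext_if) port ssh flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, overload <bruteforce> flush global)
EOF
}

# sshd_config fragment: key-only authentication and an AllowUsers whitelist,
# as the reply describes. The user names are placeholders.
sshd_fragment() {
    cat <<'EOF'
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowUsers john dino
EOF
}

# Read sshd log lines on stdin and print each source address that produced
# more than 15 "Failed password" lines inside one 5-second bucket, i.e. the
# sources the max-src-conn-rate 15/5 overload would have trapped. Counting
# log lines in fixed buckets approximates pf's per-connection sliding window.
offenders() {
    awk '
    /sshd\[[0-9]+\]: Failed password/ {
        split($3, t, ":")                       # $3 is HH:MM:SS
        secs = t[1] * 3600 + t[2] * 60 + t[3]
        bucket = int(secs / 5)
        for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
        if (++n[ip, bucket] > 15 && !(ip in seen)) { seen[ip] = 1; print ip }
    }'
}

# Constructed sample: 20 failures from one source within a 5-second window
# (which trips the rate) and 2 from another (which does not).
sample_log() {
    i=0
    while [ "$i" -lt 20 ]; do
        echo "Mar  5 19:09:2$((i % 5)) gw sshd[$((4000 + i))]: Failed password for invalid user admin from 203.0.113.7 port $((40000 + i)) ssh2"
        i=$((i + 1))
    done
    echo "Mar  5 19:09:23 gw sshd[4100]: Failed password for john from 198.51.100.9 port 50001 ssh2"
    echo "Mar  5 19:09:24 gw sshd[4101]: Failed password for john from 198.51.100.9 port 50002 ssh2"
}

# Usage: pipe a real log through the checker, e.g.
#   grep sshd /var/log/auth.log | offenders
sample_log | offenders
```

Once the overload rule is loaded, `pfctl -t bruteforce -T show` lists the trapped addresses and `pfctl -t bruteforce -T expire 86400` lets you age them out instead of holding them forever; the checker above is only for reading logs after the fact and does not touch pf.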