From: Tim Judd
To: John
Cc: freebsd-questions@freebsd.org, Programmer In Training
Date: Fri, 5 Mar 2010 13:43:03 -0700
Subject: Re: Thousands of ssh probes

Replies interspersed

On 3/5/10, John wrote:
> On Fri, Mar 05, 2010 at 07:03:53AM -0600, Programmer In Training wrote:
>> On 03/05/10 06:54, John wrote:
>> > My nightly security logs have thousands upon thousands of ssh probes
>> > in them. One day, over 6500. This is enough that I can actually
>> > "feel" it in my network performance. Other than changing ssh to
>> > a non-standard port - is there a way to deal with these? Every
>> > day, they originate from several different IP addresses, so I can't
>> > just put in a static firewall rule. Is there a way to get ssh
>> > to quit responding to a port or a way to generate a dynamic pf
>> > rule in cases like this?
>>
>> Can you not deny all ssh attempts and then allow only from certain,
>> trusted IPs?
>
> Ah, I should have added that I travel a fair amount, and often
> have to get to my systems via hotel WiFi or Aircard, so it's
> impossible to predict my originating IP address in advance. If
> that were not the case, this would be an excellent suggestion.

I've been in that same boat. I eventually came to the decision to:

Install PPTP server software, accepting connections from any IP.
Once connected with PPTP, edit the sshd rule in pf to allow sshd connections.
Optionally reconnect for sshd only.

It's worked well.

>
>> --
>> Yours In Christ,
>>
>> PIT
>> Emails are not formal business letters, whatever businesses may want.
>> Original content copyright under the OWL http://owl.apotheon.org
>> Please do not CC me. If I'm posting to a list it is because I am
>> subscribed.
> --
>
> John Lind
> john@starfire.MN.ORG
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>
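
An added example, not part of the original message or of anyone's reply in the thread: one way to produce the dynamic pf entries the original question asks about, by counting failed sshd logins per source address and emitting pfctl table commands. The log lines are constructed, and the table name ssh_probes, the threshold, and the rule that a source with a successful login is never listed (so a travelling admin's typo does not lock them out) are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in syslog sshd style; addresses are documentation ranges.
SAMPLE_LOG = """\
Mar  5 03:12:01 host sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Mar  5 03:12:03 host sshd[811]: Failed password for root from 203.0.113.7 port 40113 ssh2
Mar  5 03:12:05 host sshd[812]: Failed password for invalid user oracle from 203.0.113.7 port 40114 ssh2
Mar  5 03:12:09 host sshd[813]: Failed password for invalid user x from 192.0.2.50 from 198.51.100.23 port 51000 ssh2
Mar  5 08:30:44 host sshd[900]: Failed password for john from 192.0.2.50 port 60222 ssh2
Mar  5 08:31:10 host sshd[901]: Accepted publickey for john from 192.0.2.50 port 60230 ssh2
"""

PREFIX = r"^\S+\s+\d+ \S+ \S+ sshd\[\d+\]: "
# Greedy ".*" plus "$" takes the address from the end of the line, so text
# inside the user-name field cannot supply the address that gets blocked.
FAIL_RE = re.compile(PREFIX + r"Failed password for .* from (\S+) port \d+ ssh2$")
OK_RE = re.compile(PREFIX + r"Accepted \S+ for \S+ from (\S+) port \d+ ssh2")


def _valid_ip(text):
    """Return the normalised address, or None if it is not a real IP."""
    try:
        return str(ipaddress.ip_address(text))
    except ValueError:
        return None


def offenders(log_text, threshold=3):
    """Sources with >= threshold failures and no successful login."""
    fails, trusted = Counter(), set()
    for line in log_text.splitlines():
        ok, bad = OK_RE.match(line), FAIL_RE.match(line)
        ip = _valid_ip((ok or bad).group(1)) if (ok or bad) else None
        if ip is None:
            continue
        if ok:
            trusted.add(ip)
        else:
            fails[ip] += 1
    return sorted(ip for ip, n in fails.items() if n >= threshold and ip not in trusted)


def pfctl_commands(ips, table="ssh_probes"):
    """Commands that add each source to a pf table (table name is hypothetical)."""
    return [f"pfctl -t {table} -T add {ip}" for ip in ips]


if __name__ == "__main__":
    print("\n".join(pfctl_commands(offenders(SAMPLE_LOG))))
```

The commands only take effect if pf.conf declares the table and blocks on it, for example `table <ssh_probes> persist` followed by `block in quick proto tcp from <ssh_probes> to any port 22`.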