From: Erik Norgaard
Date: Sat, 06 Mar 2010 02:44:13 +0100
To: freebsd-questions@freebsd.org
Subject: Re: Thousands of ssh probes
Message-ID: <4B91B36D.1020507@locolomo.org>
In-Reply-To: <20100305125446.GA14774@elwood.starfire.mn.org>
References: <20100305125446.GA14774@elwood.starfire.mn.org>

On 05/03/10 13:54, John wrote:
> My nightly security logs have thousands upon thousands of ssh probes
> in them. One day, over 6500. This is enough that I can actually
> "feel" it in my network performance. Other than changing ssh to
> a non-standard port - is there a way to deal with these? Every
> day, they originate from several different IP addresses, so I can't
> just put in a static firewall rule. Is there a way to get ssh
> to quit responding to a port or a way to generate a dynamic pf
> rule in cases like this?
This is a frequent question on the list, search the archives. Basically there are a few things that you can do:

1. Limit the access to a range of IPs. For example, even if you travel a lot you go to a limited number of countries, why permit access from other continents?

2. Limit access to certain users, there is no need to allow games or the root user to authenticate via ssh. Use AllowUsers or AllowGroups to restrict access to real users.

3. Limit the amount of concurrent non-authenticated connections, number of failed attempts and similar.

4. Prohibit password authentication.

If the problem is that these attacks consume significant bandwidth then moving your service to a different port may be a good solution, but if your concern is security, then the above is more effective.

BR, Erik

--
Erik Nørgaard
Ph: +34.666334818/+34.915211157
http://www.locolomo.org
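The four points above, plus the dynamic pf rule John asked about, as an added configuration example that is not part of the original thread. The interface name, the group name `sshusers`, the address ranges and the thresholds are assumptions chosen for illustration; adjust them to the site.

```conf
# ---- /etc/ssh/sshd_config (relevant directives only) ----
# 2. only members of an assumed "sshusers" group may log in; no root, no system accounts
AllowGroups sshusers
PermitRootLogin no
# 3. cap unauthenticated connections (start dropping at 10, drop all at 60)
#    and the number of authentication attempts per connection
MaxStartups 10:30:60
MaxAuthTries 3
LoginGraceTime 30
# 4. keys only: disable password and keyboard-interactive logins
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
# reverse DNS lookups add latency under a probe flood and buy nothing
UseDNS no

# ---- /etc/pf.conf (ssh-related rules only) ----
ext_if = "em0"                                  # assumed external interface
# 1. static allow list: the networks you actually connect from (example ranges)
table <ssh_allowed> { 192.0.2.0/24, 198.51.100.0/24 }
# dynamic block list, filled by the overload clause below; "persist" keeps it
# alive even while empty so a cron job can expire entries from it
table <ssh_bruteforce> persist

# hosts already caught by the rate limit are dropped before anything else
block in quick on $ext_if proto tcp from <ssh_bruteforce> to ($ext_if) port ssh

# allowed networks may connect, but a source opening more than 5 new ssh
# connections per 60 s, or holding more than 10 states, is added to the
# dynamic table and all its existing states are flushed
pass in quick on $ext_if proto tcp from <ssh_allowed> to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 5/60, overload <ssh_bruteforce> flush global)

# everything else never reaches sshd, so it costs no sshd CPU or log lines
block in on $ext_if proto tcp to ($ext_if) port ssh
```

Entries in the dynamic table do not expire on their own; a daily cron entry such as `pfctl -t ssh_bruteforce -T expire 86400` removes addresses older than a day, and `pfctl -t ssh_bruteforce -T show` lists what is currently blocked.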