From owner-freebsd-questions@FreeBSD.ORG Sat Mar 20 18:40:05 2010
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id AC215106566C for ; Sat, 20 Mar 2010 18:40:05 +0000 (UTC) (envelope-from norgaard@locolomo.org)
Received: from mail.locolomo.org (97.pool85-48-194.static.orange.es [85.48.194.97]) by mx1.freebsd.org (Postfix) with ESMTP id 5DD868FC0C for ; Sat, 20 Mar 2010 18:40:05 +0000 (UTC)
Received: from beta.local (ppp-88-217-26-61.dynamic.mnet-online.de [88.217.26.61]) by mail.locolomo.org (Postfix) with ESMTPSA id C23791C0871 for ; Sat, 20 Mar 2010 19:40:03 +0100 (CET)
Message-ID: <4BA51681.4020209@locolomo.org>
Date: Sat, 20 Mar 2010 19:40:01 +0100
From: Erik Norgaard
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.8) Gecko/20100227 Lightning/1.0b1 Thunderbird/3.0.3
MIME-Version: 1.0
To: freebsd-questions@freebsd.org
References: <201003201723.o2KHNqBd001280@fix.fantomatic.co.uk>
In-Reply-To: <201003201723.o2KHNqBd001280@fix.fantomatic.co.uk>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 8bit
Subject: Re: securing sshd
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
X-List-Received-Date: Sat, 20 Mar 2010 18:40:05 -0000

On 20/03/10 18:23, Jamie Griffin wrote:
> The reason I went with that decision is because I only expect to be
> logging in to the server from two locations: at home or from a
> computer at my university

In that case, the best thing you can do is figure out the IP ranges of either location. Check your log for your own successful logins to find the source IP, then look up the range with whois. You can be pretty sure that wherever you are on campus, the assigned IP will be in that range.

Then just allow access from those ranges and block everything else in your firewall. Whitelists are far easier to manage than blacklists.

Having some daemon running to monitor illicit attempts to login and block the source is futile. You can be almost certain that you won't see that IP in your logs again, partly because these attempts may come from botnets, partly because the source may be assigned IP dynamically.

Btw. I found two articles on securityfocus.com, the first is analysis using a honeypot, as you see these attacks are pretty lame:

http://www.symantec.com/connect/articles/analyzing-malicious-ssh-login-attempts

Then somebody having to respond, because security was pretty lame:

http://www.symantec.com/connect/articles/responding-brute-force-ssh-attack?ref=rss

BR, Erik

-- 
Erik Nørgaard
Ph: +34.666334818/+34.915211157
http://www.locolomo.org
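The whitelisting procedure Erik describes (find your own successful logins in the sshd log, work out the ranges they belong to, then allow only those ranges and block everything else) as an added worked example; this is not code from the thread or from FreeBSD. The log lines are constructed in the sshd `Accepted ... from ...` format, the two CIDR ranges stand in for what a whois lookup would return for the home and university connections (whois itself is a manual step here), and the output is a pf.conf fragment that blocks SSH by default and passes it only from a table of allowed ranges. The interface name `em0` is an assumption.

```python
import ipaddress
import re

# Constructed sample of /var/log/auth.log sshd lines (not from the post):
# two successful logins from the admin's own locations and a few failed
# attempts from elsewhere.
SAMPLE_AUTH_LOG = """\
Mar 20 10:12:01 fix sshd[1280]: Accepted publickey for jamie from 192.0.2.17 port 51234 ssh2
Mar 20 10:15:44 fix sshd[1301]: Failed password for invalid user admin from 203.0.113.9 port 4122 ssh2
Mar 20 11:02:10 fix sshd[1355]: Accepted password for jamie from 198.51.100.201 port 60001 ssh2
Mar 20 11:02:11 fix sshd[1355]: Accepted publickey for jamie from 198.51.100.201 port 60001 ssh2
Mar 20 12:30:00 fix sshd[1400]: Failed password for root from 203.0.113.77 port 33004 ssh2
"""

# Assumed ranges for the two locations, standing in for whois results.
ASSUMED_RANGES = {
    "home": "192.0.2.0/24",
    "university": "198.51.100.0/24",
}

# Matches the sshd success message; group 1 is the user, group 2 the source IP.
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+) port \d+")


def accepted_sources(log_text):
    """Return the distinct source IPs of successful sshd logins, first-seen order."""
    seen = []
    for line in log_text.splitlines():
        match = ACCEPTED_RE.search(line)
        if match:
            ip = match.group(2)
            if ip not in seen:
                seen.append(ip)
    return seen


def uncovered_sources(sources, ranges):
    """Return the source IPs that none of the given CIDR ranges cover.

    A non-empty result before deploying the rules means a range is missing
    or too narrow and you would lock yourself out.
    """
    nets = [ipaddress.ip_network(r, strict=False) for r in ranges]
    return [ip for ip in sources if not any(ipaddress.ip_address(ip) in n for n in nets)]


def pf_rules(ranges, iface="em0"):
    """Render a pf.conf fragment: allowed-range table, default block, SSH pass rule.

    pf applies the last matching rule, so the block comes first and the
    narrower pass rule for the whitelisted table overrides it.
    """
    lines = [
        "table <ssh_allowed> { " + ", ".join(ranges) + " }",
        "block in on %s proto tcp from any to any port 22" % iface,
        "pass in on %s proto tcp from <ssh_allowed> to any port 22" % iface,
    ]
    return "\n".join(lines) + "\n"


def build_whitelist(log_text, ranges, iface="em0"):
    """Check the ranges against the log, then return the pf fragment.

    Raises ValueError if a successful login came from outside the ranges,
    because deploying such a ruleset would cut off a legitimate location.
    """
    sources = accepted_sources(log_text)
    missing = uncovered_sources(sources, ranges)
    if missing:
        raise ValueError("successful logins not covered by any range: %s" % ", ".join(missing))
    return pf_rules(ranges, iface)


if __name__ == "__main__":
    print("successful login sources:", accepted_sources(SAMPLE_AUTH_LOG))
    print(build_whitelist(SAMPLE_AUTH_LOG, list(ASSUMED_RANGES.values())))
```

Run it against a real auth.log to list the source IPs you actually log in from; the ranges in `ASSUMED_RANGES` must then be replaced with the whois results for those addresses before the generated fragment is loaded with `pfctl`. The `uncovered_sources` check is the step worth keeping: it refuses to emit rules that would block an address you have already used.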