From: Tim Daneliuk <tundra@tundraware.com>
To: FreeBSD Mailing List <freebsd-questions@freebsd.org>
Subject: Re: Thousands of ssh probes
Date: Fri, 05 Mar 2010 21:58:57 -0600
Message-ID: <4B91D301.9060606@tundraware.com>
In-Reply-To: <4B91B36D.1020507@locolomo.org>
References: <20100305125446.GA14774@elwood.starfire.mn.org> <4B91B36D.1020507@locolomo.org>

On 3/5/2010 7:44 PM, Erik Norgaard wrote:
> On 05/03/10 13:54, John wrote:
>> My nightly security logs have thousands upon thousands of ssh probes
>> in them. One day, over 6500. This is enough that I can actually
>> "feel" it in my network performance. Other than changing ssh to
>> a non-standard port - is there a way to deal with these? Every
>> day, they originate from several different IP addresses, so I can't
>> just put in a static firewall rule. Is there a way to get ssh
>> to quit responding to a port or a way to generate a dynamic pf
>> rule in cases like this?
>
> This is a frequent question on the list, search the archives. Basically
> there are a few things that you can do:
>
> 1. limit the access to a range of IPs, for example, even if you travel a
> lot you go to a limited number of countries, why permit access from
> other continents?
>
> 2. limit access to certain users, there is no need to allow games or
> root user to authenticate via ssh. Use AllowUsers or AllowGroups to
> restrict access to real users.
>
> 3. limit the amount of concurrent non-authenticated connections, number
> of failed attempts and similar.
>
> 4. prohibit password authentication.
>
> If the problem is that these attacks consume significant bandwidth then
> moving your service to a different port may be a good solution, but if
> your concern is security, then the above is more effective.
>
> BR, Erik
>

I solved this problem a slightly different way with dynamic TCP wrapper
control:

http://www.tundraware.com/Software/tperimeter/

-- 
----------------------------------------------------------------------------
Tim Daneliuk     tundra@tundraware.com
PGP Key:         http://www.tundraware.com/PGP/
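The following is an added example, not code from the thread and not Tim's tperimeter, showing the dynamic pf approach John asked about: count sshd "Failed password" lines per source address and feed the noisy ones into a pf table. The table name (sshbrute), the threshold, the pf.conf fragment in the header comment and the sample log lines are all this example's own assumptions; the log lines use documentation address ranges and are constructed, not taken from any real host. Erik's point 3 is handled on the pf side by max-src-conn-rate with an overload table, which catches fast single-source bursts inline; the script exists for slow or distributed probing that stays under that rate. Erik's points 2 and 4 are plain sshd_config settings (AllowUsers or AllowGroups, PasswordAuthentication no, and on a PAM-enabled FreeBSD sshd also ChallengeResponseAuthentication no, since keyboard-interactive otherwise still accepts passwords; MaxStartups and MaxAuthTries cap unauthenticated connections and attempts per connection).

```shell
#!/bin/sh
# Added example, not code from the thread or from tperimeter.
# Reads sshd auth log lines on stdin, counts "Failed password" events per
# source address, and lists the addresses that reach a threshold so a cron
# job can push them into a pf table. Assumed pf.conf (names are this
# example's own, not from the thread):
#
#   table <sshbrute> persist
#   block in quick on $ext_if from <sshbrute>
#   pass in on $ext_if proto tcp to ($ext_if) port ssh flags S/SA keep state \
#       (max-src-conn-rate 5/30, overload <sshbrute> flush global)

THRESHOLD="${THRESHOLD:-10}"   # failures per source before it is listed
TABLE="${TABLE:-sshbrute}"     # pf table name, must exist in pf.conf

# Constructed sample in FreeBSD auth.log format: one source with 12
# failures, one with 2, and an unrelated successful login that must be
# ignored. Addresses are from the documentation ranges (RFC 5737).
sample_log() {
    i=0
    while [ "$i" -lt 12 ]; do
        printf 'Mar  5 03:%02d:00 ozzie sshd[%d]: Failed password for invalid user admin from 203.0.113.7 port %d ssh2\n' \
            "$i" "$((1000 + i))" "$((40000 + i))"
        i=$((i + 1))
    done
    echo 'Mar  5 03:20:01 ozzie sshd[1100]: Invalid user oracle from 198.51.100.9'
    echo 'Mar  5 03:20:02 ozzie sshd[1100]: Failed password for invalid user oracle from 198.51.100.9 port 51022 ssh2'
    echo 'Mar  5 03:20:05 ozzie sshd[1101]: Failed password for root from 198.51.100.9 port 51023 ssh2'
    echo 'Mar  5 03:21:10 ozzie sshd[1102]: Accepted publickey for tundra from 192.0.2.44 port 60100 ssh2'
}

# offenders: print "<count> <ip>" for every source at or above THRESHOLD,
# highest count first. Only "Failed password" lines are counted; the
# separate "Invalid user" line sshd logs for unknown accounts describes the
# same attempt and would double-count it.
offenders() {
    awk -v thr="$THRESHOLD" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= thr) print fails[ip], ip }
    ' | sort -rn
}

# blocklist: the offending addresses only, one per line.
blocklist() { offenders | awk '{ print $2 }'; }

# apply: add the addresses to the pf table. Needs root and pf enabled.
# Pair it with "pfctl -t $TABLE -T expire 86400" in the same cron job so
# entries age out instead of accumulating forever.
apply() {
    ips=$(blocklist)
    [ -n "$ips" ] && pfctl -t "$TABLE" -T add $ips
}

# Stand-alone demo on the constructed sample:
#   sample_log | offenders
# Real use, for example hourly from cron:
#   apply < /var/log/auth.log
```

On the sample, offenders lists only 203.0.113.7 (12 failures) at the default threshold of 10; 198.51.100.9 appears once the threshold is lowered to 2, and the successful publickey login from 192.0.2.44 is never counted. The threshold should sit well above what a legitimate user produces in a day of typos, because the pf block rule drops everything from the listed address, not just ssh.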