From owner-freebsd-questions@FreeBSD.ORG Tue Mar 15 07:18:01 2005
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0318616A4CE for ; Tue, 15 Mar 2005 07:18:01 +0000 (GMT)
Received: from skipjack.no-such-agency.net (skipjack.no-such-agency.net [64.142.114.146]) by mx1.FreeBSD.org (Postfix) with ESMTP id B92A043D55 for ; Tue, 15 Mar 2005 07:18:00 +0000 (GMT) (envelope-from jpp@cloudview.com)
Received: from skipjack.no-such-agency.net (localhost [127.0.0.1]) by skipjack.no-such-agency.net (Postfix) with ESMTP id 616D434F61B; Mon, 14 Mar 2005 23:18:00 -0800 (PST)
Received: from [192.168.2.120] (blackhole.no-such-agency.net [64.142.103.196]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by skipjack.no-such-agency.net (Postfix) with ESMTP id C7C6C34F61A; Mon, 14 Mar 2005 23:17:59 -0800 (PST)
Message-ID: <42368C27.7060702@cloudview.com>
Date: Mon, 14 Mar 2005 23:17:59 -0800
From: John Pettitt
Organization: CloudView Photographic
User-Agent: Mozilla Thunderbird 1.0 (Windows/20041206)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Kyle Jensen
References:
In-Reply-To:
X-Enigmail-Version: 0.90.1.1
X-Enigmail-Supports: pgp-inline, pgp-mime
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-AV-Checked: by skipjack
cc: freebsd-questions@freebsd.org
Subject: Re: Cutting down on ssh breakin attempts
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 15 Mar 2005 07:18:01 -0000

Kyle Jensen wrote:
> Hi,
>
> I run a webmail server for a small company, which
> is (of course) running FreeBSD 5-stable. I get about
> 50-100 failed login attempts via ssh on a daily basis.
>
> Occasionally, these show up in my daily security digest
> with messages like:
>
> reverse mapping checking getaddrinfo for h169-210-68-8.a
> dcast.com.tw failed - POSSIBLE BREAKIN ATTEMPT!
>
> But mostly it's stuff like
>
> Illegal user postgres from 210.68.8.169
>
> What's the best way to cut down on these attempts?
> I thought about adding a blacklist to my pf.conf rules
> for the pf firewall.
>
> Any thoughts would be greatly appreciated!
> Kyle

Four suggestions:

1) If you know where your valid ssh logins are going to come from, filter out everything else.

2) If you haven't already done so, switch to public key authentication on ssh and disable password logins (doesn't stop the attempts but gives peace of mind that they are not going to work).

3) Move your sshd to a non-standard port (will stop the scripts and scanners but won't make any difference to a good blackhat).

4) Implement a port knocking strategy (too much hassle in my view but YMMV).
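The following is an added example, not code from either poster: it turns the two sshd message shapes quoted in the thread into the pf.conf material that suggestion 1 (allow-list of known source networks) and Kyle's own blacklist idea call for. The log lines are constructed to match the quoted forms; the table names `sshbrute` and `ssh_allowed`, the `$ext_if` macro and the threshold of 3 failures are assumptions. Note that the "reverse mapping checking getaddrinfo" line as quoted names only a hostname, so it cannot be blocked by address without a separate lookup; the parser counts those lines rather than guessing an IP.

```python
import re
from collections import Counter

# Constructed sample in the two sshd message forms quoted in the thread,
# plus one successful login that must not be counted.
SAMPLE_LOG = """\
Mar 14 03:12:01 mail sshd[4711]: Illegal user postgres from 210.68.8.169
Mar 14 03:12:04 mail sshd[4713]: Illegal user admin from 210.68.8.169
Mar 14 03:12:07 mail sshd[4715]: Illegal user test from 210.68.8.169
Mar 14 03:15:40 mail sshd[4720]: reverse mapping checking getaddrinfo for h169-210-68-8.adcast.com.tw failed - POSSIBLE BREAKIN ATTEMPT!
Mar 14 04:01:22 mail sshd[4802]: Illegal user oracle from 192.0.2.77
Mar 14 05:30:00 mail sshd[4900]: Accepted publickey for kyle from 198.51.100.5 port 51022 ssh2
"""

ILLEGAL_USER = re.compile(r"Illegal user (\S+) from (\d{1,3}(?:\.\d{1,3}){3})")
REVERSE_MAP = re.compile(r"reverse mapping checking getaddrinfo for \S+ failed")


def parse_failures(log_text):
    """Return (Counter of source IP -> failed attempts, number of lines that
    name only a hostname). Hostname-only lines carry no address to block."""
    per_ip = Counter()
    hostname_only = 0
    for line in log_text.splitlines():
        m = ILLEGAL_USER.search(line)
        if m:
            per_ip[m.group(2)] += 1
        elif REVERSE_MAP.search(line):
            hostname_only += 1
    return per_ip, hostname_only


def offenders(per_ip, threshold):
    """Addresses with at least `threshold` failures, most active first."""
    return [ip for ip, n in per_ip.most_common() if n >= threshold]


def pf_blacklist(ips, table="sshbrute", ext_if="$ext_if"):
    """pf.conf lines: a persistent table of offenders and a quick block
    on the ssh port. An empty table is declared without a brace list."""
    decl = f"table <{table}> persist"
    if ips:
        decl += " { " + ", ".join(ips) + " }"
    return [
        decl,
        f"block in quick on {ext_if} proto tcp from <{table}> to any port ssh",
    ]


def pf_allowlist(cidrs, table="ssh_allowed", ext_if="$ext_if"):
    """Suggestion 1 in pf terms: pass ssh only from known networks (assumed
    CIDRs), then block ssh from everywhere else."""
    return [
        f"table <{table}> {{ " + ", ".join(cidrs) + " }",
        f"pass in quick on {ext_if} proto tcp from <{table}> to any port ssh",
        f"block in quick on {ext_if} proto tcp to any port ssh",
    ]


if __name__ == "__main__":
    per_ip, hostname_only = parse_failures(SAMPLE_LOG)
    print(f"# {sum(per_ip.values())} failed attempts from {len(per_ip)} addresses, "
          f"{hostname_only} hostname-only lines not attributable to an address")
    for line in pf_blacklist(offenders(per_ip, threshold=3)):
        print(line)
    for line in pf_allowlist(["198.51.100.0/24"]):
        print(line)
```

On a FreeBSD host the input would be the sshd lines from /var/log/auth.log (or the daily security digest); the printed `table` and `block` lines go into pf.conf, and the table can be refreshed with `pfctl -t sshbrute -T replace` without reloading the ruleset. The allow-list form is the stronger of the two since it needs no log feedback at all, which is why it is the first suggestion in the reply.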