From: "John Brooks"
To: "Marcin Jessa"
Cc: freebsd-isp@freebsd.org
Date: Thu, 9 Jun 2005 08:56:33 -0500
Subject: RE: inbound ssh ceased on 4 servers at same time

All traffic must pass thru the firewall in order to reach the inside network. There are no nat redirect rules for port 22, so all port 22 traffic is intercepted by the firewall. The only way to reach interior hosts is to specifically log onto the firewall and from the firewall ssh into the interior hosts.

On some of my networks the firewall will only accept traffic from specific hosts, dropping all others. (sshd is running on all hosts)

All of my firewalls are running hardened versions of OpenBSD.
All of the servers behind the firewalls are running FreeBSD.

--
John Brooks
john@day-light.com

> -----Original Message-----
> From: Marcin Jessa [mailto:lists@yazzy.org]
> Sent: Thursday, June 09, 2005 8:39 AM
> To: john@day-light.com
> Cc: freebsd-isp@freebsd.org
> Subject: Re: inbound ssh ceased on 4 servers at same time
>
>
> Hi John, guys.
>
> On Sat, 4 Jun 2005 13:14:28 -0500
> "John Brooks" wrote:
>
> > Thanks, sounds good to do on the outward facing firewall. These
> > four freebsd boxes are protected behind an openbsd firewall so
> > none of the brute-force sshd attacks have ever reached them.
>
> How do you filter those brute-force attacks?
> Do you check existence of users on the actual server running sshd?
> I get hundreds of those attacks every day.
>
> Cheers,
> Marcin Jessa.
>
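
Added example, not part of the original message and not John's actual ruleset: a minimal pf.conf sketch of the layout described above, assuming the OpenBSD firewall runs pf with current rule syntax. Interface names, table names and all addresses are constructed placeholders.

```conf
# pf.conf sketch: ssh stops at the firewall, interior hosts are a second hop.
# Every name and address below is a constructed placeholder.

ext_if = "em0"                        # outside interface (assumed name)
int_if = "em1"                        # inside interface (assumed name)

table <admins>   { 192.0.2.10 }       # the "specific hosts" allowed to log in
table <interior> { 10.0.0.0/24 }      # FreeBSD servers behind the firewall

set skip on lo

# Default deny in both directions; anything not passed below is dropped.
block log all

# Inbound ssh is answered by the firewall's own sshd, and only for
# sources listed in <admins>. All other port 22 traffic hits "block".
pass in on $ext_if inet proto tcp from <admins> to ($ext_if) port 22

# There is deliberately no rdr-to / nat rule for port 22, so no ssh
# connection from outside is ever forwarded to an interior address.

# Second hop: ssh sessions that originate on the firewall itself.
pass out on $int_if inet proto tcp from ($int_if) to <interior> port 22
```

Checking the file with `pfctl -nf /etc/pf.conf` parses the rules without loading them, and `pfctl -sr` shows what is active after a reload.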