From owner-freebsd-pf@FreeBSD.ORG Mon May 15 16:07:40 2006
From: "Bill Marquette" <bill.marquette@gmail.com>
To: "GreenX FreeBSD"
Cc: freebsd-pf@freebsd.org
Date: Mon, 15 May 2006 11:07:36 -0500
Subject: Re: promt solution with max-src-conn-rate
Message-ID: <55e8a96c0605150907k49af4454t5d0431ea036e11bc@mail.gmail.com>
In-Reply-To: <446873D3.7090703@azimut-tour.ru>
References: <44680266.2090007@azimut-tour.ru> <446873D3.7090703@azimut-tour.ru>
List-Id: "Technical discussion and general questions about packet filter (pf)"
On 5/15/06, GreenX FreeBSD wrote:
> > I'd advise against what you're trying to do. It won't make your box
> > more secure.
> Why?
> Simply put, you will not get onto ssh any more.
> If I am not mistaken, the probability that the scanner will begin its
> check with the "key" port and then immediately check sshd is
> 1 / (0xFFFF*0xFFFE).
> If he does not do this, he can be caught by max-src-conn-rate on the
> public services, and a forward set up for him from all ports to ssh on
> localhost.

And you always connect from a trusted network? Presumably the answer to
this is no, else you'd just put rules in to allow the trusted network to
connect. Port-knocking is security through obscurity at its best and at a
minimum is wide open to replay attacks. If the concern is simply that you
don't want someone brute forcing an account, force the use of SSH
authorized keys. Run a script watching the logs for anyone failing logins
and add those addresses to a block list.

--Bill
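The log-watching block list that Bill describes, as an added example written for this page; it is not code from the thread, from FreeBSD or from pf. It assumes sshd logs in the usual FreeBSD syslog format (as in /var/log/auth.log), a pf table named sshbrute declared in pf.conf and referenced by a block rule (both the table name and the rule are the example's own choices), and a trusted network of 198.51.100.0/24 that is never blocked, which is what Bill's first question is about. The log lines embedded below are constructed from RFC 5737 test addresses, not captured traffic. The pfctl invocation it builds, `pfctl -t <table> -T add <addr>`, is the standard way to add an address to a pf table.

```python
"""Watch sshd authentication failures and feed offenders into a pf table.

Added example, not code from the freebsd-pf thread or from pf itself.
Assumed setup (names are the example's choices, not anything the thread specifies):

  # /etc/ssh/sshd_config: force authorized keys, as the reply suggests
  PasswordAuthentication no
  ChallengeResponseAuthentication no

  # /etc/pf.conf: the block list this script populates
  table <sshbrute> persist
  block in quick on $ext_if from <sshbrute> to any
"""
import re
import subprocess
import sys
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

PF_TABLE = "sshbrute"   # assumed table name, must match pf.conf
THRESHOLD = 3           # this many failures ...
WINDOW_SEC = 300        # ... inside this many seconds gets an address blocked

# Constructed sample of /var/log/auth.log lines (RFC 5737 test addresses, not real traffic).
SAMPLE_LOG = """\
May 15 16:01:02 fw sshd[1201]: Failed password for root from 192.0.2.10 port 51234 ssh2
May 15 16:01:04 fw sshd[1203]: Failed password for root from 192.0.2.10 port 51236 ssh2
May 15 16:01:05 fw sshd[1205]: Invalid user admin from 192.0.2.10
May 15 16:01:06 fw sshd[1205]: Failed password for invalid user admin from 192.0.2.10 port 51240 ssh2
May 15 16:01:30 fw sshd[1210]: Failed password for bill from 198.51.100.7 port 40001 ssh2
May 15 16:02:10 fw sshd[1212]: Accepted publickey for bill from 198.51.100.7 port 40002 ssh2
May 15 16:09:00 fw sshd[1220]: Failed password for root from 203.0.113.5 port 22222 ssh2
May 15 16:09:01 fw sshd[1221]: Failed password for root from 203.0.113.5 port 22223 ssh2
May 15 16:09:02 fw sshd[1222]: Failed password for root from 203.0.113.5 port 22224 ssh2
May 15 16:09:03 fw sshd[1223]: Failed password for root from 203.0.113.5 port 22225 ssh2
"""

# syslog prefix: "May 15 16:01:02 host sshd[pid]: message"
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: (?P<msg>.*)$")
# One failure per "Failed <method> for [invalid user] <name> from <ip>" line. The separate
# "Invalid user ... from" line belongs to the same attempt and is deliberately not counted,
# and a successful "Accepted ..." line never matches.
FAIL_RE = re.compile(r"^Failed \S+ for (?:invalid user )?\S+ from (?P<ip>[0-9A-Fa-f.:]+)")


def parse_failures(text):
    """Return {source_ip: [datetime, ...]} for every sshd failure line in text."""
    failures = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        f = FAIL_RE.match(m.group("msg"))
        if not f:
            continue
        # syslog timestamps carry no year; strptime defaults to 1900, which is fine for
        # the relative comparisons below (a New Year rollover would need extra care).
        ts = datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S")
        failures[f.group("ip")].append(ts)
    return failures


def find_offenders(failures, threshold=THRESHOLD, window_sec=WINDOW_SEC, trusted=()):
    """Addresses with >= threshold failures inside any window_sec span, minus trusted networks."""
    nets = [ip_network(n) for n in trusted]
    offenders = []
    for ip, times in failures.items():
        addr = ip_address(ip)
        if any(addr in net for net in nets):
            continue  # never lock yourself out of your own networks
        times = sorted(times)
        lo = 0
        for hi in range(len(times)):  # sliding window over the sorted timestamps
            while (times[hi] - times[lo]).total_seconds() > window_sec:
                lo += 1
            if hi - lo + 1 >= threshold:
                offenders.append(ip)
                break
    return sorted(offenders)


def pfctl_commands(offenders, table=PF_TABLE):
    """pfctl(8) invocations that add each offender to the block-list table."""
    return [["pfctl", "-t", table, "-T", "add", ip] for ip in offenders]


def main(argv):
    apply_changes = "--apply" in argv
    paths = [a for a in argv[1:] if a != "--apply"]
    text = open(paths[0]).read() if paths else SAMPLE_LOG
    trusted = ["198.51.100.0/24"]  # assumed: the admin's own network, never blocked
    for cmd in pfctl_commands(find_offenders(parse_failures(text), trusted=trusted)):
        print(" ".join(cmd))
        if apply_changes:
            subprocess.run(cmd, check=True)


if __name__ == "__main__":
    main(sys.argv)
```

Run it with no arguments to see the pfctl commands it would issue for the sample, with a log path to evaluate a real file, and add `--apply` to actually populate the table (root is needed for pfctl). The trusted list is the answer to "do you always connect from a trusted network": addresses in it are never blocked, so a typo from your own desk does not lock you out. Note what this catches that a connection-rate rule alone does not: max-src-conn-rate sees TCP connection attempts, while only the log watcher sees authentication failures, so a slow attacker under the connection rate still ends up in the table once sshd has refused him three times.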