From owner-freebsd-questions@FreeBSD.ORG Sun Mar 7 20:58:36 2010
Date: Sun, 7 Mar 2010 15:41:14 -0500
From: dacoder <dc@dcoder.net>
To: freebsd-questions@freebsd.org
Message-ID: <20100307204114.GK16274@mail2.dcoder.net>
References: <20100305125446.GA14774@elwood.starfire.mn.org> <4B91B36D.1020507@locolomo.org>
In-Reply-To: <4B91B36D.1020507@locolomo.org>
Subject: Re: Thousands of ssh probes

+++ Erik Norgaard [06/03/10 02:44 +0100]:
> On 05/03/10 13:54, John wrote:
>> My nightly security logs have thousands upon thousands of ssh probes
>> in them. One day, over 6500. This is enough that I can actually
>> "feel" it in my network performance. Other than changing ssh to
>> a non-standard port - is there a way to deal with these? Every
>> day, they originate from several different IP addresses, so I can't
>> just put in a static firewall rule. Is there a way to get ssh
>> to quit responding to a port or a way to generate a dynamic pf
>> rule in cases like this?
>
> This is a frequent question on the list, search the archives. Basically
> there are few things that you can do:
>
> 1. limit the access to a range of IPs, for example, even if you travel a
> lot you go to a limited number of countries, why permit access from
> other continents?
>
> 2. limit access to certain users, there is no need to allow games or
> root user to authenticate via ssh. Use AllowUsers or AllowGroups to
> restrict access to real users.
>
> 3. limit the amount of concurrent non-authenticated connections, number
> of failed attempts and similar.
>
> 4. prohibit password authentication.
>
> If the problem is that these attacks consume significant bandwidth then
> moving your service to a different port may be a good solution, but if
> your concern is security, then the above is more effective.
>
> BR, Erik
>
> --
> Erik Nørgaard
> Ph: +34.666334818/+34.915211157 http://www.locolomo.org
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"

--

has anybody suggested having sshd listen on a high port?

regards,

david coder
network engineer emeritus, verio/ntt
telluride, co & washington, dc
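John asked for a way to build a dynamic pf rule from the probes he sees, and Erik's point 3 is about limiting failed attempts per source. The script below is an added example, not code from anyone in this thread: it parses a constructed sample of FreeBSD auth.log lines, counts "Failed password" events per source address, and emits (but does not run) the pfctl commands that would add each repeat offender to a pf table. The table name bruteforce, the threshold of 5, and the sample log lines are all assumptions made for the example.

```shell
#!/bin/sh
# Constructed sample of FreeBSD /var/log/auth.log sshd lines (not real log data).
SAMPLE_LOG='Mar  7 03:12:01 gw sshd[8123]: Invalid user games from 203.0.113.5
Mar  7 03:12:02 gw sshd[8123]: Failed password for invalid user games from 203.0.113.5 port 40211 ssh2
Mar  7 03:12:04 gw sshd[8127]: Failed password for root from 203.0.113.5 port 40215 ssh2
Mar  7 03:12:05 gw sshd[8127]: Failed password for root from 203.0.113.5 port 40215 ssh2
Mar  7 03:12:07 gw sshd[8130]: Failed password for root from 203.0.113.5 port 40220 ssh2
Mar  7 03:12:09 gw sshd[8131]: Failed password for admin from 203.0.113.5 port 40222 ssh2
Mar  7 03:15:40 gw sshd[8140]: Failed password for alice from 198.51.100.7 port 50123 ssh2
Mar  7 03:15:55 gw sshd[8140]: Accepted publickey for alice from 198.51.100.7 port 50123 ssh2
Mar  7 03:20:00 gw sshd[8150]: Failed password for root from 192.0.2.9 port 33001 ssh2
Mar  7 03:20:01 gw sshd[8151]: Failed password for root from 192.0.2.9 port 33002 ssh2'

# failed_by_ip: print "count ip" for every source address that produced at
# least one "Failed password" line, most frequent first. Reads log text on stdin.
# The address is taken as the field right after the literal word "from", so
# both "for root from X" and "for invalid user games from X" are handled.
failed_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
             for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# offenders THRESHOLD: addresses whose failure count is >= THRESHOLD,
# one per line. Reads log text on stdin.
offenders() {
    failed_by_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

# block_commands THRESHOLD: emit (not execute) the pfctl commands that would
# add each offender to a pf table. The table name "bruteforce" is an assumption
# and must match a rule in pf.conf, for example:
#   table <bruteforce> persist
#   block in quick on $ext_if from <bruteforce>
block_commands() {
    offenders "$1" | while read -r ip; do
        printf 'pfctl -t bruteforce -T add %s\n' "$ip"
    done
}

# Usage: run against the constructed sample with a threshold of 5 failures.
printf '%s\n' "$SAMPLE_LOG" | failed_by_ip
printf '%s\n' "$SAMPLE_LOG" | block_commands 5
```

On a real box this would be fed from the nightly security output or from a log tail, and the generated commands reviewed before being applied, since a typo in the table name or threshold locks out the wrong address. pf can also do the rate limiting without any log parsing at all, by putting a `max-src-conn-rate` option with an `overload <bruteforce>` clause on the pass rule for port 22, which covers connection floods that never reach the password prompt; the log-based approach above is the complement to that for failures sshd itself reports.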