From: "Daniel O'Connor"
To: freebsd-hackers@freebsd.org
Cc: jruohonen@iki.fi, krad
Date: Sat, 3 Oct 2009 23:56:54 +0930
Subject: Re: Distributed SSH attack
Message-Id: <200910032357.02207.doconnor@gsoft.com.au>
References: <20091002201039.GA53034@flint.openpave.org> <20091003081335.GA19914@marx.net.bit>

On Sat, 3 Oct 2009, krad wrote:
> simplest thing to do is disable password auth, and use key based.

Your logs are still full of crap though.
I find sshguard works well, and I am fairly sure you couldn't spoof a
valid TCP connection through pf sanitising so it would be difficult
(nigh-impossible?) for someone to cause you to block a legit IP.

If you can, changing the port sshd runs on is by far the simplest
workaround. Galling as it is to have to change stuff to work around
malicious assholes..

--
Daniel O'Connor software and network engineer
for Genesis Software - http://www.gsoft.com.au
"The nice thing about standards is that there are
so many of them to choose from."
  -- Andrew Tanenbaum
GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C
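The per-source tally that a tool like sshguard makes over sshd's auth log, as an added example that is not part of this thread or of sshguard itself. The log lines are constructed (RFC 5737 documentation addresses), and the pf table name `sshguard` is an assumption; the script only prints the pfctl commands rather than running them.

```shell
#!/bin/sh
# Constructed sshd auth.log sample (RFC 5737 documentation addresses, not real sources).
SAMPLE_LOG='Oct  3 23:50:01 gw sshd[4011]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
Oct  3 23:50:03 gw sshd[4011]: Failed password for invalid user admin from 192.0.2.10 port 51240 ssh2
Oct  3 23:50:04 gw sshd[4013]: Failed password for root from 192.0.2.10 port 51251 ssh2
Oct  3 23:50:09 gw sshd[4020]: Failed password for root from 198.51.100.7 port 40112 ssh2
Oct  3 23:50:15 gw sshd[4025]: Failed password for invalid user test from 203.0.113.44 port 3345 ssh2
Oct  3 23:50:20 gw sshd[4030]: Accepted publickey for dan from 192.0.2.99 port 52000 ssh2'

# Read sshd log lines on stdin; print "count ip" for each source with at
# least $1 failed password attempts (default 3), busiest first.
failed_by_source() {
    awk -v t="${1:-3}" '
        /sshd\[[0-9]+\]: Failed password for / && match($0, / from [0-9A-Fa-f:.]+ port /) {
            ip = substr($0, RSTART + 6, RLENGTH - 12)   # strip " from " and " port "
            n[ip]++
        }
        END { for (ip in n) if (n[ip] >= t) print n[ip], ip }' | sort -rn
}

# Number of distinct sources behind failed attempts. Many sources with one or
# two attempts each is the distributed pattern that a per-IP threshold never
# trips, which is why key-only auth matters more than any blocking rule.
distinct_failed_sources() {
    failed_by_source 1 | wc -l | tr -d ' '
}

# Emit (do not run) the pfctl commands that would add offenders to the pf
# table; "sshguard" is the table name assumed here, matching a pf.conf line
#   table <sshguard> persist
block_commands() {
    failed_by_source "${1:-3}" | while read -r count ip; do
        printf 'pfctl -t sshguard -T add %s   # %s failures\n' "$ip" "$count"
    done
}

printf '%s\n' "$SAMPLE_LOG" | failed_by_source 3
printf '%s\n' "$SAMPLE_LOG" | block_commands 3
```

Run on the sample, only 192.0.2.10 crosses the threshold while three distinct sources are failing; on a real distributed run the second number climbs while the first list stays short.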