Date: Mon, 05 Oct 2009 15:50:57 +0200
From: Marian Hettwer <MH@kernel32.de>
To: olli hauer <ohauer@gmx.de>
Cc: des@des.no, smithi@nimnet.asn.au, freebsd-security@freebsd.org
Subject: Re: openssh concerns
Message-ID: <4AC9F9C1.9030702@kernel32.de>
In-Reply-To: <20091003121830.GA15170@sorry.mine.nu>
Hej All,

olli hauer wrote:
>>> http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
>>> provides a reasonably useful list of ports NOT to choose for an
>>> obscure ssh port.
>>>
>> In practice, you have no choice but to use something like 443 or 8080,
>> because corporate firewalls often block everything but a small number
>> of ports (usually 20, 22, 80, 443, 8080, and odds are that 20, 80 and
>> 8080 go through a transparent proxy)
>>
>
> This may work if the firewall does only port and no additional protocol
> filtering. For many products used in corporate environments it is even
> possible to filter ssh v1, skype, stunnel, openvpn with a very high
> success rate within the first packets on the wire.
>
> In the case of the ssh server take a look at these parameters
> - LoginGraceTime
> - MaxAuthTries
> - MaxSessions
> - MaxStartups
>

I think nobody mentioned the overload rules from pf(4). I keep away most
of the tried attempts by using it. Setup is pretty easy:

    table <ssh-spammer> persist

    pass quick log proto { tcp, udp } from any to any port ssh label "ssh-brute" \
        flags S/SA keep state \
        (max-src-conn 15, max-src-conn-rate 10/30, \
         overload <ssh-spammer> flush global)

Obviously, read pf.conf(5) to check what you might want to configure WRT
max-src-conn and max-src-conn-rate.

These rules in combination with enforced key authentication should keep
your logfiles clean and your host secured. No need to go to another tcp
port.

Cheers,
Marian
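A complete pf.conf fragment built around the overload rule above, as an added example that is not from the original mail or from the pf project. The interface macro, the admin addresses and the block rule that references the table are assumptions of mine; the mail itself shows only the table and the pass rule.

```pf
# Added example (not from the original mail). Interface and admin
# addresses are constructed placeholders; adjust to your host.
ext_if = "em0"
admins = "{ 192.0.2.10, 198.51.100.0/24 }"   # constructed sample addresses

# Offenders collected by the overload option. "persist" keeps the table
# alive even while it is empty.
table <ssh-spammer> persist

# Trusted hosts are exempt from the rate limits, so an administrator
# cannot lock themselves out by running too many sessions or scripts.
pass in quick on $ext_if proto tcp from $admins to ($ext_if) port ssh \
    flags S/SA keep state

# The table by itself blocks nothing: overload only adds addresses to it.
# This rule is what actually drops traffic from listed sources, and it
# sits before the general pass rule so that "quick" stops evaluation here.
block in quick log on $ext_if from <ssh-spammer> to any

# Everyone else: at most 15 concurrent connections and 10 new connections
# per 30 seconds per source address. Exceeding either limit adds the
# source to the table, and "flush global" kills all of its existing states.
pass in quick log on $ext_if proto tcp from any to ($ext_if) port ssh \
    label "ssh-brute" flags S/SA keep state \
    (max-src-conn 15, max-src-conn-rate 10/30, \
     overload <ssh-spammer> flush global)

# Inspecting and ageing the table (run from a shell or cron, not pf.conf):
#   pfctl -t ssh-spammer -T show
#   pfctl -t ssh-spammer -T expire 86400     # drop entries older than a day
#   pfctl -t ssh-spammer -T delete 192.0.2.10
```

Without the expire step the table grows without bound, so a daily cron entry for it is the usual companion to this rule.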
