From: Marian Hettwer
Date: Mon, 05 Oct 2009 15:50:57 +0200
To: olli hauer
Cc: des@des.no, smithi@nimnet.asn.au, freebsd-security@freebsd.org
Subject: Re: openssh concerns
Message-ID: <4AC9F9C1.9030702@kernel32.de>
In-Reply-To: <20091003121830.GA15170@sorry.mine.nu>

Hej All,

olli hauer wrote:
>>> http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
>>> provides a reasonably useful list of ports NOT to choose for an obscure
>>> ssh port.
>>>
>> In practice, you have no choice but to use something like 443 or 8080,
>> because corporate firewalls often block everything but a small number of
>> ports (usually 20, 22, 80, 443, 8080, and odds are that 20, 80 and 8080
>> go through a transparent proxy)
>>
>
> This may work if the firewall does only port and no additional protocol
> filtering. For many products used in corporate environments it is even
> possible to filter ssh v1, skype, stunnel, openvpn with a very high
> success rate within the first packets on the wire.
>
> In case for the ssh server take a look into these parameters
> - LoginGraceTime
> - MaxAuthTries
> - MaxSessions
> - MaxStartups
>

I think nobody mentioned the overload rules from pf(4). I keep away most
of the tried attempts by using it. Setup is pretty easy:

    # <ssh-brute> is assumed: the table name was lost in the archive rendering
    table <ssh-brute> persist
    # block rule (not in the original post) needed for the overload table to bite
    block in quick from <ssh-brute>
    # ssh is tcp only; pf accepts "flags" only on tcp rules
    pass quick log proto tcp from any to any port ssh label "ssh-brute" \
        flags S/SA keep state \
        (max-src-conn 15, max-src-conn-rate 10/30, \
         overload <ssh-brute> flush global)

Obviously, read pf.conf(5) to check what you might want to configure WRT
max-src-conn and max-src-conn-rate.

These rules in combination with enforced key authentication should keep
your logfiles clean and your host secured. No need to go to another tcp
port.

Cheers,
Marian
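As an added illustration (not part of the mail above and not pf's own code), the script below replays constructed connection events against the two thresholds in the posted rule, max-src-conn 15 and max-src-conn-rate 10/30, and reports which sources would end up in the overload table. It assumes an exact sliding window for the rate check, whereas the pf kernel uses a decaying counter, so the exact moment a source trips is an approximation.

```python
from collections import defaultdict, deque

# Thresholds taken from the pf rule in the mail above.
MAX_SRC_CONN = 15                  # max-src-conn 15: concurrent states per source
RATE_LIMIT, RATE_WINDOW = 10, 30   # max-src-conn-rate 10/30: new conns per 30 s


def find_overloaded(events, max_src_conn=MAX_SRC_CONN,
                    rate_limit=RATE_LIMIT, rate_window=RATE_WINDOW):
    """Replay (time, source, 'open'|'close') events and return
    {source: (time, reason)} for sources that would land in the overload table.
    Assumption: an exact sliding window stands in for pf's decaying counter."""
    open_conns = defaultdict(int)   # live states per source
    recent = defaultdict(deque)     # open timestamps inside the rate window
    overloaded = {}
    for t, src, kind in sorted(events):
        if src in overloaded:
            continue                # already in the table: the block rule drops it
        if kind == "close":
            open_conns[src] = max(0, open_conns[src] - 1)
            continue
        window = recent[src]
        while window and t - window[0] >= rate_window:
            window.popleft()
        window.append(t)
        open_conns[src] += 1
        # pf trips a limit when the count strictly exceeds it
        if len(window) > rate_limit:
            overloaded[src] = (t, "max-src-conn-rate")
        elif open_conns[src] > max_src_conn:
            overloaded[src] = (t, "max-src-conn")
    return overloaded


def sample_events():
    """Constructed sample traffic (RFC 5737 documentation addresses)."""
    events = [(i * 2, "203.0.113.5", "open") for i in range(12)]   # 12 opens in 22 s
    events += [(i * 8, "192.0.2.9", "open") for i in range(16)]    # 16 held open, 8 s apart
    events += [(0, "198.51.100.7", "open"), (300, "198.51.100.7", "close"),
               (600, "198.51.100.7", "open"), (900, "198.51.100.7", "close")]
    return events


if __name__ == "__main__":
    for src, (t, reason) in find_overloaded(sample_events()).items():
        print(f"{src} overloaded at t={t}s ({reason})")
```

pf counts a TCP connection toward these limits only once the handshake completes, so half-open SYN probes do not trip them; with flush global, every state from the offending source is torn down, which the script models by ignoring a source once it is listed.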