From owner-freebsd-questions@FreeBSD.ORG Tue Nov 4 15:31:56 2014
From: Lowell Gilbert
To: Hasse Hansson
Cc: freebsd-questions@freebsd.org
Subject: Re: sshguard pf
Date: Tue, 04 Nov 2014 10:31:42 -0500
Message-ID: <44vbmv6kyp.fsf@lowell-desk.lan>
In-Reply-To: <20141104110202.GA37003@ymer.thorshammare.org> (Hasse Hansson's message of "Tue, 4 Nov 2014 12:02:02 +0100")
References: <20141102154444.GA42429@ymer.thorshammare.org> <54581F0E.4080404@a1poweruser.com> <20141104110202.GA37003@ymer.thorshammare.org>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (berkeley-unix)

Hasse Hansson writes:

> I'm aware of changing port for ssh, but I see it as a little bit of "giving up"
> Gotta be some rather easy way of just blocking those attacks. Other than blocking
> whole of CN and half of Asia. I've tried that too. It stopped the attacks and gave
> me some room to think it over.
Changing the port won't help you avoid attacks that might succeed, but it will substantially reduce the clutter that you need to look through. I don't do it because I've had problems with paranoid networks blocking everything but a few special ports, where ssh is one of the allowed ones, but I don't know if anybody's still doing anything that silly.

> But I still wonder why sshguard or pf don't block those attacks.
> sshguard does its job on other probes, but not the root logins. PF doesn't seem
> to do much at all.

Firewalls won't help detect the attack. They can be used to keep someone out once the attack has been detected. I don't know sshguard, so I can't tell you why it isn't working for you, but there certainly are ports that can do so. I use bruteblock, for example, but I know there are several other options that do the same thing.
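The split Lowell describes (a log watcher detects the brute-force attempt, pf only enforces the block) as an added illustration that is not code from this thread, from sshguard or from bruteblock: a small Python detector over constructed sshd log lines that counts failed logins per source address, applies a lower threshold for repeated root attempts, and emits the pfctl table commands a blocker would run. The table name `bruteforce`, the `$ext_if` macro and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in FreeBSD sshd/auth.log format (not from the thread).
SAMPLE_AUTH_LOG = """\
Nov  4 10:12:01 ymer sshd[1201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Nov  4 10:12:03 ymer sshd[1203]: Failed password for root from 203.0.113.7 port 51236 ssh2
Nov  4 10:12:05 ymer sshd[1205]: Failed password for root from 203.0.113.7 port 51238 ssh2
Nov  4 10:12:09 ymer sshd[1209]: Failed password for invalid user admin from 198.51.100.9 port 40001 ssh2
Nov  4 10:12:11 ymer sshd[1211]: Accepted publickey for hasse from 192.0.2.10 port 22000 ssh2
Nov  4 10:12:30 ymer sshd[1220]: Failed password for root from 203.0.113.7 port 51240 ssh2
"""

# Matches both the "invalid user" form and the plain form of a failed password.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)

# pf side of the split: a persistent table plus a rule that drops SSH from it.
# Table name and interface macro are assumptions, not taken from the thread.
PF_RULES = """\
table <bruteforce> persist
block in quick on $ext_if proto tcp from <bruteforce> to any port ssh
"""

def failed_logins(log_text):
    """Return {source_ip: {user: failed_attempts}} for the given sshd log text."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.groups()
            counts[ip][user] += 1
    return {ip: dict(users) for ip, users in counts.items()}

def hosts_to_block(log_text, threshold=5, root_threshold=3):
    """Source addresses over the total-failure threshold, or over a lower
    threshold for repeated root attempts (the case the thread is about)."""
    blocked = []
    for ip, users in failed_logins(log_text).items():
        total = sum(users.values())
        if total >= threshold or users.get("root", 0) >= root_threshold:
            blocked.append(ip)
    return sorted(blocked)

def pfctl_commands(ips, table="bruteforce"):
    """The commands a blocker would run to feed detected hosts into the pf table."""
    return [f"pfctl -t {table} -T add {ip}" for ip in ips]
```

Running `pfctl_commands(hosts_to_block(SAMPLE_AUTH_LOG))` on the sample yields one add command for 203.0.113.7; the single failure from 198.51.100.9 stays below both thresholds.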