From owner-freebsd-questions@FreeBSD.ORG Tue Nov 4 20:23:35 2014
Message-ID: <545935C3.4080806@gmail.com>
Date: Tue, 04 Nov 2014 13:23:31 -0700
From: jd1008
To: freebsd-questions@freebsd.org
Subject: Re: sshguard pf
References: <20141102154444.GA42429@ymer.thorshammare.org> <54581F0E.4080404@a1poweruser.com> <20141104110202.GA37003@ymer.thorshammare.org> <44vbmv6kyp.fsf@lowell-desk.lan> <20141104193652.GA3062@ymer.thorshammare.org>
In-Reply-To: <20141104193652.GA3062@ymer.thorshammare.org>

On 11/04/2014 12:36 PM, Charlie Root wrote:
> On Tue, Nov 04, 2014 at 10:31:42AM -0500, Lowell Gilbert wrote:
>> Hasse Hansson writes:
>>
>>> I'm aware of changing the port for ssh, but I see it as a little bit of "giving up".
>>> Gotta be some rather easy way of just blocking those attacks. Other than blocking
>>> the whole of CN and half of Asia. I've tried that too. It stopped the attacks and gave
>>> me some room to think it over.
>> Changing the port won't help you avoid attacks that might succeed, but
>> it will substantially reduce the clutter that you need to look through.
>>
>> I don't do it because I've had problems with paranoid networks blocking
>> everything but a few special ports, where ssh is one of the allowed
>> ones, but I don't know if anybody's still doing anything that silly.
>>
>>> But I still wonder why sshguard or pf don't block those attacks.
>>> sshguard does its job on other probes, but not the root logins. PF doesn't seem
>>> to do much at all.
>> Firewalls won't help detect the attack. They can be used to keep someone
>> out once the attack has been detected. I don't know sshguard, so I can't
>> tell you why it isn't working for you, but there certainly are ports
>> that can do so. I use bruteblock, for example, but I know there are
>> several other options that do the same thing.
> Thank you all for your answers and effort to help.
>
> I'm interested in trying out bruteblock, but a little bit confused. (not unusual)
>
> Does "bruteblock" require me to run ipfw2 as my firewall?
>
> Bruteblock is written in pure C, doesn't use any
> external programs and works with ipfw2 tables via the raw sockets API.
>
>
> /hasse

How about creating a firewall rule that allows ssh only from known IP
addresses, in addition to changing the port number? Yes, I know, IP
addresses can be spoofed, but as Charlie says, it will reduce the crap
you have to deal with.
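The split Lowell describes (the log watcher detects, the firewall enforces) and jd1008's allow-list idea can be put together with pf alone, without bruteblock or ipfw2. The script below is an added example written for this thread; it is not code from the list posters, from sshguard, or from bruteblock. It parses sshd's "Failed password" lines from /var/log/auth.log, counts failed root and invalid-user attempts per source address, and feeds repeat offenders into a pf table that pf.conf blocks. The interface name em0, the table names <trusted> and <sshbrute>, the threshold of 3, and the sample log lines are all assumptions made up for the example; only the pfctl and pf.conf syntax is real.

```shell
#!/bin/sh
# Added example for the "sshguard pf" thread; not from the posters or any
# project. Detects repeated failed root / invalid-user ssh logins in
# auth.log and pushes the sources into a pf table.
#
# Assumed pf.conf counterpart (em0 and the table names are hypothetical):
#   ext_if = "em0"
#   table <trusted> { 192.0.2.10, 198.51.100.0/24 }  # known admin hosts
#   table <sshbrute> persist                         # filled by this script
#   block in quick on $ext_if from <sshbrute>
#   pass in on $ext_if proto tcp from <trusted> to ($ext_if) port 22 \
#       flags S/SA keep state
#   # Optional: let pf rate-limit sources before they ever reach the log.
#   pass in on $ext_if proto tcp to ($ext_if) port 22 flags S/SA keep state \
#       (max-src-conn-rate 5/30, overload <sshbrute> flush global)

# Constructed sample lines in OpenSSH's auth.log format (not real traffic).
SAMPLE_LOG='Nov  4 12:20:01 ymer sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Nov  4 12:20:03 ymer sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Nov  4 12:20:05 ymer sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Nov  4 12:20:07 ymer sshd[1203]: Failed password for root from 203.0.113.5 port 51240 ssh2
Nov  4 12:20:09 ymer sshd[1204]: Invalid user admin from 198.51.100.7
Nov  4 12:20:09 ymer sshd[1204]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2
Nov  4 12:20:12 ymer sshd[1206]: Failed password for invalid user oracle from 198.51.100.7 port 40002 ssh2
Nov  4 12:21:00 ymer sshd[1210]: Accepted publickey for hasse from 192.0.2.10 port 50000 ssh2
Nov  4 12:21:30 ymer sshd[1211]: Received disconnect from 203.0.113.9: 11: Bye Bye'

# ssh_offenders [THRESHOLD]  < auth.log
# Prints, sorted, every source address with at least THRESHOLD (default 3)
# "Failed password for root" or "Failed password for invalid user" lines.
# Only sshd lines are considered; the address is the field after "from".
ssh_offenders() {
    threshold="${1:-3}"
    awk -v t="$threshold" '
        /sshd\[[0-9]+\]: Failed password for (root|invalid user .*) from / {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= t) print ip }
    ' | sort
}

# pf_block [TABLE]  < list-of-addresses
# Adds each address to the pf table (default sshbrute) and kills any state
# it already holds, so an in-progress session is cut too. Needs root and a
# running pf; on a host without pfctl it just reports and returns 0 so the
# parsing above can still be exercised anywhere.
pf_block() {
    table="${1:-sshbrute}"
    if ! command -v pfctl >/dev/null 2>&1; then
        echo "pfctl not found; nothing blocked" >&2
        return 0
    fi
    while read -r ip; do
        [ -n "$ip" ] || continue
        pfctl -t "$table" -T add "$ip"
        pfctl -k "$ip"
    done
}

# Usage as root, e.g. from cron every few minutes:
#   ssh_offenders 3 < /var/log/auth.log | pf_block sshbrute
# Run against the constructed sample instead:
#   printf '%s\n' "$SAMPLE_LOG" | ssh_offenders 3
```

With the sample above, `ssh_offenders 3` reports only 203.0.113.5 (four root failures); 198.51.100.7 has two invalid-user failures and stays below the threshold until you lower it to 2. Addresses in <trusted> are still allowed by the earlier pass rule even if they land in <sshbrute>, because `block in quick` is evaluated first; if you want the allow-list to win, put the `<trusted>` pass rule above the block with `quick`, or exclude <trusted> from the block rule.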