Date: Tue, 04 Nov 2014 13:23:31 -0700
From: jd1008 <jd1008@gmail.com>
To: freebsd-questions@freebsd.org
Subject: Re: sshguard pf
Message-ID: <545935C3.4080806@gmail.com>
In-Reply-To: <20141104193652.GA3062@ymer.thorshammare.org>
References: <20141102154444.GA42429@ymer.thorshammare.org> <54581F0E.4080404@a1poweruser.com> <20141104110202.GA37003@ymer.thorshammare.org> <44vbmv6kyp.fsf@lowell-desk.lan> <20141104193652.GA3062@ymer.thorshammare.org>
On 11/04/2014 12:36 PM, Charlie Root wrote:
> On Tue, Nov 04, 2014 at 10:31:42AM -0500, Lowell Gilbert wrote:
>> Hasse Hansson <hasse@thorshammare.org> writes:
>>
>>> I'm aware of changing port for ssh, but I see it as a little bit of "giving up".
>>> Gotta be some rather easy way of just blocking those attacks. Other than blocking
>>> whole of CN and half of Asia. I've tried that too. It stopped the attacks and gave
>>> me some room to think it over.
>> Changing the port won't help you avoid attacks that might succeed, but
>> it will substantially reduce the clutter that you need to look through.
>>
>> I don't do it because I've had problems with paranoid networks blocking
>> everything but a few special ports, where ssh is one of the allowed
>> ones, but I don't know if anybody's still doing anything that silly.
>>
>>> But I still wonder why sshguard or pf don't block those attacks.
>>> sshguard does its job on other probes, but not the root logins. PF doesn't seem
>>> to do much at all.
>> Firewalls won't help detect the attack. They can be used to keep someone
>> out once the attack has been detected. I don't know sshguard, so I can't
>> tell you why it isn't working for you, but there certainly are ports
>> that can do so. I use bruteblock, for example, but I know there are
>> several other options that do the same thing.
> Thank you all for your answers and effort to help.
>
> I'm interested in trying out bruteblock, but a little bit confused. (not unusual)
>
> Does "bruteblock" require me to run ipfw2 as my firewall?
> <snip from pkg-descr>
> Bruteblock is written in pure C, doesn't use any
> external programs and works with ipfw2 tables via raw sockets API.
> </snip>
>
> /hasse

How about creating a firewall rule that allows ssh only from known IP addresses, in addition to changing the port number? Yes, I know, IP addresses can be spoofed, but as Charlie says, it will reduce the crap you have to deal with.
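As an added illustration of the last suggestion (this is not code from any poster in the thread, nor from the sshguard or bruteblock projects), here is what "ssh only from known addresses, on a non-default port" looks like as a pf.conf fragment on FreeBSD. The interface name, port number, table names and the address file path are assumed placeholders. The overload clause is pf's own built-in connection-rate limiting, which goes a bit beyond the thread: it is the one thing pf can do against ssh hammering on its own, because pf only ever sees TCP connections, never sshd's authentication failures.

```pf
# Added example pf.conf fragment. em0, 2222, the table names and
# /etc/pf.ssh_admins are assumed placeholders, not values from the thread.
ext_if   = "em0"
ssh_port = "2222"      # non-default sshd port; must match "Port 2222" in sshd_config

# Known administrator source addresses, kept in a file so the list can be
# swapped with "pfctl -t ssh_admins -T replace -f /etc/pf.ssh_admins"
# without reloading the whole ruleset.
table <ssh_admins> persist file "/etc/pf.ssh_admins"

# Sources that exceed the connection-rate limit below are added here by pf
# itself; no log-watching daemon is involved.
table <ssh_bruteforce> persist

set skip on lo0
block in log on $ext_if                      # default deny for inbound traffic

# Anything already flagged as a brute-forcer is dropped before any pass rule.
block in quick on $ext_if from <ssh_bruteforce>

# ssh from the known addresses is allowed, but still rate-limited: at most
# 10 concurrent connections and 5 new ones per 30 seconds per source.  A
# source that exceeds that is put in <ssh_bruteforce> and its existing
# states are flushed, so a compromised or spoofed "trusted" host is cut off.
pass in quick on $ext_if proto tcp from <ssh_admins> to ($ext_if) port $ssh_port \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 5/30, overload <ssh_bruteforce> flush global)

# Everything else aimed at the ssh port already falls under the default
# deny; this explicit rule just makes the intent visible and logs the hits.
block in log quick on $ext_if proto tcp to ($ext_if) port $ssh_port
```

Two practical notes. Entries in <ssh_bruteforce> never age out by themselves; a cron job running `pfctl -t ssh_bruteforce -T expire 86400` clears ones older than a day. And if you cannot enumerate every admin source address, change `from <ssh_admins>` to `from any` and keep the overload clause: that is the closest pf alone gets to what sshguard or bruteblock do, since, as Lowell says above, the firewall cannot detect the failed root logins itself; it only acts on connection behaviour, and a tool that reads sshd's log and feeds a table is still needed to react to authentication failures.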