Message-ID: <48E1BCC4.60207@infracaninophile.co.uk>
Date: Tue, 30 Sep 2008 06:44:36 +0100
From: Matthew Seaman
Organization: Infracaninophile
To: Jeremy Chadwick
Cc: freebsd-hackers@freebsd.org, Rich Healey
Subject: Re: SSH Brute Force attempts
References: <48E16E93.3090601@gmail.com> <20080930033033.GA35849@icarus.home.lan>
In-Reply-To: <20080930033033.GA35849@icarus.home.lan>
List-Id: Technical Discussions relating to FreeBSD

Jeremy Chadwick wrote:
> You naturally have to keep pf.conf.ssh-* in sync if you have multiple
> machines.
> You can use pfsync(4) to accomplish this task (I think), or
> you can do it the obvious way (make a central distribution box that
> scp/rsync's the files out and runs "/etc/rc.d/pf reload").

pfsync synchronises the dynamic state sessions between machines -- i.e.
basically what you see by doing 'pfctl -ss'. It doesn't, as far as I know,
synchronise table contents even if the table changes are themselves
dynamically generated in response to traffic. rsync is your friend here.

As for blocking based on geographical source of IPs -- I see where you're
coming from, but you've missed out one of the largest territories that is
the source of this sort of thing, namely the USA.

The best strategy IMHO is to foil the automated password guessers by not
using passwords. SSH key based auth works nicely, is easy to set up and use
and is unfeasible to break by trial and error across a remote network
connection. Using firewall blocking on top of this is still useful (to
reduce the noise in the log files and stop system resources being sucked
up by SSH's crypto requirements) but it shouldn't be a necessity.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard, Flat 3
Ramsgate, Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
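As an added illustration (not code from the thread or from either poster): a shell function that turns the sshd failure noise the reply mentions into a pf table file, i.e. the kind of pf.conf.ssh-* file you would rsync out and load with pfctl, since pfsync will not carry table contents. The log lines are constructed to resemble FreeBSD sshd messages, and the table name "bruteforce" is an assumption.

```shell
#!/bin/sh
# Added example: build a pf table file from sshd auth log lines.
# Constructed sample log (not real data); written to a temp file so the
# function below can be run against it offline.
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Sep 30 05:01:02 gw sshd[1234]: Failed password for root from 192.0.2.10 port 4432 ssh2
Sep 30 05:01:05 gw sshd[1234]: Failed password for invalid user admin from 192.0.2.10 port 4433 ssh2
Sep 30 05:01:09 gw sshd[1235]: Invalid user oracle from 192.0.2.10
Sep 30 05:02:10 gw sshd[1240]: Failed password for root from 198.51.100.7 port 5000 ssh2
Sep 30 05:03:00 gw sshd[1250]: Accepted publickey for matthew from 203.0.113.5 port 6000 ssh2
EOF

# build_block_table LOGFILE THRESHOLD
# Prints one IPv4 address per line for every source that produced at least
# THRESHOLD failed-password or invalid-user events. Successful key logins
# ("Accepted publickey") are deliberately not counted. One address per line
# is the format "pfctl -T replace -f FILE" reads, so the output can be
# distributed with rsync and loaded on each host.
build_block_table() {
    grep -E 'sshd\[[0-9]+\]: (Failed password for|Invalid user) ' "$1" \
      | sed -E 's/.* from ([0-9]+(\.[0-9]+){3})( .*)?$/\1/' \
      | sort | uniq -c \
      | awk -v t="$2" '$1 >= t { print $2 }'
}

# Stand-alone run against the constructed log: sources with 3+ failures.
build_block_table "$SAMPLE_LOG" 3

# How the result would be used on a real host (not executed here; the table
# name "bruteforce" is assumed, the file name follows the thread's pattern):
#   build_block_table /var/log/auth.log 5 > /etc/pf.conf.ssh-bruteforce
#   pfctl -t bruteforce -T replace -f /etc/pf.conf.ssh-bruteforce
```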