From: krad
To: J65nko
Cc: David Rawling, "freebsd-questions@FreeBSD.ORG"
Date: Sat, 2 Jan 2010 12:01:21 +0000
Subject: Re: Blocking a slow-burning SSH bruteforce

2010/1/1 J65nko

> After some posts a discussion on the freebsd-stable mailing list goes into
> several approaches to deal with these SSH probes.
>
> See
> http://lists.freebsd.org/pipermail/freebsd-stable/2009-December/053326.html
>
> You still could allow outgoing ssh traffic on port 22 and allow
> incoming SSH on another port.
>
> Adriaan

One thing I have done in the past is severely lock down ssh to a small set of IPs with pf. I then ran OpenVPN to allow me to access from random places, and left the ACL on that fairly loose. Everything was also based on keys and certs.

Another way to do it is to purchase a cheap shell somewhere, and use it to bounce off to get to your box. Your machine can then be ACL'ed up well. Make sure to use agent forwarding though, just in case anyone is running key logging etc. on the remote shell.
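
The pf lock-down described in the reply above, sketched as an added pf.conf fragment that is not part of the original message: SSH is accepted only from a short allow-list and from VPN clients, while the OpenVPN port stays open to any source. The interface names, addresses (documentation ranges), VPN subnet and OpenVPN port are assumptions to be replaced with local values.

```conf
# /etc/pf.conf fragment (added example; every value below is an assumption)
ext_if  = "em0"                 # external interface
vpn_if  = "tun0"                # OpenVPN tunnel interface
vpn_net = "10.8.0.0/24"         # subnet handed out to VPN clients

# Small, fixed set of addresses allowed to reach sshd directly.
# "persist" keeps the table even when no rule references it, so it can
# be maintained at run time with: pfctl -t ssh_admins -T add <address>
table <ssh_admins> persist { 192.0.2.10, 198.51.100.0/28 }

set skip on lo0

# Default deny for inbound traffic; log drops so the probes stay visible
# in pflog. Outbound traffic is left unrestricted here.
block in log all
pass out keep state

# Loose rule this replaces (sshd reachable from anywhere):
#   pass in on $ext_if proto tcp to ($ext_if) port 22

# Tight ACL: direct SSH only from the allow-list.
pass in on $ext_if proto tcp from <ssh_admins> to ($ext_if) port 22 \
    flags S/SA keep state

# Loose ACL: OpenVPN reachable from any address. Access control for it
# rests on the certificates and keys, not on the source IP.
pass in on $ext_if proto udp from any to ($ext_if) port 1194 keep state

# Once authenticated to the VPN, clients reach sshd through the tunnel.
pass in on $vpn_if proto tcp from $vpn_net to ($vpn_if) port 22 \
    flags S/SA keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and keep an existing session or console access open while testing so a mistake in the allow-list does not lock you out.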