Date: Mon, 21 Aug 2006 15:11:25 +0200 (CEST)
From: Oliver Fromme <olli@lurza.secnetix.de>
To: freebsd-security@FreeBSD.ORG
Subject: Re: SSH scans vs connection ratelimiting
Message-ID: <200608211311.k7LDBPms032155@lurza.secnetix.de>
In-Reply-To: <44E76B21.8000409@thedarkside.nl>
Personally I have solved the problem in a different way. I let sshd listen on port 22 as well as a different port (e.g. 322). In the packet filter configuration (IPFW in my case) the alternate port is open from anywhere, but port 22 is restricted to a few well-known IPs. Most of those automated SSH scans only scan networks on port 22 (for efficiency, I assume), so they never hit the alternate port. If they scan port 22, they're dropped silently.

The result is that I get zero scans in my logs and the nightly reports. I can log into the machines normally from my usual workstations. And if I'm somewhere where port 22 isn't allowed, I can still log in using the alternate port number. In fact, I could get rid of port 22 altogether. You can set the default port number per host in ~/.ssh/config, so you don't have to type the port number every time.

Note that this is _not_ a security measure (it would only be "security by obscurity" anyway). It's only to get rid of the annoying scans. You still have to use good passwords (or use other authentication, such as ssh keys), and make sure that you do not allow root (or other pseudo users) login via ssh passwords.

Best regards
Oliver

PS: I try to avoid things like automatic blocking of IP addresses. They can be dangerous, because such automatisms can be used to run DoS attacks against you, by spoofing source IPs. Whitelists can help a bit, but you still have to be extremely careful. I know one case where someone had a similar setup, blocking IPs completely (not just port 22) if there had been too many connection attempts. He whitelisted the IP addresses of the workstations from which he was usually connecting with ssh, and so he assumed he was safe. Well, until a "friend" of his ran an SSH scan against the machine, spoofing the IP addresses of his DNS servers, in effect putting the machine offline. :-)

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Services with a focus on FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author and may not necessarily reflect the opinions of secnetix in any way.

I suggested holding a "Python Object Oriented Programming Seminar", but the acronym was unpopular. -- Joseph Strout
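The layout described above (sshd on port 22 plus an alternate port, with IPFW admitting port 22 only from a short static whitelist and the alternate port from anywhere), as an added example that is not from the original message or from secnetix: a small sh script that prints the IPFW rules for a given whitelist and alternate port, with the matching sshd_config and ~/.ssh/config lines in comments. The addresses (documentation ranges), the alternate port 322, the host name and the rule numbers are assumptions; the whitelist is static on purpose, so nothing gets blocked automatically on the strength of a spoofable source address.

```shell
#!/bin/sh
# Added example: IPFW rules for "sshd on 22 + alternate port".
# Assumed: whitelisted admin sources 192.0.2.10 and 198.51.100.0/24
# (documentation ranges), alternate port 322, rule numbers from 1000.
# The rest of the ruleset is assumed to pass established TCP traffic
# (e.g. "allow tcp from any to any established"); only SYNs are filtered here.
#
# /etc/ssh/sshd_config needs one Port line per port:
#   Port 22
#   Port 322
#   PermitRootLogin no
#   PasswordAuthentication no    # or keep passwords, but only strong ones
#
# ~/.ssh/config on the workstation, so no "-p 322" is needed:
#   Host shell.example.org
#       Port 322

# ssh_rules WHITELIST ALT_PORT -> prints ipfw commands, one per line.
# WHITELIST is a space-separated list of addresses or CIDR blocks.
ssh_rules() {
    whitelist=$1
    alt=$2
    n=1000
    for src in $whitelist; do
        echo "ipfw add $n allow tcp from $src to me 22 in setup"
        n=$((n + 1))
    done
    # Everything else aimed at port 22 is dropped silently: no RST, no log line.
    echo "ipfw add $n deny tcp from any to me 22 in setup"
    n=$((n + 1))
    # The alternate port stays reachable from anywhere (normal sshd auth applies).
    echo "ipfw add $n allow tcp from any to me $alt in setup"
}

# count_rules WHITELIST ALT_PORT -> number of rules emitted (whitelist entries + 2)
count_rules() {
    ssh_rules "$1" "$2" | wc -l | tr -d ' '
}

WHITELIST="192.0.2.10 198.51.100.0/24"
ALT_PORT=322

# Print the rules by default; APPLY=1 hands them to ipfw (run as root on FreeBSD).
if [ "${APPLY:-0}" = "1" ]; then
    ssh_rules "$WHITELIST" "$ALT_PORT" | sh
else
    ssh_rules "$WHITELIST" "$ALT_PORT"
fi
```

Review the printed rules first; `APPLY=1 sh ssh_rules.sh` only installs them, it does not flush or replace the existing ruleset.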