From: Oliver Fromme
To: freebsd-security@FreeBSD.ORG
Date: Mon, 21 Aug 2006 15:11:25 +0200 (CEST)
Subject: Re: SSH scans vs connection ratelimiting
Message-Id: <200608211311.k7LDBPms032155@lurza.secnetix.de>
In-Reply-To: <44E76B21.8000409@thedarkside.nl>
List-Id: "Security issues [members-only posting]"

Personally I have solved the problem in a different way. I let sshd listen on port 22 as well as a different port (e.g. 322).
In the packet filter configuration (IPFW in my case) the alternate port is open from anywhere, but port 22 is restricted to a few well-known IPs. Most of those automated SSH scans only scan networks on port 22 (for efficiency, I assume), so they never hit the alternate port. If they scan port 22, they're dropped silently.

The result is that I get zero scans in my logs and the nightly reports. I can log into the machines normally from my usual workstations. And if I'm somewhere where port 22 isn't allowed, I can still log in using the alternate port number. In fact, I could get rid of port 22 altogether. You can set the default port number per host in ~/.ssh/config, so you don't have to type the port number every time.

Note that this is _not_ a security measure (it would only be "security by obscurity" anyway). It's only to get rid of the annoying scans. You still have to use good passwords (or use other authentication, such as ssh keys), and make sure that you do not allow root (or other pseudo users) login via ssh passwords.

Best regards
   Oliver

PS: I try to avoid things like automatic blocking of IP addresses. They can be dangerous, because such automatisms can be used to run DoS attacks against you, by spoofing source IPs. Whitelists can help a bit, but you still have to be extremely careful. I know one case where someone had a similar setup, blocking IPs completely (not just port 22) if there had been too many connection attempts. He whitelisted the IP addresses of the workstations from which he was usually connecting with ssh, and so he assumed he was safe. Well, until a "friend" of his ran an SSH scan against the machine, spoofing the IP addresses of his DNS servers, in effect putting the machine offline. :-)

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Services with a focus on FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

I suggested holding a "Python Object Oriented Programming Seminar",
but the acronym was unpopular. -- Joseph Strout
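The two-port scheme described in the post above, as an added example that is not part of Oliver's message or of any FreeBSD project code: a POSIX sh script that generates the IPFW rules (port 22 only from whitelisted addresses, silently denied otherwise, alternate port open from anywhere), the matching sshd_config fragment, and the per-host ~/.ssh/config stanza. The whitelist addresses (RFC 5737 documentation ranges), the host name box.example.org, the alternate port 322, and the rule numbers starting at 1000 are all assumptions chosen for the example. IPFW is first-match, so the script also checks that every whitelist allow precedes the deny; `deny` rather than `reset` is what makes a scanner see a timeout instead of a refused connection.

```shell
#!/bin/sh
# Added example (not from the original post). Emits an ipfw ruleset, an
# sshd_config fragment and a ~/.ssh/config stanza for the two-port scheme.
# All addresses, host names, ports and rule numbers below are assumptions.

ALT_PORT=322                              # assumed alternate sshd port
WHITELIST="192.0.2.10 198.51.100.7"       # constructed RFC 5737 example addresses
HOST="box.example.org"                    # assumed server name

# ipfw rules, in first-match order:
#   one "allow" per whitelisted source for port 22,
#   then "deny" port 22 from anyone else (silent drop, no RST),
#   then "allow" the alternate port from anywhere.
gen_ipfw_rules() {
    alt="$1"; list="$2"; num=1000
    for ip in $list; do
        printf 'ipfw add %d allow tcp from %s to me dst-port 22 in\n' "$num" "$ip"
        num=$((num + 10))
    done
    printf 'ipfw add %d deny tcp from any to me dst-port 22 in\n' "$num"
    num=$((num + 10))
    printf 'ipfw add %d allow tcp from any to me dst-port %s in\n' "$num" "$alt"
}

# sshd_config: listen on both ports; still refuse root logins, as the post
# insists the port trick is not a substitute for proper authentication.
gen_sshd_config() {
    alt="$1"
    printf 'Port 22\nPort %s\nPermitRootLogin no\n' "$alt"
}

# ~/.ssh/config: per-host default port so the alternate port need not be typed.
gen_ssh_client_config() {
    host="$1"; alt="$2"
    printf 'Host %s\n    HostName %s\n    Port %s\n' "$host" "$host" "$alt"
}

# Sanity check on a generated ruleset: the last port-22 allow must come
# before the port-22 deny, otherwise the whitelist is dead (first-match).
check_rule_order() {
    rules="$1"
    deny_line=$(printf '%s\n' "$rules" | grep -n 'deny tcp' | cut -d: -f1)
    last_allow22=$(printf '%s\n' "$rules" | grep -n 'dst-port 22 in' | grep allow | tail -n1 | cut -d: -f1)
    [ -n "$deny_line" ] && [ -n "$last_allow22" ] && [ "$last_allow22" -lt "$deny_line" ]
}

# Stand-alone run: print the three fragments, refuse to print a broken ruleset.
rules=$(gen_ipfw_rules "$ALT_PORT" "$WHITELIST")
check_rule_order "$rules" || { echo "rule order broken" >&2; exit 1; }
printf '# ipfw\n%s\n\n# sshd_config\n' "$rules"
gen_sshd_config "$ALT_PORT"
printf '\n# ~/.ssh/config\n'
gen_ssh_client_config "$HOST" "$ALT_PORT"
```

The deny rule covers only port 22, so the spoofed-source DoS from the PS does not apply here: nothing in this ruleset changes in response to traffic, and a forged whitelist address gains the attacker nothing without completing the TCP handshake.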