From: Jason Garrett
To: freebsd-questions@freebsd.org
Date: Mon, 8 Mar 2010 11:56:08 -0600
Subject: Re: Thousands of ssh probes

On Sun, Mar 7, 2010 at 16:48, Erik Norgaard wrote:

> On 07/03/10 21:41, dacoder wrote:
>
>> has anybody suggested having sshd listen on a high port?
>
> Any number will do, think about it:
>
> a. The attacker doesn't really care which host is compromised, any will do,
> and better yet someone's home box as it is more difficult to trace him. In
> that case he will scan large ip-ranges for hosts listening on port 22.
>
> b. The attacker wants to gain control of a particular server. In that case
> he will scan all ports to see what services are running and determine which
> services are running on each port. In that case running ssh on a
> non-standard port is futile.
>
> However, I'm not really a fan of using non-standard ports for ssh, I don't
> believe it's the right solution to the problem: You have ssh access to the
> outside because people travel and need remote access. In that case they
> might find themselves under other security policies which block access to
> services deemed unnecessary. Running ssh on a non-standard port is likely to
> be blocked on the client network - unless you run on, say, port 80.
>
> The more uses you have, the more problems you will have running ssh on a
> non-standard port, the time you save checking your logs may easily be spent
> on end user support.
>
> OP referred to significant impact on bandwidth which I find difficult to
> believe. In case connections come from a single ip at a time then you should
> tweak LoginGraceTime, MaxAuthTries, MaxSessions to reduce the number of
> concurrent unauthenticated connections and slow down brute force attacks.
>
> Much better, restrict the client access to certain ranges of IPs. The
> different registries publish ip ranges assigned per country and you can
> create a list blocking countries you are certain not to visit, you can use
> my script:
>
> http://www.locolomo.org/pub/src/toolbox/inet.pl

Great script! Just one question. Where do you put the list of denied ip ranges?

> BR, Erik
>
> --
> Erik Nørgaard
> Ph: +34.666334818/+34.915211157 http://www.locolomo.org