Date: Tue, 4 May 2010 12:16:04 +0100
From: Daniel Bye <freebsd-questions@slightlystrange.org>
To: freebsd-questions@freebsd.org
Subject: Re: pf suggestions for paced attack
Message-ID: <20100504111604.GD33120@catflap.slightlystrange.org>
In-Reply-To: <20100503163933.GA15599@elwood.starfire.mn.org>
References: <20100503144110.GA14402@elwood.starfire.mn.org> <4BDEF9E4.9020806@infracaninophile.co.uk> <20100503163933.GA15599@elwood.starfire.mn.org>

On Mon, May 03, 2010 at 11:39:33AM -0500, John wrote:
> Hi, Matthew. Indeed, yes, you may not recall, but my rules are
> based on a set that I originally got from you, and I do, in fact,
> have a white list, which I should have mentioned, but some of my
> users are "road warriors" and could be coming from virtually anywhere.
> You're right, though - it's time to look into alternatives to
> password-based authentication. I think I've taken password-based
> protection and rate adaptive rules to their logical limit.

Depending on the platforms these people use, you might find OpenVPN useful.
It has some excellent features for protecting against the sort of attack
you are seeing, if you use the default UDP transport. The setup is really
quite simple, and it runs on *BSD, Linux, Mac OS X and Windows (probably
others, but I've never needed to use it anywhere but the 4 listed).

You can then allow users on the VPN to access ssh, along with the
whitelisted addresses already in your pf tables.

I've been using this setup for a while, and am very happy with it.

Dan

--
Daniel Bye
                                                                     _
                                              ASCII ribbon campaign ( )
                                         - against HTML, vCards and  X
                                - proprietary attachments in e-mail / \
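
The arrangement suggested in the reply above, sketched as a pf.conf fragment. This is an added example, not part of the original message or either poster's ruleset; the interface names, VPN subnet, table name and file path are assumptions, and 1194/udp is OpenVPN's default port.

```conf
# Added example (not from the original e-mail). All names are assumptions.
ext_if  = "em0"            # assumed external interface
vpn_if  = "tun0"           # assumed OpenVPN tunnel interface
vpn_net = "10.8.0.0/24"    # assumed VPN client subnet

# Fixed addresses that may reach ssh directly
# (hypothetical table name and file path)
table <ssh_whitelist> persist file "/etc/pf.ssh_whitelist"

set skip on lo0

# Default: drop and log everything inbound on both interfaces.
block in log on $ext_if all
block in log on $vpn_if all

# OpenVPN over UDP is the only service open to arbitrary source
# addresses, so road warriors can connect from anywhere.
pass in quick on $ext_if inet proto udp from any to ($ext_if) \
    port 1194 keep state

# ssh on the external interface: whitelisted addresses only.
pass in quick on $ext_if inet proto tcp from <ssh_whitelist> \
    to ($ext_if) port ssh flags S/SA keep state

# ssh for VPN users: traffic arrives on the tunnel interface after
# OpenVPN has authenticated the client.
pass in quick on $vpn_if inet proto tcp from $vpn_net \
    to ($vpn_if) port ssh flags S/SA keep state
```

With rules like these, sshd is no longer reachable from unlisted addresses on the external interface. The fragment can be syntax-checked without loading it by running pfctl -nf on the file.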