From: Daniel Bye
To: freebsd-questions@freebsd.org
Date: Tue, 4 May 2010 12:16:04 +0100
Subject: Re: pf suggestions for paced attack
Message-ID: <20100504111604.GD33120@catflap.slightlystrange.org>
In-Reply-To: <20100503163933.GA15599@elwood.starfire.mn.org>
References: <20100503144110.GA14402@elwood.starfire.mn.org> <4BDEF9E4.9020806@infracaninophile.co.uk> <20100503163933.GA15599@elwood.starfire.mn.org>
User-Agent: Mutt/1.4.2.3i
X-Operating-System: FreeBSD 8.0-STABLE amd64
List-Id: User questions <freebsd-questions@freebsd.org>

On Mon, May 03, 2010 at 11:39:33AM -0500, John wrote:
> Hi, Matthew. Indeed, yes, you may not recall, but my rules are
> based on a set that I originally got from you, and I do, in fact,
> have a white list, which I should have mentioned, but some of my
> users are "road warriors" and could be coming from virtually anywhere.
> You're right, though - it's time to look into alternatives to
> password-based authentication. I think I've taken password-based
> protection and rate adaptive rules to their logical limit.

Depending on the platforms these people use, you might find OpenVPN
useful. It has some excellent features for protecting against the sort
of attack you are seeing, if you use the default UDP transport. The
setup is really quite simple, and it runs on *BSD, Linux, Mac OS X and
Windows (probably others, but I've never needed to use it anywhere but
the 4 listed).

You can then allow users on the VPN to access ssh, along with the
whitelisted addresses already in your pf tables.

I've been using this setup for a while, and am very happy with it.

Dan

-- 
Daniel Bye
 _   ASCII ribbon campaign
( )  - against HTML, vCards and
 X   - proprietary attachments in e-mail
/ \
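[Editor's added example, not part of Dan's message or the FreeBSD list thread.] The layout Dan describes, written out as a pf.conf fragment: OpenVPN on its default UDP port is the only thing open to the world, and sshd is reachable only from the existing whitelist table or from clients that have already come in over the tunnel. The interface names (em0, tun0), the whitelist file path and the choice to log blocked packets are assumptions made for the example; 1194/udp is OpenVPN's default port.

```pf
# Added example (not from the thread). Assumed names: em0 as the external
# interface, tun0 as the OpenVPN tunnel interface, /etc/pf.whitelist as the
# file backing the existing whitelist table.
ext_if = "em0"
vpn_if = "tun0"

# The whitelist the original rules already use. Backing it with a file lets
# it be refreshed without reloading the ruleset:
#   pfctl -t whitelist -T replace -f /etc/pf.whitelist
table <whitelist> persist file "/etc/pf.whitelist"

set skip on lo0

# Default deny inbound on the external interface. Logging keeps the paced
# password guessing visible in pflog even though it no longer reaches sshd.
block in log on $ext_if

# OpenVPN over UDP. There is no TCP handshake to complete, and with OpenVPN's
# tls-auth HMAC enabled the server silently drops packets that lack a valid
# HMAC, so an unauthenticated probe of this port gets no reply at all.
pass in quick on $ext_if inet proto udp from any to ($ext_if) port 1194 keep state

# ssh from the Internet: whitelisted addresses only.
pass in quick on $ext_if inet proto tcp from <whitelist> to ($ext_if) port ssh \
    flags S/SA keep state

# ssh from VPN clients: their packets arrive on tun0, never on $ext_if, so
# road warriors are admitted regardless of their current public address.
pass in quick on $vpn_if inet proto tcp from any to any port ssh \
    flags S/SA keep state

# Outbound traffic and the rest of the tunnel traffic as usual.
pass out on $ext_if keep state
pass in on $vpn_if keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; if the whitelist table was previously defined inline, confirm with `pfctl -t whitelist -T show` that the file-backed version loaded the same addresses before the old ssh rule is removed.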