Date: Sun, 04 Oct 2009 01:35:07 -0700
From: Xin LI <delphij@delphij.net>
To: Daniel O'Connor <doconnor@gsoft.com.au>
Cc: jruohonen@iki.fi, freebsd-hackers@freebsd.org, krad <kraduk@googlemail.com>
Subject: Re: Distributed SSH attack
Message-ID: <4AC85E3B.4040906@delphij.net>
In-Reply-To: <200910032357.02207.doconnor@gsoft.com.au>
References: <20091002201039.GA53034@flint.openpave.org> <20091003081335.GA19914@marx.net.bit> <d36406630910030303j2e88046epa30f2a76b9ae1507@mail.gmail.com> <200910032357.02207.doconnor@gsoft.com.au>
Daniel O'Connor wrote:
> On Sat, 3 Oct 2009, krad wrote:
>> simplest thing to do is disable password auth, and use key based.
>
> Your logs are still full of crap though.
>
> I find sshguard works well, and I am fairly sure you couldn't spoof a
> valid TCP connection through pf sanitising so it would be difficult
> (nigh-impossible?) for someone to cause you to block a legit IP.
>
> If you can, changing the port sshd runs on is by far the simplest work
> around. Galling as it is to have to change stuff to work around
> malicious assholes..

Believe it or not, I find this pf.conf rule very effective to mitigate
this type of distributed SSH botnet attack:

block in quick proto tcp from any os "Linux" to any port ssh

Cheers,
--
Xin LI <delphij@delphij.net> http://www.delphij.net/
FreeBSD - The Power to Serve!
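The rule Xin LI quotes, placed into a fuller pf.conf excerpt as an added example (this is not from the thread or from any of its participants). The interface name and the admin address table are assumptions; the pass-before-block ordering and the overload table show the two caveats a practitioner would want: pf's passive OS fingerprinting is heuristic and will also match legitimate Linux clients, so trusted sources must be admitted first, and rate limiting covers the non-Linux scanners the fingerprint rule never sees.

```pf
# /etc/pf.conf (excerpt): hypothetical example, not from the thread.
ext_if = "em0"                                   # assumption: external interface
table <admins> persist { 203.0.113.10, 198.51.100.0/24 }  # constructed: trusted admin sources
table <bruteforce> persist                       # filled automatically by the overload rule

set skip on lo0

# Admit known admin hosts first. 'quick' ends evaluation here, so the
# fingerprint block below cannot lock out an admin who happens to run Linux.
pass in quick on $ext_if proto tcp from <admins> to ($ext_if) port ssh \
    flags S/SA keep state

# Xin LI's rule: drop SSH SYNs whose TCP signature matches the "Linux"
# entries in /etc/pf.os. Fingerprinting only inspects the initial SYN and
# is easily confused by NAT or tuned stacks, so treat it as a noise filter,
# not an access control; 'log' keeps a record for later review.
block in quick log on $ext_if proto tcp from any os "Linux" to ($ext_if) port ssh

# Sources already caught by the rate limiter are refused outright.
block in quick on $ext_if from <bruteforce>

# Everyone else: allow SSH, but more than 5 new connections per 60 s from
# one source moves that source into <bruteforce> and flushes its states
# (the same effect sshguard achieves by watching sshd's log).
pass in on $ext_if proto tcp from any to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn-rate 5/60, overload <bruteforce> flush global)

# Checks after editing:
#   pfctl -nf /etc/pf.conf          parse the rules without loading them
#   pfctl -s osfp | grep -i linux   confirm the fingerprint database has Linux entries
#   pfctl -t bruteforce -T show     list sources the overload rule has trapped
```

Entries stay in <bruteforce> until removed (pfctl -t bruteforce -T flush), so expire them from cron if you want the list to age out.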