From owner-freebsd-questions@freebsd.org Thu Oct 1 08:32:54 2015
Return-Path:
Delivered-To: freebsd-questions@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 66532A0B4AB for ; Thu, 1 Oct 2015 08:32:54 +0000 (UTC) (envelope-from smithi@nimnet.asn.au)
Received: from sola.nimnet.asn.au (paqi.nimnet.asn.au [115.70.110.159]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id C75B01C5F for ; Thu, 1 Oct 2015 08:32:53 +0000 (UTC) (envelope-from smithi@nimnet.asn.au)
Received: from localhost (localhost [127.0.0.1]) by sola.nimnet.asn.au (8.14.2/8.14.2) with ESMTP id t918Wp1R026284; Thu, 1 Oct 2015 18:32:51 +1000 (EST) (envelope-from smithi@nimnet.asn.au)
Date: Thu, 1 Oct 2015 18:32:50 +1000 (EST)
From: Ian Smith
To: Nino J
cc: User Questions
Subject: Re: SSHguard & IPFW
Message-ID: <20151001173313.T67283@sola.nimnet.asn.au>
References: <20151001033001.R67283@sola.nimnet.asn.au>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: User questions
X-List-Received-Date: Thu, 01 Oct 2015 08:32:54 -0000

On Thu, 1 Oct 2015 08:52:47 +0200, Nino J wrote:
> On Wed, Sep 30, 2015 at 7:58 PM, Ian Smith wrote:
> >
> > I'm more paranoid and only allow addresses in a table to access sshd's
> > port, with a couple of roaming users who need to check mail to update
> > their IP before login .. but this is great news for sshguard users.
>
> It's not necessarily paranoid. It depends on your risk assessment. I'm
> primarily defending against brute-force attacks and sshguard effectively
> solves that. If I were concerned about possible vulnerability in sshd that
> would allow an attacker to bypass the login process or crash sshd on a
> machine where ssh access is critical, restricting access to known IPs only
> would be a perfectly reasonable solution.

Well I'm not as concerned about sshd vulnerabilities as I am about lots of
superfluous logging from (usually) oft-repeated drive-by attempts on port
22, often across all 6 IPs of a /29. And yes, I prefer using port 22,
despite the relief that using alternative ports does offer, mainly to keep
things simple for users. This way, all other hosts attempting connections
to port 22 simply vanish.

> On a side note, if I understood correctly, you're modifying IPFW rules
> based on a user successfully checking mail, basically a sort of
> port-knocking? Or I totally misinterpreted? :)

Yes, but not modifying the ruleset, just adding addresses to table(22).
This is done from a 5-minutely cron running a script that parses pop.log
for successful mailchecks by specified users from their nominated ISP/s,
adding their IP address with current timestamp to the table. Users know
the drill and it's worked without drama since 2007, although there's now
only one such login user (apart from me :) remaining in our little club.

Horses for courses; sshguard is surely a useful approach for hosts with
more users, where maintaining my ad-hoc solution would be more arduous.

cheers, Ian
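The "check mail, then ssh" mechanism Ian describes, as an added illustration that is not his actual cron script: a POSIX sh pass that reads pop.log, keeps only successful logins by nominated users from their nominated ISP prefixes, and emits the ipfw commands that would add each address to table 22 with the current epoch time as its value, plus a companion pass that expires entries older than a chosen age. The pop.log line format, the `popd` process name, the user names, the address prefixes and the output format of `ipfw table 22 list` are all assumptions made here (the mail only says the log is parsed for successful mailchecks); the table number 22 and the timestamp-as-value idea come from the mail. Commands are printed rather than executed so the script can be previewed before a cron job pipes its output into sh.

```shell
#!/bin/sh
# Added example, not Ian Smith's script. Harvests successful POP logins by
# nominated users from their nominated ISP ranges and prints the ipfw
# commands that would add those addresses to the ssh allow-list table.
#
# Assumed ruleset the table feeds (not from the mail; typical ipfw usage):
#   ipfw add 1000 allow tcp from "table(22)" to me 22 in setup
#   ipfw add 1010 deny  tcp from any to me 22 in setup
# Every other host hitting port 22 is dropped without a log line, which is
# the "simply vanish" behaviour described in the mail.

# Constructed sample of pop.log lines. The format is hypothetical; a real
# POP daemon's log will need the awk field positions below adjusted.
SAMPLE_LOG='Oct  1 18:20:05 sola popd[1234]: user alice logged in from 203.0.113.45
Oct  1 18:21:11 sola popd[1235]: user mallory logged in from 203.0.113.99
Oct  1 18:22:30 sola popd[1236]: user bob logged in from 192.0.2.7
Oct  1 18:23:02 sola popd[1237]: user bob logged in from 198.51.100.12
Oct  1 18:24:44 sola popd[1238]: user alice login failed from 203.0.113.45
Oct  1 18:25:00 sola popd[1239]: user alice logged in from 203.0.113.45'

# extract_allowed_ips USERS PREFIXES  < pop.log
#   USERS    : space-separated login names permitted to unlock ssh
#   PREFIXES : space-separated dotted prefixes of their nominated ISP ranges
# Prints each qualifying source address once, in first-seen order.
# A login by an unlisted user, a listed user from an unlisted range, or a
# failed login is ignored: only "known user from known ISP" unlocks ssh.
extract_allowed_ips() {
    users=$1
    prefixes=$2
    awk -v users="$users" -v prefixes="$prefixes" '
        BEGIN {
            n = split(users, u, " ")
            for (i = 1; i <= n; i++) ok_user[u[i]] = 1
            m = split(prefixes, p, " ")
        }
        # Successful logins only: "... user NAME logged in from IP"
        $6 == "user" && $8 == "logged" && $9 == "in" && $10 == "from" {
            name = $7; ip = $11
            if (!(name in ok_user)) next
            # refuse anything that is not a plain dotted quad before it
            # reaches an ipfw command line
            if (ip !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next
            for (i = 1; i <= m; i++)
                if (index(ip, p[i]) == 1 && !(ip in seen)) {
                    seen[ip] = 1
                    print ip
                }
        }'
}

# table_add_cmds TABLE NOW USERS PREFIXES  < pop.log
# Emits "ipfw table TABLE add IP NOW" per address. Re-adding an existing
# address with a newer timestamp is what refreshes a roaming user's entry.
table_add_cmds() {
    table=$1; now=$2; users=$3; prefixes=$4
    extract_allowed_ips "$users" "$prefixes" |
    while read -r ip; do
        printf 'ipfw table %s add %s %s\n' "$table" "$ip" "$now"
    done
}

# expire_cmds TABLE NOW MAXAGE  < output of "ipfw table TABLE list"
# Assumes list output lines of the form "ADDR/32 VALUE" (assumption, check
# your ipfw version). Entries whose stored timestamp is older than MAXAGE
# seconds are deleted, so a user's old hotel/cafe address does not stay
# whitelisted forever.
expire_cmds() {
    table=$1; now=$2; maxage=$3
    awk -v t="$table" -v now="$now" -v maxage="$maxage" '
        NF >= 2 && (now - $2) > maxage {
            sub(/\/32$/, "", $1)
            printf "ipfw table %s delete %s\n", t, $1
        }'
}

# Stand-alone run: preview what one 5-minutely cron pass would emit for the
# constructed log. In production: ... | table_add_cmds ... | sh
NOW=$(date +%s)
printf '%s\n' "$SAMPLE_LOG" |
    table_add_cmds 22 "$NOW" "alice bob" "203.0.113. 198.51.100."
```

The prefix match is deliberately on the dotted string rather than a CIDR calculation so the script stays plain awk; list a prefix ending in a dot (`203.0.113.` rather than `203.0.113`) or a /16 prefix will also match unrelated /8 neighbours.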