From: mouss
Date: Sun, 05 Oct 2008 20:33:31 +0200
CC: freebsd-current@freebsd.org
Subject: Re: SSH Brute Force attempts
Message-ID: <48E9087B.4070903@netoyen.net>
In-Reply-To: <20081005073409.62441itn43jvde80@econet.encontacto.net>

eculp wrote:
> Quoting sk@elegosoft.com:
>
>> mornin'
>>
>> Rich Healey wrote:
>>>> Recently I'm getting a lot of brute force attempts on my server, in the
>>>> past I've used various tips and tricks with linux boxes but many of
>>>> them were fairly linux specific.
>>
>>
>> disable password authentication OR use very strong passwords (24 chars)
>> OR use OTP
>>
>> if it is applicable you could limit access by hosts (from=)
>>
>> nothing of the above is linux or BSD specific
>>
>> btw. Software to delay Login Attempts could be tricked.
>>
>>> Personally I find that changing the port to anything other than 22 stops
>>> a lot of the skiddie brute force attacks. That's not to say you
>>> shouldn't use something else as well - but it is something.
>>
>> it works for one of my servers too, but is security by obscurity
>
> It worked for me also but in addition I have started accepting ssh from
> only known ip's but I always have a server with a known ip that uses an
> alternative port for ssh that I can access from, let's say an internet
> cafe or like, and then triangle to the server that I'm really interested
> in. Hope that makes some sense.
>

you can configure ssh to listen on two ports

    Port 22
    Port 23456

then use pf or other to allow 22 from trusted hosts and the other port
from anywhere (except maybe networks you don't "like").

if OP was thinking about the "recent" module of iptables, then pf can do
that:

    http://www.bgnett.no/~peter/pf/en/bruteforce.html

If only few users can ssh, then it's worth creating a specific group and
only allowing users in this group (AllowGroups).

A google search will show enough stuff to get busy for few days ;-p
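
The setup described in the message above, as an added example that is not part of the original post: sshd listening on two ports with AllowGroups, and pf admitting port 22 only from trusted hosts while rate-limiting the second port with an overload table. The interface name, addresses, group name, table names and rate limits are assumptions chosen for illustration.

```conf
# ---- /etc/ssh/sshd_config (fragment) ----
# Listen on the standard port and on a second port (ports from the message).
Port 22
Port 23456
# Only members of this group may log in; "sshusers" is a hypothetical name.
AllowGroups sshusers

# ---- /etc/pf.conf (fragment) ----
# Assumed external interface and constructed documentation-range addresses.
ext_if = "em0"
table <trusted> persist { 192.0.2.10, 198.51.100.0/24 }
table <bruteforce> persist

# Sources that tripped the rate limit below are dropped before any pass rule.
block in quick on $ext_if from <bruteforce>

# Default for both ssh ports: closed. Later matching rules override this one.
block in on $ext_if proto tcp from any to any port { 22, 23456 }

# Port 22 is reachable from trusted hosts only.
pass in on $ext_if proto tcp from <trusted> to any port 22 flags S/SA keep state

# Port 23456 is reachable from anywhere, but a source that opens more than
# 3 connections in 30 seconds, or holds more than 10 at once, is added to
# <bruteforce> and its existing states are flushed.
pass in on $ext_if proto tcp from any to any port 23456 \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 3/30, overload <bruteforce> flush global)
```

Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it, and list overloaded sources with `pfctl -t bruteforce -T show`.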