Date: Mon, 5 Oct 2009 23:04:48 -0600 (MDT)
From: "Peter" <fbsdq@peterk.org>
To: "Marian Hettwer" <MH@kernel32.de>
Cc: olli hauer <ohauer@gmx.de>, des@des.no, smithi@nimnet.asn.au, freebsd-security@freebsd.org
Subject: Re: openssh concerns
Message-ID: <bd3cc292fc07e3e63181ab4fb59fa8e7.squirrel@webmail.pknet.net>
In-Reply-To: <4AC9F9C1.9030702@kernel32.de>
References: <20091003121830.GA15170@sorry.mine.nu> <4AC9F9C1.9030702@kernel32.de>
> Hej All,
>
> olli hauer schrieb:
>>>> http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
>>>> provides a reasonably useful list of ports NOT to choose for an
>>>> obscure ssh port.
>>>>
>>> In practice, you have no choice but to use something like 443 or 8080,
>>> because corporate firewalls often block everything but a small number
>>> of ports (usually 20, 22, 80, 443, 8080, and odds are that 20, 80 and
>>> 8080 go through a transparent proxy)
>>>
>>
>> This may work if the firewall does only port and no additional protocol
>> filtering. For many products used in corporate environments it is even
>> possible to filter ssh v1, skype, stunnel, openvpn with a very high
>> success rate within the first packets on the wire.
>>
>> In the case of the ssh server, take a look at these parameters:
>> - LoginGraceTime
>> - MaxAuthTries
>> - MaxSessions
>> - MaxStartups
>>
>>
> I think nobody mentioned the overload rules from pf(4). I keep away most
> of the tried attempts by using it.
> Setup is pretty easy:
>
> table <ssh-spammer> persist
> pass quick log proto { tcp, udp } from any to any port ssh label "ssh-brute" \
>     flags S/SA keep state \
>     (max-src-conn 15, max-src-conn-rate 10/30, \
>     overload <ssh-spammer> flush global)
>
> Obviously, read pf.conf(5) to check what you might want to configure WRT
> max-src-conn and max-src-conn-rate.
>
> These rules in combination with enforced key authentication should keep
> your logfiles clean and your host secured.
> No need to go to another tcp port.
>
> Cheers,
> Marian

Or combine that with portknocking - only open port 22 after X number of
attempts to connect on port 1234:

# Table for allowed IPs
# [gets auto populated via portknocking]
table <portknock_ssh> persist
.
..
...
block                  # default block policy

# Allow everyone to hit 'any' on port '1234' - pf proxies the tcp connection
# [if not using 'synproxy', the connection is never established, so it
# never counts towards 'overload'ing the rule]
# 5 attempts in 15 seconds
pass in log quick proto tcp from any to any port {1234} synproxy state \
    (max-src-conn-rate 5/15, overload <portknock_ssh>)

# Allow IPs that have been 'overload'ed into the portknock_ssh table
pass in log quick proto tcp from {<portknock_ssh>} to any port {ssh}
.
..
...

Then put a crontab entry in on an as-needed basis to expire all IPs in
that table that have not been referenced in 60 seconds:

* * * * * /sbin/pfctl -vt portknock_ssh -T expire 60

All established sessions will be kept alive; all new sessions will need
to portknock after the IP is cleared from the table.

]Peter[
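The rate trigger that both Marian's 10/30 brute-force rule and Peter's 5/15 knock rule rely on, as an added example that is not part of the thread: a Python model of how pf accounts max-src-conn-rate, following the fixed-point moving average in pf_add_threshold()/pf_check_threshold() in pf.c as I read them, replayed over constructed connection timestamps. The addresses, timings and the names SrcTracker, overload and demo are my own; check the arithmetic against the pf version you actually run.

```python
"""Model of pf(4)'s max-src-conn-rate accounting (added example, not thread code).

pf keeps one counter per source address.  Every completed connection first
decays that counter by the fraction of the window that elapsed since the
previous hit, then adds one unit; the source is pushed into the overload
table when the counter strictly exceeds the configured limit.  This mirrors
pf_add_threshold()/pf_check_threshold() in pf.c.  All timestamps and
addresses below are constructed.
"""

PF_THRESHOLD_MULT = 1000  # pf's fixed-point scale for the counter


class SrcTracker:
    """Per-source state, like the conn_rate threshold on a pf src_node."""

    def __init__(self, limit, seconds):
        self.limit = limit * PF_THRESHOLD_MULT  # as in pf_init_threshold()
        self.seconds = seconds
        self.count = 0
        self.last = 0

    def hit(self, now):
        """Account one completed TCP handshake at `now` (integer seconds).

        Returns True when this hit leaves the source above the rate limit.
        """
        diff = now - self.last
        if diff >= self.seconds:
            self.count = 0                                  # window elapsed
        else:
            self.count -= self.count * diff // self.seconds  # linear decay
        self.count += PF_THRESHOLD_MULT
        self.last = now
        return self.count > self.limit


def overload(limit, seconds, connections):
    """Replay (time, src) completed connections against one pf rule.

    Returns {src: time_overloaded} for every source that would be added to
    the overload table (<ssh-spammer> or <portknock_ssh>); sources that
    stayed under the rate are absent.  Once listed, an entry stays until
    something like `pfctl -T expire` removes it, so later hits are ignored.
    """
    trackers = {}
    table = {}
    for t, src in sorted(connections):
        if src in table:
            continue
        tracker = trackers.setdefault(src, SrcTracker(limit, seconds))
        if tracker.hit(t):
            table[src] = t
    return table


# Peter's trigger rule: max-src-conn-rate 5/15 on port 1234 (synproxy, so
# every knock is a completed handshake).  Constructed knock sequences:
PORTKNOCK = dict(limit=5, seconds=15)
KNOCK_FAST = [(t, "198.51.100.7") for t in range(6)]       # 6 knocks, 1 s apart
KNOCK_FIVE = KNOCK_FAST[:5]                                # only 5 knocks
KNOCK_SLOW = [(4 * i, "198.51.100.8") for i in range(6)]   # 6 knocks, 4 s apart

# Marian's brute-force rule: max-src-conn-rate 10/30.  A bot opening one
# connection per second is a constructed worst case for the moving average.
BRUTE = dict(limit=10, seconds=30)
BOT = [(t, "203.0.113.9") for t in range(20)]


def demo():
    """Run the four scenarios; see the test/usage note for the outcomes."""
    return {
        "fast_knock": overload(**PORTKNOCK, connections=KNOCK_FAST),
        "five_knocks": overload(**PORTKNOCK, connections=KNOCK_FIVE),
        "slow_knock": overload(**PORTKNOCK, connections=KNOCK_SLOW),
        "bot": overload(**BRUTE, connections=BOT),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result or 'stays out of the table'}")
```

Two things the replay makes visible that the rule text does not. First, "5/15" means the source is admitted on the sixth completed connection inside the window, and six knocks spread four seconds apart never get there because of the decay; a knock client should therefore fire its connections back to back. Second, the same decay means a one-connection-per-second brute forcer only trips Marian's 10/30 rule on its twelfth connection, which is why max-src-conn (simultaneous established connections) is worth keeping alongside the rate. On the expiry side, note that per pfctl(8) `-T expire N` deletes entries whose statistics were cleared, or which were added, more than N seconds ago; with the cron line above an address leaves <portknock_ssh> about 60 s after it knocked regardless of later activity, while SSH sessions already established survive because pf states do not depend on table membership.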
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bd3cc292fc07e3e63181ab4fb59fa8e7.squirrel>