From: "Peter" <fbsdq@peterk.org>
To: "Marian Hettwer"
Cc: olli hauer, des@des.no, smithi@nimnet.asn.au, freebsd-security@freebsd.org
Date: Mon, 5 Oct 2009 23:04:48 -0600 (MDT)
Subject: Re: openssh concerns

> Hej All,
>
> olli hauer wrote:
>>>> http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers provides a
>>>> reasonably useful list of ports NOT to choose for an obscure ssh port.
>>>>
>>> In practice, you have no choice but to use something like 443 or 8080,
>>> because corporate firewalls often block everything but a small number of
>>> ports (usually 20, 22, 80, 443, 8080, and odds are that 20, 80 and 8080
>>> go through a transparent proxy)
>>>
>>
>> This may work if the firewall does only port and no additional protocol
>> filtering. For many products used in corporate environments it is even
>> possible to filter ssh v1, skype, stunnel, openvpn with a very high
>> success rate within the first packets on the wire.
>>
>> In the case of the ssh server, take a look at these parameters:
>> - LoginGraceTime
>> - MaxAuthTries
>> - MaxSessions
>> - MaxStartups
>>
>>
> I think nobody mentioned the overload rules from pf(4). I keep away most
> of the tried attempts by using it.
> Setup is pretty easy:
>
>     # (the table name was lost in the archive; <ssh-brute> is assumed from the rule label)
>     table <ssh-brute> persist
>     pass quick log proto { tcp, udp } from any to any port ssh label "ssh-brute" \
>         flags S/SA keep state \
>         (max-src-conn 15, max-src-conn-rate 10/30, \
>         overload <ssh-brute> flush global)
>
> Obviously, read pf.conf(5) to check what you might want to configure WRT
> max-src-conn and max-src-conn-rate.
>
> These rules in combination with enforced key authentication should keep
> your logfiles clean and your host secured.
> No need to go to another tcp port.
>
> Cheers,
> Marian

Or combine that with portknocking - Only open port 22 after X number of
attempts to connect on port 1234:

    # Table for allowed IPs
    # [gets auto populated via portknocking]
    table <portknock_ssh> persist
    . .. ...
    block    # default block policy
    # Allow everyone to hit 'any' on port '1234' - pf proxies the tcp connection
    # [if not using 'synproxy', the connection is never established to
    # 'overload' the rule]
    # 5 attempts in 15 seconds
    pass in log quick proto tcp from any to any port {1234} synproxy state \
        (max-src-conn-rate 5/15, overload <portknock_ssh>)
    # Allow IPs that have been 'overload'ed into the portknock_ssh table
    pass in log quick proto tcp from <portknock_ssh> to any port {ssh}
    . .. ...

Then put a crontab on a per-needed basis to expire all IPs in that table
that have not been referenced in 60 seconds:

    * * * * * /sbin/pfctl -vt portknock_ssh -T expire 60

All established sessions will be kept alive; all new sessions will need to
portknock after the IP is cleared from the table.

]Peter[
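As an added example (not code from Peter's or Marian's posts), here is a complete pf.conf fragment that combines the two techniques from this thread: the knock on port 1234 populates <portknock_ssh>, the ssh pass rule is restricted to that table, and Marian's overload limits on that same rule move brute-forcers into a second table that is blocked ahead of everything else. The interface name em0, the second table's name and the expiry periods in the cron comments are assumptions.

```pf
ext_if = "em0"                 # assumed interface name

# Sources that knocked successfully; the ssh pass rule is limited to this table.
table <portknock_ssh> persist
# Sources that brute-forced ssh after knocking; blocked outright (assumed name).
table <ssh-brute> persist

set skip on lo0
block log all                  # default block policy

# Evaluated before the pass rules, so a source that was overloaded into
# <ssh-brute> loses ssh access even while it is still in <portknock_ssh>.
block in quick on $ext_if proto tcp from <ssh-brute> to any port ssh

# Knock port: more than 5 new connections from one source within 15 seconds
# adds that source to <portknock_ssh>. synproxy completes the handshake on
# pf's behalf, so a state (and the per-source counters) exists even though
# nothing listens on 1234.
pass in log quick on $ext_if proto tcp from any to any port 1234 \
    synproxy state (max-src-conn-rate 5/15, overload <portknock_ssh>)

# ssh only from knocked sources, with overload limits on top: more than 10
# new connections in 30 s, or more than 15 concurrent states, moves the
# source into <ssh-brute> and flushes the ssh states created by this rule.
pass in log quick on $ext_if proto tcp from <portknock_ssh> to any port ssh \
    flags S/SA keep state \
    (max-src-conn 15, max-src-conn-rate 10/30, overload <ssh-brute> flush)

pass out quick on $ext_if keep state

# Housekeeping from cron (assumed periods): knock entries expire after 60 s,
# brute-force entries after one hour, so a dynamic address is not blocked forever.
#   * * * * * /sbin/pfctl -t portknock_ssh -T expire 60
#   * * * * * /sbin/pfctl -t ssh-brute -T expire 3600
```

Check the result with `pfctl -t portknock_ssh -T show` after a knock and `pfctl -s states | grep :22` to confirm that only sources in the table hold ssh states.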