From: Matthew Seaman
To: FreeBSD Questions
Date: Mon, 25 Oct 2004 21:32:52 +0100
Message-ID: <20041025203252.GA1356@happy-idiot-talk.infracaninophile.co.uk>
In-Reply-To: <20041025161403.GB57087@keyslapper.org>
Subject: Re: moving to 5.3 and need help understanding firewalls

On Mon, Oct 25, 2004 at 12:14:03PM -0400, Louis LeBlanc wrote:

> I had thought about this one a bit though, and figured that it would be
> a simple translation to the external network:
>
> ${fwcmd} add pass log tcp from any to ${ip} 22 setup limit src-addr 4
>
> But I never put it in because I don't understand exactly what it will
> do.

What that does is limit you to having no more than 4 remote SSH sessions
running concurrently from any particular source address. This can't stop
probing of your port 22, but it might slow it down some.

Hmmm... perhaps you might find something more like:

${fwcmd} add pass log tcp from any to ${ip} 22 setup limit dst-port 22

more effective. That limits you to no more than four incoming SSH
sessions in total.

However, the most effective defense is either to move the port sshd(8)
listens on, or to prevent people logging in using passwords at all --
key based auth is a lot more secure all round, or use one-time passwords.
See sshd_config(8) (particularly the description of the
ChallengeResponseAuthentication and PasswordAuthentication commands),
ssh-keygen(1), pam_unix(8) and opie(4).

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
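As an added example (not Matthew's code, nor FreeBSD's rc.firewall), the POSIX shell script below emits the two ipfw limit rules discussed above and audits an sshd_config for the password-related options he points to. Because ipfw's limit keyword takes a key followed by a count, the "total of four sessions" cap is spelled limit dst-port 4 here; the firewall command, address and config path are placeholders supplied by the caller.

```shell
#!/bin/sh
# Added example (not from the list post). ssh_rules() emits ipfw(8) rules in
# rc.firewall style; the sshd_config helpers audit the options Matthew points to.
# ${fwcmd}, ${ip} and the config path are supplied by the caller.

# Emit the two "limit" variants: a per-source cap, then a cap on all SSH sessions.
# ipfw's limit takes a key and a count, so the total cap of four is "dst-port 4".
ssh_rules() {
    fwcmd="$1"; ip="$2"
    printf '%s add check-state\n' "$fwcmd"
    printf '%s add pass log tcp from any to %s 22 setup limit src-addr 4\n' "$fwcmd" "$ip"
    printf '%s add pass log tcp from any to %s 22 setup limit dst-port 4\n' "$fwcmd" "$ip"
}

# Effective value of an sshd_config keyword: sshd takes the first match, keyword
# names are case-insensitive, comment lines are ignored. Prints "default" if unset.
sshd_opt() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print "default" }' "$1"
}

# Succeeds only when both password paths sshd offers are switched off.
password_auth_disabled() {
    [ "$(sshd_opt "$1" PasswordAuthentication)" = no ] &&
    [ "$(sshd_opt "$1" ChallengeResponseAuthentication)" = no ]
}

# Constructed sample sshd_config (hypothetical values) written to the given path.
write_sample_config() {
    cat > "$1" <<'EOF'
# listen on a non-default port, keys only
Port 2222
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
EOF
}

# Stand-alone demo: print the rules for a placeholder address.
ssh_rules "${fwcmd:-/sbin/ipfw}" "${ip:-192.0.2.1}"
```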