From: Programmer In Training
Date: Fri, 05 Mar 2010 07:03:53 -0600
To: freebsd-questions@freebsd.org
Subject: Re: Thousands of ssh probes
Message-ID: <4B910139.1080908@joseph-a-nagy-jr.us>
In-Reply-To: <20100305125446.GA14774@elwood.starfire.mn.org>

On 03/05/10 06:54, John wrote:
> My nightly security logs have thousands upon thousands of ssh probes
> in them. One day, over 6500. This is enough that I can actually
> "feel" it in my network performance. Other than changing ssh to
> a non-standard port - is there a way to deal with these? Every
> day, they originate from several different IP addresses, so I can't
> just put in a static firewall rule. Is there a way to get ssh
> to quit responding to a port or a way to generate a dynamic pf
> rule in cases like this?

Can you not deny all ssh attempts and then allow only from certain,
trusted IPs?

--
Yours In Christ,

PIT
Emails are not formal business letters, whatever businesses may want.
Original content copyright under the OWL http://owl.apotheon.org
Please do not CC me. If I'm posting to a list it is because I am subscribed.
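
The allowlist approach suggested in the reply, with the dynamic pf rule the quoted question asks about shown as a commented alternative. This is an added example, not part of the original message; the interface name em0, the table names and the documentation-range addresses are assumptions.

```conf
# /etc/pf.conf fragment (constructed example; adjust names and addresses)

ext_if = "em0"                       # assumption: external interface

# Trusted sources allowed to reach sshd (placeholder addresses, RFC 5737).
table <ssh_trusted> const { 192.0.2.10, 198.51.100.0/24 }

# Sources that exceeded the limits in option B; pf fills this table itself.
table <ssh_abusers> persist

set skip on lo0

# Default deny inbound, allow outbound.
block in log on $ext_if all
pass out on $ext_if all keep state

# Option A: deny ssh to everyone except the trusted table.
# Probes from other addresses are dropped by the default block rule
# before sshd ever sees them, so they stop filling the auth log.
pass in on $ext_if proto tcp from <ssh_trusted> to ($ext_if) port ssh \
    keep state

# Option B: sshd must stay reachable from arbitrary addresses.
# Replace the option A rule with the two rules below. A source that opens
# more than 10 simultaneous connections, or more than 5 new connections
# in 60 seconds, is added to <ssh_abusers>, its existing states are
# flushed, and every later packet from it is dropped by the quick rule.
#
# block in quick on $ext_if from <ssh_abusers>
# pass in on $ext_if proto tcp from any to ($ext_if) port ssh \
#     keep state (max-src-conn 10, max-src-conn-rate 5/60, \
#     overload <ssh_abusers> flush global)
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, and `pfctl -t ssh_abusers -T show` lists the addresses option B has collected.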