From owner-freebsd-questions@FreeBSD.ORG Fri Mar 5 13:06:40 2010 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 782AA1065677 for ; Fri, 5 Mar 2010 13:06:40 +0000 (UTC) (envelope-from eitanadlerlist@gmail.com) Received: from mail-fx0-f223.google.com (mail-fx0-f223.google.com [209.85.220.223]) by mx1.freebsd.org (Postfix) with ESMTP id 102AB8FC1C for ; Fri, 5 Mar 2010 13:06:39 +0000 (UTC) Received: by fxm23 with SMTP id 23so2575295fxm.3 for ; Fri, 05 Mar 2010 05:06:34 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :from:date:message-id:subject:to:cc:content-type :content-transfer-encoding; bh=HimUtKdUw6Et9ZDD54SXJTfTmxBV3MVCORh5kr3U05s=; b=HDxovUNBdwizk/C2Z8iUhYL5uhCIT1Ew48Z6ZzYKeoyIk5Olyl8yMhCqxnQqmWJfX8 skqpwbrM0CjNCG4iy70AIo56BtmpzyIO+3qmueHAdhe9WZGYUr8RttxnhPRrPF5fdtt0 7qDCPbqkyxYaZT+MJstIdBBnBWiD8bne+AmG8= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type:content-transfer-encoding; b=VfibB9HoxEbriDY1jaL+if4A0NhZGugLi2bCujG3jjocS4KqHtMPlKUCFuzuGOBx0+ SADPmDdJG/R/pl4YH6UYxtr2RCfgDbfKAu4eL3Xy7G53cIyT6Zf34L/4IaFAli7xjRrK Vn+iwi6FxrGR66qdUrTznK5Vat9+TtEjokZco= MIME-Version: 1.0 Received: by 10.239.137.211 with SMTP id m19mr18457hbm.34.1267794394000; Fri, 05 Mar 2010 05:06:34 -0800 (PST) In-Reply-To: <20100305125446.GA14774@elwood.starfire.mn.org> References: <20100305125446.GA14774@elwood.starfire.mn.org> From: Eitan Adler Date: Fri, 5 Mar 2010 15:06:12 +0200 Message-ID: To: John Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Cc: freebsd-questions@freebsd.org Subject: Re: Thousands of ssh probes X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 05 Mar 2010 13:06:40 -0000 On Fri, Mar 5, 2010 at 2:54 PM, John wrote: > My nightly security logs have thousands upon thousands of ssh probes > in them. =A0One day, over 6500. =A0This is enough that I can actually > "feel" it in my network performance. =A0Other than changing ssh to > a non-standard port - is there a way to deal with these? =A0Every > day, they originate from several different IP addresses, so I can't > just put in a static firewall rule. =A0Is there a way to get ssh > to quit responding to a port or a way to generate a dynamic pf > rule in cases like this? > -- > > John Lind > john@starfire.MN.ORG > _______________________________________________ > freebsd-questions@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-questions > To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.o= rg" > Look at security/blocksshd and security/denyhosts Also changing SSH to a non-standard port helps - a lot.