Date: Fri, 5 Mar 2010 15:41:52 +0200
From: Anton <anton@sng.by>
To: John <john@starfire.mn.org>
Cc: freebsd-questions@freebsd.org, Programmer In Training <pit@joseph-a-nagy-jr.us>
Subject: Re[2]: Thousands of ssh probes
Message-ID: <1108389354.20100305154152@sng.by>
In-Reply-To: <20100305132604.GC14774@elwood.starfire.mn.org>
References: <20100305125446.GA14774@elwood.starfire.mn.org> <4B910139.1080908@joseph-a-nagy-jr.us> <20100305132604.GC14774@elwood.starfire.mn.org>
Hello John,

I would suggest you just block ssh access for everyone. But, to allow access for yourself, you could install the wonderful utility 'knock-knock'. It listens on specified ports (they could be closed) and, on receiving a predefined knock-knock (for example, 2 knocks on tcp port 9000, one knock on port 8000, one on tcp port 27145 and the final one on udp port 29000), it dynamically inserts a rule into the pf (in my case, ipfw) ruleset which allows access for the host which knocks:

http://www.marksanborn.net/linux/add-port-knocking-to-ssh-for-extra-security/

Friday, March 5, 2010, 3:26:04 PM, you wrote:

> On Fri, Mar 05, 2010 at 07:03:53AM -0600, Programmer In Training wrote:
>> On 03/05/10 06:54, John wrote:
>> > My nightly security logs have thousands upon thousands of ssh probes
>> > in them. One day, over 6500. This is enough that I can actually
>> > "feel" it in my network performance. Other than changing ssh to
>> > a non-standard port - is there a way to deal with these? Every
>> > day, they originate from several different IP addresses, so I can't
>> > just put in a static firewall rule. Is there a way to get ssh
>> > to quit responding to a port or a way to generate a dynamic pf
>> > rule in cases like this?
>> Can you not deny all ssh attempts and then allow only from certain,
>> trusted IPs?
> Ah, I should have added that I travel a fair amount, and often
> have to get to my systems via hotel WiFi or Aircard, so it's
> impossible to predict my originating IP address in advance. If
> that were not the case, this would be an excellent suggestion.
>> --
>> Yours In Christ,
>> PIT
>> Emails are not formal business letters, whatever businesses may want.
>> Original content copyright under the OWL [1]http://owl.apotheon.org
>> Please do not CC me. If I'm posting to a list it is because I am subscribed.
--
Best regards,
Anton  [2]mailto:anton@sng.by
Administrator

Feel free to contact me
via ICQ 363780596
via Skype dobryak47
via phone +375 29 3320987

References
1. http://owl.apotheon.org
2. mailto:anton@sng.by
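The mechanism Anton describes (a daemon watches a fixed sequence of "knocks" on ports that may be closed and, once a source host has sent the whole sequence in order, inserts a firewall rule admitting that host to ssh) is easy to misjudge from the prose alone, so here is an added example of the tracking logic. It is not code from the thread, from 'knock-knock' or from any real knock daemon; the class and function names, the 30-second completion window, the ipfw rule number 100, the pf table name `knocked` and the packet trace are all assumptions constructed for the example. The knock sequence itself is the one from Anton's message.

```python
"""Port-knock sequence tracker (added example, not a real knock daemon).

Rules modelled here, which a practitioner would want spelled out:
  * only the ports in the sequence are watched; packets to other ports
    (for example the ssh probes themselves on port 22) are ignored
  * a watched port hit out of order resets the source's progress
  * the whole sequence must complete within WINDOW_SECONDS (assumed)
  * the source address is validated before it is placed in a command
"""
import ipaddress
from dataclasses import dataclass

# Anton's example sequence: (protocol, port), in order.
KNOCK_SEQUENCE = [
    ("tcp", 9000),
    ("tcp", 9000),
    ("tcp", 8000),
    ("tcp", 27145),
    ("udp", 29000),
]
SSH_PORT = 22
WINDOW_SECONDS = 30.0    # assumed: full sequence must arrive within this window
IPFW_RULE_NUMBER = 100   # assumed: numbered ahead of the rule that denies ssh


def ipfw_allow_command(src):
    """ipfw rule admitting one host to ssh (Anton's own firewall)."""
    return f"ipfw add {IPFW_RULE_NUMBER} allow tcp from {src} to me {SSH_PORT}"


def pf_allow_command(src):
    """pf equivalent: add the host to a table 'knocked' that pf.conf is
    assumed to reference in a pass rule for port 22."""
    return f"pfctl -t knocked -T add {src}"


@dataclass
class _Progress:
    next_index: int = 0      # position in KNOCK_SEQUENCE expected next
    started_at: float = 0.0  # time of the first knock of this attempt


class KnockTracker:
    def __init__(self, sequence=KNOCK_SEQUENCE, window=WINDOW_SECONDS,
                 make_command=ipfw_allow_command):
        self.sequence = list(sequence)
        self.window = window
        self.make_command = make_command
        self._progress = {}
        self.allowed = set()

    def observe(self, src, proto, dport, now):
        """Feed one observed packet. Returns the firewall command when
        src completes the sequence, otherwise None."""
        src = str(ipaddress.ip_address(src))  # reject anything but an IP
        knock = (proto, dport)
        if knock not in self.sequence:
            return None  # unwatched port: noise, no effect on progress
        prog = self._progress.get(src)
        if prog is None or now - prog.started_at > self.window:
            prog = _Progress(started_at=now)  # new or expired attempt
            self._progress[src] = prog
        if knock != self.sequence[prog.next_index]:
            # Wrong knock: reset. The wrong knock may itself start over.
            prog = _Progress(started_at=now)
            self._progress[src] = prog
            if knock != self.sequence[0]:
                return None
        prog.next_index += 1
        if prog.next_index < len(self.sequence):
            return None
        del self._progress[src]
        self.allowed.add(src)
        return self.make_command(src)


# Constructed packet trace (time, src, proto, dport); not a real capture.
SAMPLE_TRACE = [
    (0.5, "198.51.100.9", "tcp", 9000),   # scanner hits watched ports, wrong order
    (0.6, "198.51.100.9", "tcp", 8000),
    (0.7, "198.51.100.9", "tcp", 9000),
    (0.8, "198.51.100.9", "udp", 29000),
    (1.0, "203.0.113.5", "tcp", 22),      # plain ssh probe: unwatched, ignored
    (1.5, "203.0.113.5", "tcp", 9000),    # the legitimate admin's knocks
    (2.0, "203.0.113.5", "tcp", 9000),
    (3.0, "203.0.113.5", "tcp", 8000),
    (4.0, "203.0.113.5", "tcp", 27145),
    (5.0, "203.0.113.5", "udp", 29000),   # completes the sequence
    (10.0, "192.0.2.77", "tcp", 9000),    # right order, but too slow
    (11.0, "192.0.2.77", "tcp", 9000),
    (50.0, "192.0.2.77", "tcp", 8000),    # window expired: treated as a restart
    (51.0, "192.0.2.77", "tcp", 27145),
    (52.0, "192.0.2.77", "udp", 29000),
]


def run_demo(trace=SAMPLE_TRACE):
    """Replay the trace; return the firewall commands a daemon would run."""
    tracker = KnockTracker()
    commands = []
    for now, src, proto, dport in trace:
        cmd = tracker.observe(src, proto, dport, now)
        if cmd is not None:
            commands.append(cmd)
    return commands


if __name__ == "__main__":
    for cmd in run_demo():
        print(cmd)
```

Only 203.0.113.5 earns a rule in the replay; the scanner never hits the watched ports in order and 192.0.2.77 lets the window lapse. Two caveats worth keeping in mind before relying on this in place of a static allow list: the knock sequence is sent in the clear and is replayable by anyone who can observe it, so it cuts log noise rather than replacing ssh's own authentication, and a daemon that runs the generated command through a shell must validate the source address first (the `ipaddress` check above) since that value comes straight off the wire.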