From: Anton <anton@sng.by>
Date: Fri, 5 Mar 2010 15:41:52 +0200
To: John
Cc: freebsd-questions@freebsd.org, Programmer In Training
Subject: Re[2]: Thousands of ssh probes
In-Reply-To: <20100305132604.GC14774@elwood.starfire.mn.org>

Hello John,

I would suggest you just block ssh access for everyone. But, to allow access for yourself, you could install the wonderful utility 'knock-knock'.

It listens on specified ports (they can be closed), and, on receiving a predefined knock-knock (for example, 2 knocks on tcp port 9000, one knock on port 8000, one on tcp port 27145 and the final one on udp port 29000), it dynamically inserts a rule in the pf (in my case, ipfw) ruleset which allows access for the host which knocks:
http://www.marksanborn.net/linux/add-port-knocking-to-ssh-for-extra-security/

Friday, March 5, 2010, 3:26:04 PM, you wrote:

> On Fri, Mar 05, 2010 at 07:03:53AM -0600, Programmer In Training wrote:
>> On 03/05/10 06:54, John wrote:
>> > My nightly security logs have thousands upon thousands of ssh probes
>> > in them. One day, over 6500. This is enough that I can actually
>> > "feel" it in my network performance. Other than changing ssh to
>> > a non-standard port - is there a way to deal with these? Every
>> > day, they originate from several different IP addresses, so I can't
>> > just put in a static firewall rule. Is there a way to get ssh
>> > to quit responding to a port or a way to generate a dynamic pf
>> > rule in cases like this?
>> Can you not deny all ssh attempts and then allow only from certain,
>> trusted IPs?
> Ah, I should have added that I travel a fair amount, and often
> have to get to my systems via hotel WiFi or Aircard, so it's
> impossible to predict my originating IP address in advance. If
> that were not the case, this would be an excellent suggestion.
>> --
>> Yours In Christ,
>> PIT
>> Emails are not formal business letters, whatever businesses may want.
>> Original content copyright under the OWL http://owl.apotheon.org
>> Please do not CC me. If I'm posting to a list it is because I am subscribed.

--
Best regards,
Anton  mailto:anton@sng.by
Administrator
Feel free to contact me via ICQ 363780596 via Skype dobryak47 via phone +375 29 3320987
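The knock handling Anton describes, as an added example that is not part of the original thread and not the code of any knock daemon: a small Python tracker that follows each source host through the sequence from the message (two knocks on tcp/9000, then tcp/8000, tcp/27145 and udp/29000) and, once a host completes it in time, returns the ipfw command that would admit that host to sshd. The timeout, the rule number, and the choice to ignore traffic on ports outside the sequence are assumptions; a real deployment also has to remove the rule again later.

```python
import ipaddress

# Knock sequence from the message above; timeout and rule number are assumed.
KNOCK_SEQUENCE = (("tcp", 9000), ("tcp", 9000), ("tcp", 8000),
                  ("tcp", 27145), ("udp", 29000))
SEQ_TIMEOUT = 10.0        # seconds a source has to finish the whole sequence
IPFW_RULE_NUMBER = 5000   # assumed rule number; pick one that sits before your deny rule

def ipfw_allow_ssh(src):
    """Build the ipfw command that lets exactly one knocking host reach sshd."""
    ipaddress.ip_address(src)   # raises ValueError unless src is a literal IP address
    return f"ipfw add {IPFW_RULE_NUMBER} allow tcp from {src} to me dst-port 22 in"

class KnockTracker:
    """Per-source state machine fed with observed packets (src, proto, dst port, time)."""

    def __init__(self, sequence=KNOCK_SEQUENCE, timeout=SEQ_TIMEOUT):
        self.sequence = tuple(sequence)
        self.timeout = timeout
        self.ports = {port for _, port in self.sequence}
        self.state = {}         # src -> (index of next expected knock, time of first knock)

    def observe(self, src, proto, port, now):
        """Feed one packet; return the ipfw command once src completes the sequence, else None."""
        if port not in self.ports:
            return None         # assumption: unrelated traffic neither advances nor resets a knock
        idx, started = self.state.get(src, (0, now))
        if idx > 0 and now - started > self.timeout:
            idx = 0             # too slow: the attempt is void
        if idx == 0:
            started = now       # a fresh attempt is timed from its first knock
        if (proto, port) == self.sequence[idx]:
            idx += 1
        elif (proto, port) == self.sequence[0]:
            idx, started = 1, now   # wrong knock, but it also counts as the start of a new attempt
        else:
            idx = 0             # out-of-order knocks (e.g. an ascending port scan) never complete
        if idx == len(self.sequence):
            self.state.pop(src, None)
            return ipfw_allow_ssh(src)
        self.state[src] = (idx, started)
        return None

if __name__ == "__main__":
    tracker = KnockTracker()
    for i, (proto, port) in enumerate(KNOCK_SEQUENCE):   # constructed knocks from one host
        cmd = tracker.observe("203.0.113.7", proto, port, 100.0 + i)
    print(cmd)
```

In practice the returned string would be handed to ipfw (never to a shell with unchecked input, which is why the source address is validated first), and a companion rule or timer should revoke the access after a while.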