From owner-freebsd-questions@FreeBSD.ORG Fri Mar 5 15:19:21 2010
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 56C30106567C for ; Fri, 5 Mar 2010 15:19:21 +0000 (UTC) (envelope-from mikel.king@olivent.com)
Received: from mail.olivent.com (mail.olivent.com [75.99.82.91]) by mx1.freebsd.org (Postfix) with ESMTP id B21FB8FC1D for ; Fri, 5 Mar 2010 15:19:20 +0000 (UTC)
Received: from localhost ([127.0.0.1]) by mail.olivent.com (Kerio Connect 7.0.0 patch 1) (using TLSv1/SSLv3 with cipher AES128-SHA (128 bits)); Fri, 5 Mar 2010 10:19:09 -0500
References: <20100305125446.GA14774@elwood.starfire.mn.org> <4B910139.1080908@joseph-a-nagy-jr.us> <20100305132604.GC14774@elwood.starfire.mn.org>
Message-Id:
From: mikel king
To: John
In-Reply-To: <20100305132604.GC14774@elwood.starfire.mn.org>
Mime-Version: 1.0 (Apple Message framework v936)
Date: Fri, 5 Mar 2010 10:19:09 -0500
X-Mailer: Apple Mail (2.936)
Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
Content-Transfer-Encoding: 7bit
X-Content-Filtered-By: Mailman/MimeDel 2.1.5
Cc: freebsd-questions@freebsd.org, Programmer In Training
Subject: Re: Thousands of ssh probes
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 05 Mar 2010 15:19:21 -0000

On Mar 5, 2010, at 8:26 AM, John wrote:

> On Fri, Mar 05, 2010 at 07:03:53AM -0600, Programmer In Training wrote:
>> On 03/05/10 06:54, John wrote:
>>> My nightly security logs have thousands upon thousands of ssh probes
>>> in them. One day, over 6500. This is enough that I can actually
>>> "feel" it in my network performance. Other than changing ssh to
>>> a non-standard port - is there a way to deal with these? Every
>>> day, they originate from several different IP addresses, so I can't
>>> just put in a static firewall rule. Is there a way to get ssh
>>> to quit responding to a port or a way to generate a dynamic pf
>>> rule in cases like this?
>>
>> Can you not deny all ssh attempts and then allow only from certain,
>> trusted IPs?
>
> Ah, I should have added that I travel a fair amount, and often
> have to get to my systems via hotel WiFi or Aircard, so it's
> impossible to predict my originating IP address in advance. If
> that were not the case, this would be an excellent suggestion.

Way back about 10 years ago, I was playing around with IPFW a lot. I wrote a script to update IPFW from changes made to a MySql db. It was a just-for-fun project that turned out to be rather useful. I had some developers that I managed who, like you, were road warriors. They logged in to the https web page w/ their username and password, which grabbed their IP address and stored it in a table with their login id. The script called fud (for firewall update daemon) connected to the db and ran a query to check for any rule changes. If there were any, it would apply them to the rule set and clear the change flag.

Using this combination I was able to allow ssh access only to the necessary ip addresses. I kind of scrapped it when VPNs became easier to deploy, and I have no idea where this set of scripts is now, but it would be rather trivial to build a new version. If anyone thinks it's worth revisiting, hit me off list.

Cheers,
Mikel King
CEO, Olivent Technologies
Senior Editor, BSD News Network
Columnist, BSD Magazine
6 Alpine Court, Medford, NY 11763
o: 631.627.3055
c: 631.796.1499
skype:mikel.king
http://olivent.com
http://www.linkedin.com/in/mikelking
http://twitter.com/mikelking
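The design Mikel describes above (web login records the user's IP with a change flag; a polling daemon turns flagged rows into firewall rules and clears the flag) is sketched here as an added example. It is not Mikel's original fud script and not part of the thread; it assumes SQLite in place of the MySQL table, a hypothetical `access` table layout, a hypothetical per-user ipfw rule number range starting at 1000, and that the ruleset already ends with a later rule denying port 22 from everyone else. The daemon returns the `ipfw` command strings rather than executing them, so the reconciliation logic can be checked without touching a firewall; a real deployment would pass a `run` callback that executes each command.

```python
import ipaddress
import sqlite3

SSH_PORT = 22
RULE_BASE = 1000  # hypothetical: one ipfw rule number per login_id, starting here


def init_db(conn):
    """Create the hypothetical access table the web login handler writes to."""
    conn.execute(
        """CREATE TABLE access (
               login_id TEXT PRIMARY KEY,
               rule_no  INTEGER UNIQUE NOT NULL,
               ip       TEXT NOT NULL,
               changed  INTEGER NOT NULL DEFAULT 1)"""
    )
    conn.commit()


def record_login(conn, login_id, ip):
    """Called by the HTTPS login page after a successful login.

    The client IP comes from the network, so it is validated as an address
    before it can ever reach a shell command; anything else raises ValueError.
    """
    addr = ipaddress.ip_address(ip)
    row = conn.execute(
        "SELECT rule_no FROM access WHERE login_id = ?", (login_id,)
    ).fetchone()
    if row:
        # Same user from a new hotel/aircard address: replace IP, flag for update.
        conn.execute(
            "UPDATE access SET ip = ?, changed = 1 WHERE login_id = ?",
            (str(addr), login_id),
        )
    else:
        # First login: assign the next free rule number so later updates
        # can delete and re-add exactly this user's rule.
        next_no = conn.execute(
            "SELECT COALESCE(MAX(rule_no), ?) + 1 FROM access", (RULE_BASE - 1,)
        ).fetchone()[0]
        conn.execute(
            "INSERT INTO access (login_id, rule_no, ip, changed) VALUES (?, ?, ?, 1)",
            (login_id, next_no, str(addr)),
        )
    conn.commit()


def rules_for(rule_no, ip):
    """ipfw commands that replace rule `rule_no` with an allow for `ip` to ssh."""
    me = "me6" if ipaddress.ip_address(ip).version == 6 else "me"
    return [
        # deleting a not-yet-existing rule fails harmlessly on first use
        f"ipfw delete {rule_no}",
        f"ipfw add {rule_no} allow tcp from {ip} to {me} {SSH_PORT} setup",
    ]


def fud_pass(conn, run=None):
    """One polling pass of the daemon: apply flagged rows, then clear the flags.

    Returns the list of commands so the caller (or a test) can inspect them.
    """
    pending = conn.execute(
        "SELECT rule_no, ip FROM access WHERE changed = 1 ORDER BY rule_no"
    ).fetchall()
    cmds = []
    for rule_no, ip in pending:
        cmds.extend(rules_for(rule_no, ip))
    for cmd in cmds:
        if run is not None:
            run(cmd)
    # Clear only the rows we actually processed in this pass.
    conn.execute("UPDATE access SET changed = 0 WHERE changed = 1")
    conn.commit()
    return cmds


if __name__ == "__main__":
    # Constructed sample session: two road warriors, one of them moving hotels.
    db = sqlite3.connect(":memory:")
    init_db(db)
    record_login(db, "alice", "203.0.113.7")
    record_login(db, "bob", "2001:db8::1")
    for c in fud_pass(db):
        print(c)
    record_login(db, "alice", "198.51.100.9")
    for c in fud_pass(db):
        print(c)
```

Two points the thread's description leaves implicit and that this layout makes explicit: the per-user rule number is what lets a re-login from a new address replace the old allow instead of accumulating stale ones, and the address validation at `record_login` is the only thing standing between the web form and a string that ends up in a root shell command, so it has to happen before the row is written rather than in the daemon.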