From owner-freebsd-questions@FreeBSD.ORG Fri Mar 5 15:44:41 2010
Date: Fri, 5 Mar 2010 09:44:39 -0600
From: John <john@starfire.mn.org>
To: mikel king
Cc: John, freebsd-questions@freebsd.org, Programmer In Training
Subject: Re: Thousands of ssh probes
Message-ID: <20100305154439.GA17456@elwood.starfire.mn.org>
References: <20100305125446.GA14774@elwood.starfire.mn.org> <4B910139.1080908@joseph-a-nagy-jr.us> <20100305132604.GC14774@elwood.starfire.mn.org>
User-Agent: Mutt/1.4.2.3i

On Fri, Mar 05, 2010 at 10:19:09AM -0500, mikel king wrote:
>
> On Mar 5, 2010, at 8:26 AM, John wrote:
>
> >On Fri, Mar 05, 2010 at 07:03:53AM -0600, Programmer In Training wrote:
> >>On 03/05/10 06:54, John wrote:
> >>>My nightly security logs have thousands upon thousands of ssh probes
> >>>in them. One day, over 6500. This is enough that I can actually
> >>>"feel" it in my network performance. Other than changing ssh to
> >>>a non-standard port - is there a way to deal with these? Every
> >>>day, they originate from several different IP addresses, so I can't
> >>>just put in a static firewall rule. Is there a way to get ssh
> >>>to quit responding to a port or a way to generate a dynamic pf
> >>>rule in cases like this?
> >>
> >>Can you not deny all ssh attempts and then allow only from certain,
> >>trusted IPs?
> >
> >Ah, I should have added that I travel a fair amount, and often
> >have to get to my systems via hotel WiFi or Aircard, so it's
> >impossible to predict my originating IP address in advance. If
> >that were not the case, this would be an excellent suggestion.
>
> Way back about 10 years ago, I was playing around with IPFW a lot. I
> wrote a script to update IPFW from changes made to a MySql db. It was
> a just-for-fun project that turned out to be rather useful. I had
> some developers that I managed who, like you, were road warriors. They
> logged in to the https web page with their username and password, which
> grabbed their IP address and stored it in a table along with their login
> id.
>
> The script, called fud (for firewall update daemon), connected to the db
> and ran a query to check for any rule changes. If there were, it would
> apply them to the rule set and clear the change flag. Using this
> combination I was able to allow ssh access only to the necessary IP
> addresses.
>
> I kind of scrapped it when VPNs became easier to deploy, and I have no
> idea where this set of scripts is now, but it would be rather trivial
> to build a new version.
>
> If anyone thinks it's worth revisiting, hit me off list.

Maybe I'll have to learn how to do a VPN from FreeBSD....

One thought that occurs to me is that pf tables would provide a direct
API without having to hit a database. I think I really like this. I may
have to implement it for pf. It should be really easy with CGI and calls
to pfctl.

--
John Lind
john@starfire.MN.ORG
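The pf-table variant John sketches (a CGI script that, after the user has authenticated over https, adds the visitor's address to a pf table that the ssh pass rule references), as an added example that is not part of the thread and not code from any of its participants. The table name `ssh_ok`, the `EXPIRE_SECS` policy and the `cgi`/`expire` sub-commands are assumptions of this example; `pfctl -t <table> -T add` and `-T expire` are real pfctl operations, and the script only runs pfctl when invoked as a CGI, so the address check and command builder can be exercised on their own.

```sh
#!/bin/sh
# Added example (not from the mailing-list thread): a CGI helper that
# puts the authenticated visitor's address into a pf table so that only
# that address may reach sshd. It assumes pf.conf carries something like:
#
#   table <ssh_ok> persist
#   block in on $ext_if proto tcp to port 22
#   pass in on $ext_if proto tcp from <ssh_ok> to port 22
#
# Table name, expiry interval and sub-command names are assumptions.

PF_TABLE="${PF_TABLE:-ssh_ok}"       # assumed table name
PFCTL="${PFCTL:-/sbin/pfctl}"        # standard FreeBSD location of pfctl
EXPIRE_SECS="${EXPIRE_SECS:-43200}"  # 12 hours; assumed site policy

# is_ipv4: strict dotted-quad check. REMOTE_ADDR is set by the web
# server, but untrusted text must never reach pfctl unchecked, so
# anything that is not exactly four decimal octets is rejected.
is_ipv4() {
    ip=$1
    case $ip in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;   # non-digits, leading/trailing/double dots
    esac
    oldifs=$IFS; IFS=.
    set -- $ip                             # split on dots into $1..$n
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] || return 1
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# pfctl_add_cmd: print the exact pfctl command that grants an address,
# so the decision can be logged by the web server and tested offline.
pfctl_add_cmd() {
    printf '%s -t %s -T add %s\n' "$PFCTL" "$PF_TABLE" "$1"
}

# cgi_main: invoked by the web server only after the web application
# has authenticated the user (that step is assumed, not shown here).
cgi_main() {
    printf 'Content-Type: text/plain\r\n\r\n'
    if ! is_ipv4 "${REMOTE_ADDR:-}"; then
        printf 'rejected: REMOTE_ADDR is not a plain IPv4 address\n'
        return 1
    fi
    if $PFCTL -t "$PF_TABLE" -T add "$REMOTE_ADDR" >/dev/null 2>&1; then
        printf 'ssh allowed from %s for up to %s seconds\n' "$REMOTE_ADDR" "$EXPIRE_SECS"
    else
        printf 'pfctl failed; check that the CGI user is allowed to run pfctl\n'
        return 1
    fi
}

# expire_main: run from cron so a hotel address does not stay allowed
# forever. pfctl -T expire removes entries older than EXPIRE_SECS
# (age counts from insertion, or from the last statistics clear).
expire_main() {
    $PFCTL -t "$PF_TABLE" -T expire "$EXPIRE_SECS"
}

case ${1:-} in
    cgi)    cgi_main ;;
    expire) expire_main ;;
esac
```

Install it as a CGI under a path that requires authentication and call it with `cgi`; schedule `expire` from cron. Whatever runs the CGI needs permission to run pfctl (for example a narrow sudoers entry for that one command), and only the validated address, never free text from the request, is passed to it. pf can also fill a table on its own with `max-src-conn-rate` and `overload <table>` on the ssh pass rule, which addresses the "dynamic pf rule" part of the original question without a web front end.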