Date: Thu, 1 Oct 2015 18:32:50 +1000 (EST)
From: Ian Smith <smithi@nimnet.asn.au>
To: Nino J <nino80@gmail.com>
Cc: User Questions <freebsd-questions@freebsd.org>
Subject: Re: SSHguard & IPFW
Message-ID: <20151001173313.T67283@sola.nimnet.asn.au>
In-Reply-To: <CALf6cgY0TYxugyMWd7ugpL5YgjKYiX%2Bk35%2BP1%2BzwbDMJw9T2Jw@mail.gmail.com>
References: <mailman.98.1443614402.37653.freebsd-questions@freebsd.org> <20151001033001.R67283@sola.nimnet.asn.au> <CALf6cgY0TYxugyMWd7ugpL5YgjKYiX%2Bk35%2BP1%2BzwbDMJw9T2Jw@mail.gmail.com>
On Thu, 1 Oct 2015 08:52:47 +0200, Nino J wrote:
> On Wed, Sep 30, 2015 at 7:58 PM, Ian Smith <smithi@nimnet.asn.au> wrote:
> >
> > I'm more paranoid and only allow addresses in a table to access sshd's
> > port, with a couple of roaming users who need to check mail to update
> > their IP before login .. but this is great news for sshguard users.
>
> It's not necessarily paranoid. It depends on your risk assessment. I'm
> primarily defending against brute-force attacks and sshguard effectively
> solves that. If I were concerned about possible vulnerability in sshd that
> would allow an attacker to bypass the login process or crash sshd on a
> machine where ssh access is critical, restricting access to known IPs only
> would be a perfectly reasonable solution.

Well I'm not as concerned about sshd vulnerabilities as I am about lots of
superfluous logging from (usually) oft-repeated drive-by attempts on port 22,
often across all 6 IPs of a /29. And yes, I prefer using port 22, despite the
relief that using alternative ports does offer, mainly to keep things simple
for users. This way, all other hosts attempting connections to port 22 simply
vanish.

> On a side note, if I understood correctly, you're modifying IPFW rules
> based on a user successfully checking mail, basically a sort of
> port-knocking? Or I totally misinterpreted? :)

Yes, but not modifying the ruleset, just adding addresses to table(22). This
is done from a 5-minutely cron running a script that parses pop.log for
successful mailchecks by specified users from their nominated ISP/s, adding
their IP address with current timestamp to the table. Users know the drill
and it's worked without drama since 2007, although there's now only one such
login user (apart from me :) remaining in our little club.

Horses for courses; sshguard is surely a useful approach for hosts with more
users, where maintaining my ad-hoc solution would be more arduous.

cheers, Ian
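The "check mail, get admitted to table(22), expire later" scheme Ian describes above, written up as an added shell example that is not Ian's script and not from the thread; the pop.log line format, the user names and ISP prefixes, the `ipfw table N list` output format and the 24-hour expiry are all assumptions made for the example.

```shell
# Added example, not Ian's script. Emits ipfw table commands to admit the
# source address of users who have just checked mail, and to expire old ones.
# The pop.log format and 'ipfw table N list' format are ASSUMED; adjust.
TABLE=${TABLE:-22}          # ipfw table referenced by the sshd allow rule
MAX_AGE=${MAX_AGE:-86400}   # seconds an entry stays admitted (assumed)
# Allowed "knock" users (assumed names) and the prefix their ISP hands out.
ALLOWED='alice:203.0.113.
bob:198.51.100.'
# Constructed sample pop.log (format assumed).
SAMPLE_LOG='Oct  1 18:02:11 sola popd[1234]: login: user=alice host=203.0.113.45
Oct  1 18:03:40 sola popd[1235]: failed login: user=alice host=192.0.2.9
Oct  1 18:05:02 sola popd[1236]: login: user=mallory host=203.0.113.46
Oct  1 18:06:55 sola popd[1237]: login: user=bob host=192.0.2.77
Oct  1 18:07:10 sola popd[1238]: login: user=bob host=198.51.100.8'

# knock_addrs: read log lines on stdin, print the source IP of each successful
# login by an allowed user that came from that user's nominated ISP range.
knock_addrs() {
    grep ' login: user=' | grep -v 'failed login' | while read -r line; do
        user=${line##*user=}; user=${user%% *}
        host=${line##*host=}; host=${host%% *}
        echo "$ALLOWED" | while IFS=: read -r u prefix; do
            [ "$u" = "$user" ] || continue
            case "$host" in "$prefix"*) echo "$host" ;; esac
        done
    done
}

# table_cmds: one ipfw add per address, storing the epoch time as the table
# value so a later sweep knows when each address was admitted.
table_cmds() {
    now=${NOW:-$(date +%s)}
    knock_addrs | sort -u | while read -r ip; do
        echo "ipfw table $TABLE add $ip $now"
    done
}

# expire_cmds: read "addr/mask value" lines (assumed 'ipfw table N list'
# output) on stdin; emit a delete for every entry older than MAX_AGE.
expire_cmds() {
    now=${NOW:-$(date +%s)}
    while read -r addr stamp; do
        if [ $((now - stamp)) -gt "$MAX_AGE" ]; then
            echo "ipfw table $TABLE delete $addr"
        fi
    done
}
# Dry run: print the commands rather than executing them (pipe to sh to apply).
echo "$SAMPLE_LOG" | table_cmds
```

Only logins that are both successful and from the user's nominated prefix are admitted, so a stolen password used from elsewhere does not open port 22.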