Date: Fri, 01 Jan 2010 17:08:31 +0000 From: Vincent Hoffman <vince@unsane.co.uk> To: David Rawling <djr@pdconsec.net> Cc: "freebsd-questions@FreeBSD. ORG" <freebsd-questions@freebsd.org> Subject: Re: Blocking a slow-burning SSH bruteforce Message-ID: <4B3E2C0F.4060408@unsane.co.uk> In-Reply-To: <4B3E1295.9050902@pdconsec.net> References: <4B3E0D11.1080101@pdconsec.net> <4B3E0FBD.2010605@sbcglobal.net> <4B3E1295.9050902@pdconsec.net>
next in thread | previous in thread | raw e-mail | index | archive | help
David Rawling wrote: > On 2/01/2010 2:07 AM, J.D. Bronson wrote: >> Few options I can think of in random order...I use #1: >> >> 1. Run SSH on an obscure port. Seriously, thats one of the easiest >> things to do. Since I have done that, I have had ZERO attempts and it >> works perfectly as long as users know the odd port. In fact, I dont >> know anyone in our IT circle of friends that runs SSH on port 22. >> >> 2. Consider controlling/limiting access via 'pf' if your running 'pf'. >> >> Of course with your examples coming from all different IPs, thats not >> likely gonna help much. >> >> 3. Just ignore it - they aren't getting in...similar to spammers >> being rejected by RBLs....its traffic, but cant be a whole lot. >> >> 4. Limit login time window too...I run a very narrow window of time >> to login and a LOW number of attempted logins per session. > > Darn. > > 1 is out because 22 is the one port that most organisations (including > mine) allow out of their networks for administering routers. > > 2 is unfortunately not an option (as a consultant I do work from many > networks) > > 4 - again I might have to log in any time ... > > 3 seems the best approach. > > Thanks for your thoughts, it's good to get second opinions. A final option is something like port knocking. (http://www.portknocking.org/) basicly a demon that checks if a specific packet/sequence has been blocked by the firewall and opens a port if the conditions are met. I havent actually tried it and it sounds a bit fiddely to be honest but it should work and theres security/knock in ports if you want to try it. Vince > > Dave. >
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4B3E2C0F.4060408>