Date: Mon, 15 May 2006 11:07:36 -0500
From: "Bill Marquette" <bill.marquette@gmail.com>
To: "GreenX FreeBSD" <freebsd@azimut-tour.ru>
Cc: freebsd-pf@freebsd.org
Subject: Re: promt solution with max-src-conn-rate
Message-ID: <55e8a96c0605150907k49af4454t5d0431ea036e11bc@mail.gmail.com>
In-Reply-To: <446873D3.7090703@azimut-tour.ru>
References: <44680266.2090007@azimut-tour.ru> <fee88ee40605142226i6b1e07c4h9625117e5d5e3bbe@mail.gmail.com> <446873D3.7090703@azimut-tour.ru>
On 5/15/06, GreenX FreeBSD <freebsd@azimut-tour.ru> wrote:
> > I'd advise against what you're trying to do. It won't make your box
> > more secure.
> Why?
> Simply because you will no longer be able to get in on ssh.
> If I am not mistaken, the probability that the scanner will begin its
> check with the "key" port and then immediately check sshd is
> 1 / (0xFFFF*0xFFFE).
> If he does not do this, he can be caught by max-src-conn-rate on the
> public services, and have a forward set up for him from all ports to
> ssh on localhost.

And you always connect from a trusted network? Presumably the answer to
this is no, else you'd just put rules in to allow the trusted network to
connect. Port-knocking is security through obscurity at its best and at
a minimum is wide open to replay attacks. If the concern is simply that
you don't want someone brute forcing an account, force the use of SSH
authorized keys. Run a script watching the logs for anyone failing
logins and add those addresses to a block list.

--Bill
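Bill's closing suggestion, a script that watches the logs for failed logins and feeds the offending addresses into a block list, as an added example that is not part of the original thread or of pf itself. It is a POSIX sh script that counts sshd "Failed password" lines per source address and prints the addresses at or above a threshold, together with the pfctl commands that would add them to a pf table. The log lines are constructed for the example; the table name "bruteforce" and the threshold of 3 are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: turn sshd authentication failures
# into a block list for a pf table.
# The log lines below are constructed; 198.51.100.7 has one failure and an
# accepted key login, so it must not be blocked.
SAMPLE_LOG='May 15 10:01:02 gw sshd[1234]: Failed password for root from 203.0.113.5 port 40122 ssh2
May 15 10:01:04 gw sshd[1234]: Failed password for root from 203.0.113.5 port 40123 ssh2
May 15 10:01:06 gw sshd[1236]: Failed password for invalid user admin from 203.0.113.5 port 40125 ssh2
May 15 10:02:10 gw sshd[1240]: Accepted publickey for bill from 198.51.100.7 port 51000 ssh2
May 15 10:03:00 gw sshd[1241]: Failed password for bill from 198.51.100.7 port 51002 ssh2
May 15 10:04:00 gw sshd[1250]: Invalid user test from 192.0.2.9 port 3333
May 15 10:04:01 gw sshd[1250]: Failed password for invalid user test from 192.0.2.9 port 3333 ssh2
May 15 10:04:02 gw sshd[1251]: Failed password for invalid user oracle from 192.0.2.9 port 3334 ssh2
May 15 10:04:03 gw sshd[1252]: Failed password for invalid user oracle from 192.0.2.9 port 3335 ssh2'

# offenders THRESHOLD  (log lines on stdin)
# Prints "address count", sorted, for every source address with at least
# THRESHOLD "Failed password" lines. Only that message is counted, so the
# separate "Invalid user" line does not double-count the same attempt.
offenders() {
  awk -v t="$1" '
    /sshd\[[0-9]+\]: Failed password for/ {
      # the source address is the field after the word "from"
      for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i + 1)]++; break }
    }
    END { for (a in fails) if (fails[a] >= t) print a, fails[a] }
  ' | sort
}

# block_cmds THRESHOLD TABLE  (log lines on stdin)
# Emits the pfctl command per offender; pipe into sh to apply it (assumes the
# table is declared in pf.conf and referenced by a block rule).
block_cmds() {
  offenders "$1" | while read -r addr count; do
    printf 'pfctl -t %s -T add %s\n' "$2" "$addr"
  done
}

main() {
  printf '%s\n' "$SAMPLE_LOG" | offenders 3
  printf '%s\n' "$SAMPLE_LOG" | block_cmds 3 bruteforce
}

main
```

For the printed commands to have any effect, pf.conf needs a persistent table (`table <bruteforce> persist`) and a rule that blocks traffic from it. The same result can be had without a log-watching script: pf's own `max-src-conn-rate` with an `overload <table>` option, the feature this thread is about, adds addresses to the table directly from the state tracker, which is the appropriate answer to connection floods; the log-based approach is what catches many slow, completed-but-failed logins from one address.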