From owner-freebsd-questions@FreeBSD.ORG Fri Jan 1 17:08:35 2010
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 4BBD31065670 for ; Fri, 1 Jan 2010 17:08:35 +0000 (UTC) (envelope-from vince@unsane.co.uk)
Received: from unsane.co.uk (unsane-pt.tunnel.tserv5.lon1.ipv6.he.net [IPv6:2001:470:1f08:110::2]) by mx1.freebsd.org (Postfix) with ESMTP id 813078FC18 for ; Fri, 1 Jan 2010 17:08:34 +0000 (UTC)
Received: from vhoffman-macbook.local ([10.0.0.173]) (authenticated bits=0) by unsane.co.uk (8.14.3/8.14.3) with ESMTP id o01H9qn1037652 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 1 Jan 2010 17:09:52 GMT (envelope-from vince@unsane.co.uk)
Message-ID: <4B3E2C0F.4060408@unsane.co.uk>
Date: Fri, 01 Jan 2010 17:08:31 +0000
From: Vincent Hoffman
User-Agent: Thunderbird 2.0.0.23 (Macintosh/20090812)
MIME-Version: 1.0
To: David Rawling
References: <4B3E0D11.1080101@pdconsec.net> <4B3E0FBD.2010605@sbcglobal.net> <4B3E1295.9050902@pdconsec.net>
In-Reply-To: <4B3E1295.9050902@pdconsec.net>
X-Enigmail-Version: 0.96.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: "freebsd-questions@FreeBSD. ORG"
Subject: Re: Blocking a slow-burning SSH bruteforce
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 01 Jan 2010 17:08:35 -0000

David Rawling wrote:
> On 2/01/2010 2:07 AM, J.D. Bronson wrote:
>> Few options I can think of in random order... I use #1:
>>
>> 1. Run SSH on an obscure port. Seriously, that's one of the easiest
>> things to do. Since I have done that, I have had ZERO attempts and it
>> works perfectly as long as users know the odd port. In fact, I don't
>> know anyone in our IT circle of friends that runs SSH on port 22.
>>
>> 2. Consider controlling/limiting access via 'pf' if you're running 'pf'.
>>
>> Of course with your examples coming from all different IPs, that's not
>> likely gonna help much.
>>
>> 3. Just ignore it - they aren't getting in... similar to spammers
>> being rejected by RBLs... it's traffic, but can't be a whole lot.
>>
>> 4. Limit login time window too... I run a very narrow window of time
>> to login and a LOW number of attempted logins per session.
>
> Darn.
>
> 1 is out because 22 is the one port that most organisations (including
> mine) allow out of their networks for administering routers.
>
> 2 is unfortunately not an option (as a consultant I do work from many
> networks)
>
> 4 - again I might have to log in any time ...
>
> 3 seems the best approach.
>
> Thanks for your thoughts, it's good to get second opinions.

A final option is something like port knocking (http://www.portknocking.org/):
basically a daemon that checks if a specific packet/sequence has been
blocked by the firewall and opens a port if the conditions are met. I
haven't actually tried it and it sounds a bit fiddly to be honest, but it
should work, and there's security/knock in ports if you want to try it.

Vince

>
> Dave.
>
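The port-knocking idea from Vince's reply, worked through as an added example (this is not code from portknocking.org, from the security/knock port, or from anyone in the thread). The firewall keeps port 22 closed; a daemon watches the firewall's log of blocked packets and, when one source hits a secret sequence of closed ports in order within a short window, opens the protected port for that source for a limited time. The knock sequence, the timing constants and the log format are all assumptions made for the example; the "timestamp src dport" records are a constructed stand-in for a pflog/tcpdump line, not the real format, and the point where a real daemon would edit a pf table or rule is replaced by a recorded action so the whole thing runs offline.

```python
"""Port-knock state machine over a log of blocked packets (added example,
not from the thread or from the security/knock port).

Assumptions (not from the original post): the secret sequence below, a
10-second window to finish it, a 30-second open period, and a constructed
'timestamp src dport' event format standing in for real pflog output.
"""
from dataclasses import dataclass

# Assumed secret sequence. Deliberately not ascending: an in-order port
# sweep would walk through an ascending sequence, and the strict reset on
# out-of-order knocks below then makes the sweep fail instead.
KNOCK_SEQUENCE = (7000, 9000, 8000)
KNOCK_WINDOW = 10.0      # seconds allowed to complete the whole sequence
OPEN_FOR = 30.0          # seconds the protected port stays open afterwards
PROTECTED_PORT = 22      # what the firewall would open for a successful knocker


@dataclass
class Progress:
    idx: int          # index of the next port expected from this source
    started: float    # timestamp of the first knock of the current attempt


class KnockDaemon:
    def __init__(self, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW,
                 open_for=OPEN_FOR):
        self.sequence = tuple(sequence)
        self.window = window
        self.open_for = open_for
        self.progress = {}    # src -> Progress for a knock in flight
        self.allowed = {}     # src -> timestamp at which its access expires
        # ("open"|"close", src, ts): where a real daemon would change pf state
        self.actions = []

    def _expire(self, now):
        """Revoke access whose open period has ended (a real daemon would
        do this on a timer; here it runs on every observation)."""
        for src, until in list(self.allowed.items()):
            if until <= now:
                del self.allowed[src]
                self.actions.append(("close", src, until))

    def is_allowed(self, src, now):
        self._expire(now)
        return src in self.allowed

    def observe(self, ts, src, dport):
        """Feed one blocked-packet event. Returns "open" when it completes
        the sequence for src, otherwise None."""
        self._expire(ts)
        if dport not in self.sequence:
            return None                        # noise on some other closed port
        st = self.progress.get(src)
        if st is not None and ts - st.started > self.window:
            st = None                          # too slow: attempt discarded
        expected = self.sequence[st.idx if st else 0]
        if dport == expected:
            if st is None:
                st = Progress(idx=0, started=ts)
            st.idx += 1
            self.progress[src] = st
            if st.idx == len(self.sequence):
                del self.progress[src]
                self.allowed[src] = ts + self.open_for
                self.actions.append(("open", src, ts))
                return "open"
            return None
        # Out-of-order knock: throw the attempt away. If the stray knock was
        # the first port of the sequence, count it as a fresh start instead.
        self.progress.pop(src, None)
        if dport == self.sequence[0]:
            self.progress[src] = Progress(idx=1, started=ts)
        return None


def parse_event(line):
    """Parse a constructed 'timestamp src dport' record (not real pflog)."""
    ts, src, dport = line.split()
    return float(ts), src, int(dport)


def run_log(text, **kw):
    """Replay a whole constructed log through a fresh daemon and return it."""
    d = KnockDaemon(**kw)
    for line in text.splitlines():
        if line.strip():
            d.observe(*parse_event(line))
    return d


# Constructed sample: one correct knock, one ascending port sweep that hits
# all three knock ports in the wrong order, and one attempt that is too slow.
SAMPLE_LOG = """\
1000.0 203.0.113.5 7000
1001.0 203.0.113.5 9000
1002.0 203.0.113.5 8000
1050.0 198.51.100.9 7000
1051.0 198.51.100.9 8000
1052.0 198.51.100.9 9000
1100.0 192.0.2.77 7000
1120.0 192.0.2.77 9000
1121.0 192.0.2.77 8000
"""

if __name__ == "__main__":
    for action in run_log(SAMPLE_LOG).actions:
        print(*action)
```

Only 203.0.113.5 gets port 22 opened, and only for 30 seconds; the sweep from 198.51.100.9 is defeated by the reset on the out-of-order knock, and 192.0.2.77 runs out the window. The two things a practitioner needs to get right are visible here: the sequence must not be something a scanner produces by accident, and access must expire on its own rather than stay open until someone remembers to close it. Note also that the daemon sees only what the firewall logs as blocked, so the sshd login limits discussed earlier in the thread still apply once the port is open.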