Date:      Mon, 14 Mar 2005 23:17:59 -0800
From:      John Pettitt <jpp@cloudview.com>
To:        Kyle Jensen <kljgroups@gmail.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Cutting down on ssh breakin attempts
Message-ID:  <42368C27.7060702@cloudview.com>
In-Reply-To: <fa357bee0503140504104f3aa4@mail.gmail.com>
References:  <fa357bee0503140504104f3aa4@mail.gmail.com>



Kyle Jensen wrote:

>Hi,
>
>I run a webmail server for a small company, which
>is (of course) running FreeBSD 5-stable.  I get about
>50-100 failed login attempts via ssh on a daily basis.
>
>Occasionally, these show up in my daily security digest
>with messages like:
>
>reverse mapping checking getaddrinfo for h169-210-68-8.a
>dcast.com.tw failed - POSSIBLE BREAKIN ATTEMPT!
>
>But mostly it's stuff like
>
>Illegal user postgres from 210.68.8.169
>
>What's the best way to cut down on these attempts?
>I thought about adding a blacklist to my pf.conf rules
>for the pf firewall.
>
>Any thoughts would be greatly appreciated!
>Kyle
>
Four suggestions:
1) If you know where your valid ssh logins are going to come from, filter
out everything else.
2) If you haven't already done so, switch to public key authentication on
ssh and disable password logins (doesn't stop the attempts, but gives
peace of mind that they are not going to work).
3) Move your sshd to a non-standard port (will stop the scripts and
scanners but won't make any difference to a good blackhat).
4) Implement a port knocking strategy (too much hassle in my view, but YMMV).
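
The following script is an added example for this thread, not code posted by either participant. It puts suggestions 1 to 3 into something checkable: it reads an sshd_config the way sshd does (first occurrence wins, commented-out lines do not count, compiled-in defaults fill the gaps), reports whether password logins are actually closed and whether sshd still listens on the default port, and renders the pf.conf rules that admit ssh only from a list of known source networks. The two sample sshd_config files, the networks 192.0.2.0/24 and 198.51.100.7, the port 2222 and the `$ext_if` macro name are all constructed assumptions; `$ext_if` is taken to be defined earlier in pf.conf. One caveat the script encodes that the reply does not spell out: with `UsePAM yes`, setting `PasswordAuthentication no` alone still leaves keyboard-interactive password prompts open unless `ChallengeResponseAuthentication` is also turned off.

```shell
#!/bin/sh
# Added example for this thread, not code from the original posts.
# Audits an sshd_config against suggestions 2 and 3 (key-only auth,
# non-default port) and renders pf.conf rules for suggestion 1 (admit
# ssh only from known source networks). File contents, networks, the
# port and the $ext_if macro name are constructed assumptions.

# Effective value of an sshd_config keyword: sshd takes the first
# occurrence, keywords are case-insensitive, and a commented-out line
# ("#Port 22") does not count. $3 is the compiled-in default reported
# when the keyword is absent. Match blocks are out of scope here.
sshd_opt() {
    _v=$(awk -v k="$2" 'tolower($1) == tolower(k) { print tolower($2); exit }' "$1")
    printf '%s\n' "${_v:-$3}"
}

# $1 keyword, $2 actual value, $3 wanted value; bumps $fails on mismatch.
_check() {
    if [ "$2" = "$3" ]; then
        echo "ok    $1 = $2"
    else
        echo "FAIL  $1 = $2 (want $3)"
        fails=$((fails + 1))
    fi
}

# Print one line per check; the exit status is the number of checks that
# leave password logins possible, so the function works directly in an if.
# The port check only warns: a non-default port deters scripted scans
# (suggestion 3) but does not close anything.
audit_sshd() {
    fails=0
    _check PasswordAuthentication "$(sshd_opt "$1" PasswordAuthentication yes)" no
    # With UsePAM yes, keyboard-interactive still takes passwords unless
    # ChallengeResponseAuthentication is also off.
    _check ChallengeResponseAuthentication "$(sshd_opt "$1" ChallengeResponseAuthentication yes)" no
    _check PubkeyAuthentication "$(sshd_opt "$1" PubkeyAuthentication yes)" yes
    port=$(sshd_opt "$1" Port 22)
    if [ "$port" = 22 ]; then
        echo "warn  Port = 22 (default; every scanner tries it first)"
    else
        echo "ok    Port = $port"
    fi
    return $fails
}

# Render pf.conf rules for suggestion 1: pass ssh from the listed
# networks to the port sshd really listens on, drop and log the rest.
# Usage: pf_ssh_rules PORT NET [NET...]
pf_ssh_rules() {
    port=$1; shift
    nets=$(printf '%s, ' "$@"); nets=${nets%, }
    cat <<EOF
ssh_port = "$port"
table <ssh_ok> const { $nets }
pass in quick on \$ext_if proto tcp from <ssh_ok> to (\$ext_if) port \$ssh_port keep state
block in log quick on \$ext_if proto tcp to (\$ext_if) port \$ssh_port
EOF
}

# Two constructed sshd_config files: stock defaults, and the reply applied.
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT
cat >"$WEAK_CFG" <<'EOF'
# constructed: shipped defaults, everything left commented out
#Port 22
#PasswordAuthentication yes
#ChallengeResponseAuthentication yes
UsePAM yes
Subsystem sftp /usr/libexec/sftp-server
EOF
cat >"$HARD_CFG" <<'EOF'
# constructed: suggestions 2 and 3 from the reply applied
Port 2222
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
EOF

for cfg in "$WEAK_CFG" "$HARD_CFG"; do
    echo "== $cfg"
    if audit_sshd "$cfg"; then
        echo "-> password logins closed"
    else
        echo "-> password logins still possible"
    fi
done
echo "== pf.conf fragment for the hardened host"
pf_ssh_rules "$(sshd_opt "$HARD_CFG" Port 22)" 192.0.2.0/24 198.51.100.7
```

Run it as-is to see both audits and the generated pf fragment; point `audit_sshd` at a real /etc/ssh/sshd_config to check a live host, and paste the `pf_ssh_rules` output into pf.conf after the `ext_if` macro is defined. The `const` table keeps the allow-list from being changed at runtime with pfctl, which is what you want for a list that is meant to be edited in the file and reloaded.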

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?42368C27.7060702>