From: Richard Jones
To: Bill Moran
Cc: freebsd-security@freebsd.org
Date: Wed, 21 Mar 2007 13:49:05 +0000
Subject: Re: Reality check: IPFW sees SSH traffic that sshd does not?
Message-ID: <20070321134905.GA27188@dogstar.jonze.com>
In-Reply-To: <20070321092724.fd6f1541.wmoran@collaborativefusion.com>

On Wed, Mar 21, 2007 at 09:27:24AM -0400, Bill Moran wrote:
> Not in my opinion. I run a little script I wrote that automatically adds
> failed SSH attempts to a table that blocks them from _everything_ in my
> pf rules. I figure if they're fishing for weak ssh passwords, their next
> likely attack route might be HTTP or SMTP, so why wait. This is on my
> personal server. Here where I work, we're even more strict.

I had a similar setup, but it was quite clunky. Following advice from this
list and others I now firewall port 22 to a few locations (e.g. work), and
also run ssh on a high port. This doesn't necessarily make things any safer,
but has reduced my log noise drastically.

Regards,
Richard Jones
--
http://www.jonze.com
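The kind of script Bill Moran describes (failed SSH logins feeding a pf table that blocks the source from everything), together with the port-22 source restriction Richard mentions, as an added example that is not either poster's own code; the table name, threshold, pf rules and log lines are assumptions.

```shell
#!/bin/sh
# Added example: turn failed SSH logins from auth.log into entries of a pf
# table that blocks the source entirely. Assumed pf.conf (constructed):
#   table <sshbrute> persist
#   block in quick from <sshbrute>
#   pass in on $ext_if proto tcp from { 203.0.113.0/24 } to port 22  # trusted sites only
TABLE="${TABLE:-sshbrute}"   # assumed table name

# Constructed sample of FreeBSD auth.log lines, not a real capture.
SAMPLE_LOG='Mar 21 13:49:01 dogstar sshd[27001]: Invalid user admin from 192.0.2.10
Mar 21 13:49:02 dogstar sshd[27001]: Failed password for invalid user admin from 192.0.2.10 port 41234 ssh2
Mar 21 13:49:05 dogstar sshd[27003]: Failed password for root from 192.0.2.10 port 41240 ssh2
Mar 21 13:49:09 dogstar sshd[27005]: Failed password for root from 198.51.100.7 port 5522 ssh2
Mar 21 13:49:12 dogstar sshd[27007]: Accepted publickey for richard from 203.0.113.5 port 50000 ssh2'

# failed_ssh_sources THRESHOLD: read auth.log on stdin and print every source
# address with at least THRESHOLD failed or invalid-user attempts, sorted.
failed_ssh_sources() {
    awk -v t="$1" '
        /sshd\[[0-9]+\]: (Failed password|Invalid user)/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= t) print ip }' | sort
}

# block_sources: read addresses on stdin and add each to the pf table.
# pfctl is only executed when PFCTL_APPLY=1; otherwise the command is printed.
block_sources() {
    while IFS= read -r ip; do
        case "$ip" in
            *[!0-9.]*|"") continue ;;   # accept only dotted IPv4 addresses
        esac
        if [ "${PFCTL_APPLY:-0}" = 1 ]; then
            pfctl -t "$TABLE" -T add "$ip"
        else
            echo "pfctl -t $TABLE -T add $ip"
        fi
    done
}

# Dry run over the sample: only 192.0.2.10 reaches three attempts.
printf '%s\n' "$SAMPLE_LOG" | failed_ssh_sources 3 | block_sources
```

Run it from cron against the real log with `PFCTL_APPLY=1` once the dry-run output looks right; the `persist` keyword keeps the table alive even when pf.conf references it nowhere else.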