Date: Tue, 30 Sep 2008 06:44:36 +0100 From: Matthew Seaman <m.seaman@infracaninophile.co.uk> To: Jeremy Chadwick <koitsu@freebsd.org> Cc: freebsd-hackers@freebsd.org, Rich Healey <healey.rich@gmail.com> Subject: Re: SSH Brute Force attempts Message-ID: <48E1BCC4.60207@infracaninophile.co.uk> In-Reply-To: <20080930033033.GA35849@icarus.home.lan> References: <48E16E93.3090601@gmail.com> <20080930033033.GA35849@icarus.home.lan>
next in thread | previous in thread | raw e-mail | index | archive | help
This is an OpenPGP/MIME signed message (RFC 2440 and 3156) --------------enigEEEA3B455F6A6CC0E3E3EBE6 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: quoted-printable Jeremy Chadwick wrote: > You naturally have to keep pf.conf.ssh-* in sync if you have multiple > machines. You can use pfsync(4) to accomplish this task (I think), or > you can do it the obvious way (make a central distribution box that > scp/rsync's the files out and runs "/etc/rc.d/pf reload"). pfsync sychronises the dynamic state sessions between machines -- ie. basically what you see by doing 'pfctl -ss' It doesn't as far as I know synchronise table contents even if the table changes are themselves dynamically generated in response to traffic. rsync is your friend here. As for blocking based on geographical source of IPs -- I see where you're coming from, but you've missed out one of the largest territories that is the source of this sort of thing, namely the USA. The best strategy IMHO is to foil the automated password guessers but not using passwords. SSH key based auth works nicely, is easy to setup and use and is unfeasible to break by trial and error across a remote network connection. Using firewall blocking on top of this is still useful (to reduce the noise in the log files and stop system resources being sucked up by SSH's crypto requirements) but it shouldn't be a necessity. Cheers, Matthew --=20 Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard Flat 3 PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate Kent, CT11 9PW --------------enigEEEA3B455F6A6CC0E3E3EBE6 Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.9 (FreeBSD) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEAREIAAYFAkjhvMwACgkQ8Mjk52CukIxwxACeOoNj9nricxxjmuQ/xKGYNg5l Il4An3TycEGLYvhpdl5O/lBZNtfV8HhB =C98i -----END PGP SIGNATURE----- --------------enigEEEA3B455F6A6CC0E3E3EBE6--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?48E1BCC4.60207>