Date:      Tue, 30 Sep 2008 06:44:36 +0100
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        Jeremy Chadwick <koitsu@freebsd.org>
Cc:        freebsd-hackers@freebsd.org, Rich Healey <healey.rich@gmail.com>
Subject:   Re: SSH Brute Force attempts
Message-ID:  <48E1BCC4.60207@infracaninophile.co.uk>
In-Reply-To: <20080930033033.GA35849@icarus.home.lan>
References:  <48E16E93.3090601@gmail.com> <20080930033033.GA35849@icarus.home.lan>


Jeremy Chadwick wrote:

> You naturally have to keep pf.conf.ssh-* in sync if you have multiple
> machines.  You can use pfsync(4) to accomplish this task (I think), or
> you can do it the obvious way (make a central distribution box that
> scp/rsync's the files out and runs "/etc/rc.d/pf reload").

pfsync synchronises the dynamic state sessions between machines -- i.e.
basically what you see by doing 'pfctl -ss'.  It doesn't, as far as I
know, synchronise table contents even if the table changes are themselves
dynamically generated in response to traffic.  rsync is your friend
here.

As for blocking based on geographical source of IPs -- I see where
you're coming from, but you've missed out one of the largest
territories that is the source of this sort of thing, namely the
USA.

The best strategy IMHO is to foil the automated password guessers
by not using passwords.  SSH key based auth works nicely, is easy to
set up and use and is unfeasible to break by trial and error across a
remote network connection.  Using firewall blocking on top of this
is still useful (to reduce the noise in the log files and stop system
resources being sucked up by SSH's crypto requirements) but it shouldn't
be a necessity.

	Cheers,

	Matthew

--
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
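
Added example, not part of the original message: a small audit of sshd_config text that reports any password-style login still offered alongside keys, which is the condition the key-only strategy above depends on. The names `parse` and `audit` and the sample input are constructed here, and upstream OpenSSH defaults are assumed where a keyword is absent.

```python
import re
# Assumption: upstream OpenSSH defaults apply when a keyword is absent.
DEFAULTS = {"passwordauthentication": "yes", "pubkeyauthentication": "yes",
            "kbdinteractiveauthentication": "yes"}
# ChallengeResponseAuthentication is the older name for the same switch.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
PASSWORD_LIKE = ("passwordauthentication", "kbdinteractiveauthentication")

# Constructed sample input, not taken from the message above.
SAMPLE = """\
PasswordAuthentication no
ChallengeResponseAuthentication yes  # can still prompt for a password
PasswordAuthentication yes           # ignored: sshd keeps the first value
Match Address 192.0.2.0/24
    PasswordAuthentication yes
"""

def parse(text):
    """Return (global settings, [(match criteria, settings), ...])."""
    global_cfg, matches = {}, []
    current = global_cfg
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # keyword and argument are separated by whitespace or a single '='
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if key == "match":            # everything after this is conditional
            current = {}
            matches.append((value, current))
        else:                         # first occurrence of a keyword wins
            current.setdefault(key, value.lower())
    return global_cfg, matches

def audit(text):
    """Return findings; an empty list means only key-based login is offered."""
    global_cfg, matches = parse(text)
    effective = {**DEFAULTS, **global_cfg}
    findings = [f"global: {k} is {effective[k]}"
                for k in PASSWORD_LIKE if effective[k] != "no"]
    if effective["pubkeyauthentication"] != "yes":
        findings.append("global: pubkeyauthentication is not enabled")
    for criteria, cfg in matches:
        findings += [f"Match {criteria}: {k} is {cfg[k]}"
                     for k in PASSWORD_LIKE if cfg.get(k, "no") != "no"]
    return findings
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative check; this parser is for reviewing a file offline.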

