Date:      Mon, 25 Oct 2004 21:32:52 +0100
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        FreeBSD Questions <freebsd-questions@FreeBSD.org>
Subject:   Re: moving to 5.3 and need help understanding firewalls
Message-ID:  <20041025203252.GA1356@happy-idiot-talk.infracaninophile.co.uk>
In-Reply-To: <20041025161403.GB57087@keyslapper.org>
References:  <20041025161403.GB57087@keyslapper.org>


On Mon, Oct 25, 2004 at 12:14:03PM -0400, Louis LeBlanc wrote:
> I had thought about this one a bit though, and figured that it would be
> a simple translation to the external network:
> ${fwcmd} add pass log tcp from any to ${ip} 22 setup limit src-addr 4
> But I never put it in because I don't understand exactly what it will
> do.

What that does is limit you to having no more than 4 remote SSH
sessions running concurrently from any particular source address.
This can't stop probing of your port 22, but it might slow it down
some.

Hmmm...  perhaps you might find something more like:

${fwcmd} add pass log tcp from any to ${ip} 22 setup limit dst-port 22

more effective.  That limits you to no more than four incoming SSH
sessions in total.

However, the most effective defense is either to move the port sshd(8)
listens on, or to prevent people logging in using passwords at all --
key based auth is a lot more secure all round, or use one-time
passwords.  See sshd_config(8) (particularly the description of the
ChallengeResponseAuthentication and PasswordAuthentication commands),
ssh-keygen(1), pam_unix(8) and opie(4).

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK

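The password-login hardening the reply recommends, as an added example that is not part of the original message or of FreeBSD/OpenSSH: a POSIX sh audit of an sshd_config that mirrors sshd(8)'s first-value-wins rule and stops reading at the first Match block. The two config texts are constructed for the demo; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the original message or from FreeBSD/OpenSSH:
# audit an sshd_config for the hardening the reply recommends.
# sshd_effective KEYWORD FILE -> prints the effective global value, or nothing.
# Mirrors sshd(8): keywords are case-insensitive, the FIRST value obtained wins,
# and lines after the first "Match" block apply only to matched sessions.
sshd_effective() {
    key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    while read -r kw val _rest; do
        kw=$(printf '%s' "$kw" | tr 'A-Z' 'a-z')
        case "$kw" in
            ''|'#'*) continue ;;                    # blank line or comment
            match)   break ;;                       # end of the global section
            "$key")  printf '%s\n' "$val"; break ;; # first value wins
        esac
    done <"$2"
    return 0
}

# ssh_password_logins_disabled FILE -> 0 when neither password nor
# challenge-response logins are accepted, 1 otherwise.
ssh_password_logins_disabled() {
    pw=$(sshd_effective PasswordAuthentication "$1")
    cr=$(sshd_effective ChallengeResponseAuthentication "$1")
    # OpenSSH defaults both keywords to "yes" when they are not set at all
    if [ "${pw:-yes}" = no ] && [ "${cr:-yes}" = no ]; then return 0; fi
    return 1
}

# Constructed sample configs: a stock-looking one and a hardened one
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
cat >"$WEAK_CFG" <<'EOF'
Port 22
#PasswordAuthentication no      <- commented out, so the default (yes) applies
ChallengeResponseAuthentication yes
EOF
cat >"$HARD_CFG" <<'EOF'
Port 2222                       # moved off 22, as the reply suggests
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
Match User backup
    PasswordAuthentication yes  # per-user exception, not the global setting
EOF

for cfg in "$WEAK_CFG" "$HARD_CFG"; do
    if ssh_password_logins_disabled "$cfg"; then echo "$cfg: OK"
    else echo "$cfg: password logins still possible"; fi
done
```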


