Date: Fri, 5 Mar 2010 11:09:22 -0800 (PST) From: Dino Vliet <dino_vliet@yahoo.com> To: john@starfire.mn.org Cc: freebsd-questions@freebsd.org Subject: Re: Thousands of ssh probes Message-ID: <359839.89221.qm@web51101.mail.re2.yahoo.com>
Thousands of ssh probes
Friday, March 5, 2010 1:54 PM
From: "John" <john@starfire.mn.org>
To: freebsd-questions@freebsd.org

> My nightly security logs have thousands upon thousands of ssh probes in them. One day, over 6500. This is enough that I can actually "feel" it in my network performance.
>
> Other than changing ssh to a non-standard port, is there a way to deal with these? Every day, they originate from several different IP addresses, so I can't just put in a static firewall rule.
>
> Is there a way to get ssh to quit responding to a port, or a way to generate a dynamic pf rule in cases like this?
>
> --
> John Lind
> john@starfire.MN.ORG

*************************************************************************************************

Hi John,

I'm using pf as a firewall on FreeBSD. I used this handy website:

http://www.bgnett.no/~peter/pf/en/bruteforce.html

and especially this part:

  max-src-conn is the number of simultaneous connections you allow from one host. In this example, I've set it at 100; in your setup you may want a slightly higher or lower value.

  max-src-conn-rate is the rate of new connections allowed from any single host, here 15 connections per 5 seconds. Again, you are the one to judge what suits your setup.

I then looked at ssh itself. Key-based authentication only is what I'm allowing on my network now, and I have put the AllowUsers directive in my sshd_config.

At the moment I'm so paranoid that I'm reading the Mandatory Access Control part of the handbook as well.

Good luck,
Dino
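An added example (not part of either message above) of what the max-src-conn / max-src-conn-rate approach Dino describes looks like as a complete pf.conf fragment. The interface name, table name and thresholds are assumptions; the 100 / 15-per-5-seconds values are the ones quoted from the linked page.

```pf
# Added example, not from the original thread. Interface name, table name
# and thresholds are assumptions; adjust them to your link and traffic.
ext_if = "em0"

# Sources that trip the connection limits are collected here. "persist"
# keeps the table around even while it is empty.
table <bruteforce> persist

# Drop everything from overloaded sources. "quick" stops rule evaluation,
# so this must sit before the pass rule below.
block drop in quick on $ext_if from <bruteforce>

# Let SSH in, but if one source holds more than 100 concurrent connections,
# or opens more than 15 new ones within 5 seconds, add it to <bruteforce>
# and tear down its existing states ("flush global") so an attacker that
# has already connected is cut off as well.
pass in on $ext_if proto tcp to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, \
     overload <bruteforce> flush global)
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and inspect who has been caught with `pfctl -t bruteforce -T show`. Entries never leave the table on their own; age them out from cron with `pfctl -t bruteforce -T expire 86400` (or a tool such as expiretable), otherwise a dynamic address that was once abused stays blocked forever. Note what the rule measures: TCP connection attempts per source, not failed logins. A scanner that paces itself under 15 connections per 5 seconds never trips it, which is why Dino's second step (key-only authentication and AllowUsers in sshd_config) matters as much as the firewall rule.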
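An added example (not from the original thread) of the sshd_config settings Dino mentions: key-based authentication only, plus AllowUsers. The user names are assumptions.

```sshd_config
# Added example, not from the original thread. User names are assumptions.

# Accept only public-key authentication. Both password and
# challenge-response (keyboard-interactive) must be off, or a probe can
# still be offered a password prompt through the second method.
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no

# Root never logs in directly; use a named account and su/sudo.
PermitRootLogin no

# Only these accounts may authenticate at all; everyone else is refused
# before any credential is examined.
AllowUsers john dino
```

Run `sshd -t` to check the file for errors, then reload sshd. Keep the existing session open while testing a fresh login from a second terminal, so a mistake in AllowUsers or a missing authorized_keys entry does not lock you out of the host.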
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?359839.89221.qm>