Date: Fri, 05 Mar 2010 21:58:57 -0600
From: Tim Daneliuk <tundra@tundraware.com>
To: FreeBSD Mailing List <freebsd-questions@freebsd.org>
Subject: Re: Thousands of ssh probes
Message-ID: <4B91D301.9060606@tundraware.com>
In-Reply-To: <4B91B36D.1020507@locolomo.org>
References: <20100305125446.GA14774@elwood.starfire.mn.org> <4B91B36D.1020507@locolomo.org>

On 3/5/2010 7:44 PM, Erik Norgaard wrote:
> On 05/03/10 13:54, John wrote:
>> My nightly security logs have thousands upon thousands of ssh probes
>> in them. One day, over 6500. This is enough that I can actually
>> "feel" it in my network performance. Other than changing ssh to
>> a non-standard port - is there a way to deal with these? Every
>> day, they originate from several different IP addresses, so I can't
>> just put in a static firewall rule. Is there a way to get ssh
>> to quit responding to a port or a way to generate a dynamic pf
>> rule in cases like this?
>
> This is a frequent question on the list, search the archives. Basically
> there are few things that you can do:
>
> 1. limit the access to a range of IPs, for example, even if you travel a
> lot you go to a limited number of countries, why permit access from
> other continents?
>
> 2. limit access to certain users, there is no need to allow games or
> root user to authenticate via ssh. Use AllowUsers or AllowGroups to
> restrict access to real users.
>
> 3. limit the amount of concurrent non-authenticated connections, number
> of failed attempts and similar.
>
> 4. prohibit password authentication.
>
> If the problem is that these attacks consume significant bandwidth then
> moving your service to a different port may be a good solution, but if
> your concern is security, then the above is more effective.
>
> BR, Erik
>

I solved this problem a slightly different way with dynamic TCP wrapper
control:

http://www.tundraware.com/Software/tperimeter/

--
----------------------------------------------------------------------------
Tim Daneliuk     tundra@tundraware.com
PGP Key:         http://www.tundraware.com/PGP/
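
Added example, not part of the original thread and not code from tperimeter: one way to turn the failed-login lines John describes into entries for a pf table, as a sketch of the "dynamic pf rule" he asks about. The table name `sshprobes`, the threshold, the allowlisted address and the log lines are all assumptions constructed for illustration; pf.conf would need a matching `table <sshprobes> persist` and `block in quick from <sshprobes>`.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sshd log lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
Mar  5 03:12:01 host sshd[4101]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Mar  5 03:12:04 host sshd[4103]: Failed password for root from 203.0.113.5 port 40130 ssh2
Mar  5 03:12:09 host sshd[4107]: Failed password for invalid user test from 203.0.113.5 port 40141 ssh2
Mar  5 03:13:30 host sshd[4120]: Failed password for invalid user x from 192.0.2.44 port 1 ssh2 from 198.51.100.9 port 51000 ssh2
Mar  5 09:00:00 host sshd[4300]: Failed password for john from 198.51.100.7 port 50022 ssh2
Mar  5 09:00:10 host sshd[4301]: Failed password for john from 198.51.100.7 port 50023 ssh2
Mar  5 09:00:20 host sshd[4302]: Failed password for john from 198.51.100.7 port 50024 ssh2
Mar  5 09:01:00 host sshd[4310]: Accepted publickey for john from 198.51.100.7 port 50100 ssh2
"""

# The user name is chosen by the client, so match it greedily and take the
# address from the final "from ADDR port N ssh2" that sshd itself appended.
FAILURE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for .* "
    r"from (\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

def parse_failure(line, year=2010):
    """Return (timestamp, source address) for a failed-password line, else None."""
    m = FAILURE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year, so the caller supplies one.
    when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return when, m.group(2)

def offenders(log_text, threshold=3, window=timedelta(seconds=60)):
    """Addresses with at least `threshold` failures inside one sliding window."""
    recent, flagged = defaultdict(deque), set()
    for hit in filter(None, map(parse_failure, log_text.splitlines())):
        when, addr = hit
        q = recent[addr]
        q.append(when)
        while when - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged.add(addr)
    return sorted(flagged)

def pfctl_commands(addresses, table="sshprobes", allowlist=("198.51.100.7",)):
    """pfctl table additions, skipping addresses that must never be locked out."""
    return [f"pfctl -t {table} -T add {a}" for a in addresses if a not in allowlist]

if __name__ == "__main__":
    print("\n".join(pfctl_commands(offenders(SAMPLE_LOG))))
```

The fourth sample line carries a user name crafted to look like a log suffix; the parser attributes it to the connecting address, so a prober cannot get a third party's address blocked.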