Date:      Tue, 4 May 2010 12:16:04 +0100
From:      Daniel Bye <freebsd-questions@slightlystrange.org>
To:        freebsd-questions@freebsd.org
Subject:   Re: pf suggestions for paced attack
Message-ID:  <20100504111604.GD33120@catflap.slightlystrange.org>
In-Reply-To: <20100503163933.GA15599@elwood.starfire.mn.org>
References:  <20100503144110.GA14402@elwood.starfire.mn.org> <4BDEF9E4.9020806@infracaninophile.co.uk> <20100503163933.GA15599@elwood.starfire.mn.org>


On Mon, May 03, 2010 at 11:39:33AM -0500, John wrote:
> Hi, Matthew.  Indeed, yes, you may not recall, but my rules are
> based on a set that I originally got from you, and I do, in fact,
> have a white list, which I should have mentioned, but some of my
> users are "road warriors" and could be coming from virtually anywhere.
> You're right, though - it's time to look into alternatives to
> password-based authentication.  I think I've taken password-based
> protection and rate adaptive rules to their logical limit.

Depending on the platforms these people use, you might find OpenVPN
useful. It has some excellent features for protecting against the sort
of attack you are seeing, if you use the default UDP transport. The
setup is really quite simple, and it runs on *BSD, Linux, Mac OS X and
Windows (probably others, but I've never needed to use it anywhere but
the 4 listed). You can then allow users on the VPN to access ssh, along
with the whitelisted addresses already in your pf tables. I've been
using this setup for a while, and am very happy with it.

Dan

-- 
Daniel Bye
                                                                     _
                                              ASCII ribbon campaign ( )
                                         - against HTML, vCards and  X
                                - proprietary attachments in e-mail / \

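The layout Daniel describes (OpenVPN on its default UDP port as the only open door for road warriors, ssh reachable from the tunnel and from the existing pf whitelist table), written out as a pf.conf fragment. This is an added example and not a ruleset from anyone in the thread; the interface names, the VPN client subnet, the whitelist file path, the table names and the rate-limit numbers are all assumptions to be replaced with your own values.

```pf
# Added example, not from the thread. Macros: assumed interface names
# and OpenVPN client subnet.
ext_if  = "em0"          # assumed public interface
vpn_if  = "tun0"         # assumed OpenVPN tunnel interface
vpn_net = "10.8.0.0/24"  # assumed OpenVPN client subnet

# Static whitelist kept in a file (assumed path) so it survives reloads,
# plus the overload table that the rate-adaptive rules fill at runtime.
table <ssh_whitelist> persist file "/etc/pf/ssh_whitelist"
table <bruteforce>    persist

set skip on lo0

# Default deny inbound on the public interface; later pass rules win.
block in log on $ext_if all

# Sources already caught brute-forcing get nothing, whatever the service.
block in quick on $ext_if from <bruteforce>

# OpenVPN on its default UDP port is the only unauthenticated service
# exposed to the whole Internet. OpenVPN itself decides what to answer.
pass in on $ext_if proto udp from any to ($ext_if) port 1194 keep state

# ssh straight from the Internet only for whitelisted addresses, still
# rate-limited: more than 5 new connections in 30 s from one source
# moves it into <bruteforce> and kills its existing states.
pass in on $ext_if proto tcp from <ssh_whitelist> to ($ext_if) port 22 \
    flags S/SA keep state \
    (max-src-conn-rate 5/30, overload <bruteforce> flush global)

# Everyone else reaches ssh only after they are on the VPN.
pass in on $vpn_if proto tcp from $vpn_net to ($vpn_if) port 22 \
    flags S/SA keep state

pass out on $ext_if all keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and inspect the tables with `pfctl -t ssh_whitelist -T show` and `pfctl -t bruteforce -T show`. On the OpenVPN side, the feature that keeps the UDP port quiet to scanners is `tls-auth` (the message does not name it; this is my reading of the "excellent features" it refers to): with a shared HMAC key configured on both ends, the server silently drops every packet that does not carry a valid HMAC, so an attacker who does not hold that key gets no handshake and no response to pace an attack against.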



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20100504111604.GD33120>