From owner-freebsd-questions@FreeBSD.ORG Fri Jan 1 15:20:19 2010
From: David Rawling <djr@pdconsec.net>
To: freebsd-questions@FreeBSD.ORG
Date: Sat, 02 Jan 2010 02:19:49 +1100
Subject: Re: Blocking a slow-burning SSH bruteforce
Message-ID: <4B3E1295.9050902@pdconsec.net>
In-Reply-To: <4B3E0FBD.2010605@sbcglobal.net>
References: <4B3E0D11.1080101@pdconsec.net> <4B3E0FBD.2010605@sbcglobal.net>

On 2/01/2010 2:07 AM, J.D. Bronson wrote:
> A few options I can think of, in random order... I use #1:
>
> 1. Run SSH on an obscure port. Seriously, that's one of the easiest
> things to do. Since I have done that, I have had ZERO attempts and it
> works perfectly as long as users know the odd port. In fact, I don't
> know anyone in our IT circle of friends that runs SSH on port 22.
>
> 2. Consider controlling/limiting access via 'pf' if you're running 'pf'.
>
> Of course with your examples coming from all different IPs, that's not
> likely gonna help much.
>
> 3. Just ignore it - they aren't getting in... similar to spammers being
> rejected by RBLs... it's traffic, but can't be a whole lot.
>
> 4. Limit login time window too... I run a very narrow window of time to
> login and a LOW number of attempted logins per session.

Darn.

1 is out because 22 is the one port that most organisations (including mine) allow out of their networks for administering routers.

2 is unfortunately not an option (as a consultant I do work from many networks).

4 - again I might have to log in any time ...

3 seems the best approach.

Thanks for your thoughts, it's good to get second opinions.

Dave.

-- 
David Rawling
PD Consulting And Security
Mob: +61 412 135 513
Email: djr@pdconsec.net
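The reason option 2 fails against the attack described in the thread is that per-source blocking (pf rate limits, sshguard-style jails) keys on the attacker's IP, while a slow attack spread over many addresses never trips a per-IP threshold. The script below is an added example, not code from the thread or from either poster: it aggregates sshd "Failed password" lines both per source IP and per target username across all sources, so the distributed pattern shows up where the per-IP view is blank. It assumes the syslog line format FreeBSD's sshd writes to /var/log/auth.log; the log lines, hostnames, addresses (TEST-NET ranges) and thresholds are constructed for the demonstration.

```python
"""Spot a slow, distributed SSH brute force in sshd log lines.

Added example; not from the FreeBSD thread. Failed logins are counted
two ways: per source IP (what pf / sshguard-style blocking keys on)
and per target username across every source. A slow attack from many
addresses stays under the per-IP limit while the per-user total grows.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the two common sshd failure messages (assumed syslog layout):
#   Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
#   Failed password for root from 198.51.100.7 port 40002 ssh2
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+ ssh2$"
)

# Constructed sample log: twelve single attempts against root, each from a
# different address, four minutes apart, plus one genuine typo by "dave"
# and two lines the analyser should ignore.
SAMPLE_LOG = [
    f"Jan  1 14:{4 * i:02d}:17 gw sshd[{2300 + i}]: Failed password for root "
    f"from 203.0.113.{i + 1} port {40000 + i} ssh2"
    for i in range(12)
] + [
    "Jan  1 14:30:02 gw sshd[2390]: Failed password for dave from 192.0.2.10 port 51022 ssh2",
    "Jan  1 14:30:09 gw sshd[2390]: Accepted publickey for dave from 192.0.2.10 port 51022 ssh2",
    "Jan  1 14:31:40 gw sshd[2401]: Invalid user admin from 203.0.113.50",
]


def parse_failures(lines, year=2010):
    """Yield (timestamp, user, src) for each failed-password line.

    syslog lines carry no year, so the caller supplies it.
    """
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["src"]


def max_in_window(times, window):
    """Largest number of events that fall inside any span of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyse(lines, window=timedelta(hours=1), per_ip_limit=5, per_user_limit=10):
    """Compare the per-IP view (what a firewall jail sees) with the per-user view.

    Returns the IPs a per-source jail would have blocked, the peak per-IP
    failure count, and the usernames whose failures from all sources
    combined exceed per_user_limit, with the number of distinct sources.
    """
    by_ip = defaultdict(list)
    by_user = defaultdict(list)
    sources = defaultdict(set)
    for ts, user, src in parse_failures(lines):
        by_ip[src].append(ts)
        by_user[user].append(ts)
        sources[user].add(src)

    ip_peaks = {ip: max_in_window(ts, window) for ip, ts in by_ip.items()}
    blocked = {ip for ip, peak in ip_peaks.items() if peak >= per_ip_limit}
    targeted = {
        user: len(sources[user])
        for user, ts in by_user.items()
        if max_in_window(ts, window) >= per_user_limit
    }
    return {
        "blocked_ips": blocked,
        "per_ip_peak": max(ip_peaks.values(), default=0),
        "targeted_users": targeted,
    }


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    print("per-IP jail would block:", sorted(result["blocked_ips"]) or "nothing")
    print("peak failures from any one IP:", result["per_ip_peak"])
    for user, n in result["targeted_users"].items():
        print(f"user {user!r} hit from {n} distinct sources inside the window")
```

On the sample data the per-IP jail blocks nothing (every address fails exactly once), while the per-user view reports root hit twelve times from twelve addresses inside the hour. That is the signal to alert on when the decision is "ignore it": it tells you whether the password guessing is still noise or has started to concentrate on an account that actually exists.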