From: Bill Moran <wmoran@potentialtech.com>
To: Christopher Hilton
Cc: User Questions <freebsd-questions@freebsd.org>
Date: Wed, 25 Apr 2007 08:44:54 -0400
Subject: Re: Defending against SSH attacks with pf
Message-Id: <20070425084454.165dd9d3.wmoran@potentialtech.com>
In-Reply-To: <462E7F2A.10202@vindaloo.com>
References: <20070415200255.18e6ab3f.wmoran@potentialtech.com> <20070416184315.GA93730@idoru.cepheid.org> <462E7F2A.10202@vindaloo.com>

In response to Christopher Hilton:

> Erik Osterholm wrote:
> > On Sun, Apr 15, 2007 at 08:02:55PM -0400, Bill Moran wrote:
> >> There was some discussion on this list not too long ago, and someone
> >> asked if I was willing to make my pf config and the associated scripts
> >> I wrote for it public. I would have posted on the original thread,
> >> but I can't find it now.
> >>
> >> Here is the information:
> >> http://www.potentialtech.com/cms/node/16
> >>
>
> First: I'm not sure if the group got to it and I'm posting to a very
> stale thread here, but I've found that the best way to defeat these
> password-scanning ssh bots is to disallow passwords, allowing
> public/private key authentication in their stead. Unfortunately this
> isn't always possible. Bill's method is a very close second.

I'm a big fan of PKI, but PKI suffers from one major problem, and it's
the same flaw that physical keys suffer from: you have to have the key
with you. With a password, I'm always guaranteed to have access. Just
give me any computer that has an SSH client available. With PKI, I'm
hosed if I don't have a copy of my private key on a jump drive or
something.

I'm always torn because of this. I really like the added security of
PKI, but history has taught me that I'll need access at a critical time
when I _don't_ have a key with me. As a result, I've decided to use
password auth on this particular server.

> Second: I love the simplicity of the stateless firewall rules in Bill's
> pf.conf. I may have to look at implementing that here.

I'm not 100% sure, but I believe the disadvantage of the stateless
approach is that pf can't do packet normalization without state. Thus
a scrub statement will have no effect on stateless traffic. Again, in
my case I have enough faith in FreeBSD's TCP stack that I've deemed this
an acceptable risk. If you're using pf to protect a bunch of Windows
servers, you may want to reconsider stateless rules.

-- 
Bill Moran
http://www.potentialtech.com
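The pf config and scripts Bill refers to live at the URL quoted above and are not reproduced in this message. As an added example that is not Bill's script, nor anything posted by the other participants, here is a small POSIX shell script in the same spirit as the "associated scripts" the thread mentions: it reads sshd authentication failures from auth.log-style lines, counts them per source address, and prints the `pfctl` commands that would add repeat offenders to a pf table. The table name `bruteforce`, the threshold of 5 failures, the sample log lines, and the exact sshd message formats matched are all assumptions made for this example.

```shell
#!/bin/sh
# Added example (not Bill Moran's script): count failed sshd password
# attempts per source address and emit pfctl commands for repeat offenders.
# Table name, threshold and the matched log formats are assumptions.

THRESHOLD=${THRESHOLD:-5}      # failures before an address is listed
TABLE=${TABLE:-bruteforce}     # pf table the filter rules must reference

# Constructed sample input in syslog/auth.log style (addresses from the
# RFC 5737 documentation ranges, not real hosts).
SAMPLE_LOG='Apr 25 08:01:02 host sshd[1234]: error: PAM: authentication error for root from 192.0.2.10
Apr 25 08:01:03 host sshd[1234]: error: PAM: authentication error for root from 192.0.2.10
Apr 25 08:01:05 host sshd[1236]: Failed password for invalid user admin from 192.0.2.10 port 40122 ssh2
Apr 25 08:01:06 host sshd[1238]: Failed password for invalid user test from 192.0.2.10 port 40130 ssh2
Apr 25 08:01:08 host sshd[1240]: Failed password for root from 192.0.2.10 port 40140 ssh2
Apr 25 08:02:01 host sshd[1250]: Failed password for bill from 198.51.100.7 port 50000 ssh2
Apr 25 08:02:30 host sshd[1252]: Accepted publickey for bill from 198.51.100.7 port 50002 ssh2'

# offenders: read log lines on stdin; print, sorted and one per line, every
# source address with at least $THRESHOLD failed attempts. Only lines that
# are sshd failures are counted; successful logins are ignored.
offenders() {
    awk -v thr="$THRESHOLD" '
        /sshd\[[0-9]+]: (Failed password|error: PAM: authentication error)/ {
            # the address is the field after the word "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i+1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= thr) print ip }
    ' | sort
}

# block_commands: turn the offender list into the pfctl invocations that
# would add each address to the table. Printing rather than executing
# keeps the script safe to run anywhere and easy to review first.
block_commands() {
    offenders | while read -r ip; do
        printf 'pfctl -t %s -T add %s\n' "$TABLE" "$ip"
    done
}

# Stand-alone run over the constructed sample; a cron job would instead
# feed a tail of the real auth.log and pipe the output to sh.
printf '%s\n' "$SAMPLE_LOG" | block_commands
```

For the emitted commands to have any effect the pf rule set has to declare the table and block from it, for example `table <bruteforce> persist` followed by `block in quick from <bruteforce>` placed before the rule that passes SSH; those two lines are standard pf.conf syntax and are independent of whether the SSH pass rule itself keeps state, so they fit a stateless rule set like the one the thread discusses. Note that the script works on the log after the fact, so the first few attempts from a new source always get through; tune THRESHOLD and the cron interval to taste.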