From owner-freebsd-questions@FreeBSD.ORG  Fri Mar  5 13:26:05 2010
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id CDEAA106566C
	for <freebsd-questions@freebsd.org>;
	Fri,  5 Mar 2010 13:26:05 +0000 (UTC)
	(envelope-from john@starfire.mn.org)
Received: from elwood.starfire.mn.org (starfire.skypoint.net [173.8.102.29])
	by mx1.freebsd.org (Postfix) with ESMTP id 978CD8FC15
	for <freebsd-questions@freebsd.org>;
	Fri,  5 Mar 2010 13:26:05 +0000 (UTC)
Received: from elwood.starfire.mn.org (john@localhost [127.0.0.1])
	by elwood.starfire.mn.org (8.14.3/8.14.3) with ESMTP id o25DQ4Ni015531; 
	Fri, 5 Mar 2010 07:26:04 -0600 (CST)
	(envelope-from john@elwood.starfire.mn.org)
Received: (from john@localhost)
	by elwood.starfire.mn.org (8.14.3/8.14.3/Submit) id o25DQ4fa015530;
	Fri, 5 Mar 2010 07:26:04 -0600 (CST) (envelope-from john)
Date: Fri, 5 Mar 2010 07:26:04 -0600
From: John <john@starfire.mn.org>
To: Programmer In Training <pit@joseph-a-nagy-jr.us>
Message-ID: <20100305132604.GC14774@elwood.starfire.mn.org>
References: <20100305125446.GA14774@elwood.starfire.mn.org>
	<4B910139.1080908@joseph-a-nagy-jr.us>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <4B910139.1080908@joseph-a-nagy-jr.us>
User-Agent: Mutt/1.4.2.3i
Cc: freebsd-questions@freebsd.org
Subject: Re: Thousands of ssh probes
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Mar 2010 13:26:05 -0000

On Fri, Mar 05, 2010 at 07:03:53AM -0600, Programmer In Training wrote:
> On 03/05/10 06:54, John wrote:
> > My nightly security logs have thousands upon thousands of ssh probes
> > in them.  One day, over 6500.  This is enough that I can actually
> > "feel" it in my network performance.  Other than changing ssh to
> > a non-standard port - is there a way to deal with these?  Every
> > day, they originate from several different IP addresses, so I can't
> > just put in a static firewall rule.  Is there a way to get ssh
> > to quit responding to a port or a way to generate a dynamic pf
> > rule in cases like this?
> 
> Can you not deny all ssh attempts and then allow only from certain,
> trusted IPs?

Ah, I should have added that I travel a fair amount, and often
have to get to my systems via hotel WiFi or Aircard, so it's
impossible to predict my originating IP address in advance.  If
that were not the case, this would be an excellent suggestion.

> -- 
> Yours In Christ,
> 
> PIT
> Emails are not formal business letters, whatever businesses may want.
> Original content copyright under the OWL http://owl.apotheon.org
> Please do not CC me. If I'm posting to a list it is because I am subscribed.
-- 

John Lind
john@starfire.MN.ORG