From: Leslie Jensen
Date: Fri, 05 Mar 2010 14:34:45 +0100
To: John, freebsd-questions@freebsd.org
Subject: Re: Thousands of ssh probes

On 2010-03-05 13:54, John wrote:
> My nightly security logs have thousands upon thousands of ssh probes
> in them. One day, over 6500. This is enough that I can actually
> "feel" it in my network performance. Other than changing ssh to
> a non-standard port - is there a way to deal with these? Every
> day, they originate from several different IP addresses, so I can't
> just put in a static firewall rule. Is there a way to get ssh
> to quit responding to a port or a way to generate a dynamic pf
> rule in cases like this?

I use the pf firewall with sshguard. You'll see from the daily security
how well it blocks :-)

/Leslie
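
Added example, not part of the original message and not sshguard's own code: a minimal Python sketch of the log-driven blocking that a tool like sshguard automates, counting failed sshd logins per source address in a sliding window and emitting pfctl commands that add offenders to a pf table. The log lines, threshold, window, allow list and the table name `sshguard` are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in syslog/sshd style (documentation addresses, not real logs).
SAMPLE_LOG = """\
Mar  5 03:12:01 host sshd[901]: Invalid user admin from 192.0.2.10
Mar  5 03:12:03 host sshd[901]: Failed password for invalid user admin from 192.0.2.10 port 4242 ssh2
Mar  5 03:12:05 host sshd[903]: Failed password for root from 192.0.2.10 port 4250 ssh2
Mar  5 03:15:00 host sshd[910]: Failed password for john from 198.51.100.7 port 5000 ssh2
Mar  5 03:15:30 host sshd[911]: Accepted publickey for john from 198.51.100.7 port 5001 ssh2
Mar  5 04:00:00 host sshd[920]: Failed password for root from 2001:db8::5 port 6000 ssh2
Mar  5 09:00:00 host sshd[930]: Failed password for root from 2001:db8::5 port 6001 ssh2
""".splitlines()

# Match failure messages only; the address group admits nothing but address characters.
FAILURE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Invalid user \S+|Failed \S+ for (?:invalid user )?\S+) "
    r"from (?P<ip>[0-9A-Fa-f:.]+)")

def offenders(lines, threshold=3, window=timedelta(minutes=10),
              allow=frozenset(), year=2010):
    """Return addresses with >= threshold failures inside any one window."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    blocked = []
    for line in lines:
        m = FAILURE.match(line)
        if not m or m["ip"] in allow or m["ip"] in blocked:
            continue
        # syslog timestamps carry no year, so one is assumed
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # forget failures older than the window
            q.popleft()
        if len(q) >= threshold:
            blocked.append(m["ip"])
    return blocked

def pfctl_commands(ips, table="sshguard"):
    # ip_address() raises ValueError on anything that is not a literal address
    return [f"pfctl -t {table} -T add {ipaddress.ip_address(ip)}" for ip in ips]

# pf.conf needs the table and a rule that uses it:
#   table <sshguard> persist
#   block in quick proto tcp from <sshguard> to any port ssh
if __name__ == "__main__":
    print("\n".join(pfctl_commands(offenders(SAMPLE_LOG))))
```

Slow probes spread over hours (the constructed 2001:db8::5 lines) stay under the window threshold, and the allow list keeps a known client from being locked out after a few mistyped passwords.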