Date:      Wed, 25 Apr 2007 08:44:54 -0400
From:      Bill Moran <wmoran@potentialtech.com>
To:        Christopher Hilton <chris@vindaloo.com>
Cc:        User Questions <freebsd-questions@freebsd.org>
Subject:   Re: Defending against SSH attacks with pf
Message-ID:  <20070425084454.165dd9d3.wmoran@potentialtech.com>
In-Reply-To: <462E7F2A.10202@vindaloo.com>
References:  <20070415200255.18e6ab3f.wmoran@potentialtech.com> <20070416184315.GA93730@idoru.cepheid.org> <462E7F2A.10202@vindaloo.com>

In response to Christopher Hilton <chris@vindaloo.com>:

> Erik Osterholm wrote:
> > On Sun, Apr 15, 2007 at 08:02:55PM -0400, Bill Moran wrote:
> >> There was some discussion on this list not too long ago, and someone
> >> asked if I was willing to make my pf config and the associated scripts
> >> I wrote for it public.  I would have posted on the original thread,
> >> but I can't find it now.
> >>
> >> Here is the information:
> >> http://www.potentialtech.com/cms/node/16
> >>
> 
> First: I'm not sure if the group got to it and I'm posting to a very 
> stale thread here but I've found that the best way to defeat these 
> password scanning ssh bots is to disallow passwords allowing 
> public/private key authentication in their stead. Unfortunately this 
> isn't always possible. Bill's method is a very close second.

I'm a big fan of PKI, but PKI suffers from one major problem, and it's
the same flaw that physical keys suffer from: you have to have the key
with you.

With a password, I'm always guaranteed to have access.  Just give me any
computer that has an SSH client available.  With PKI, I'm hosed if I don't
have a copy of my private key on a jump drive or something.

I'm always torn because of this.  I really like the added security of PKI,
but history has taught me that I'll need access at a critical time when
I _don't_ have a key with me.  As a result, I've decided to use password
auth on this particular server.

> Second: I love the simplicity of the stateless firewall rules in Bill's 
> pf.conf. I may have to look at implementing that here.

I'm not 100% sure, but I believe the disadvantage of the stateless approach
is that pf can't do packet normalization without state.  Thus a scrub
statement will have no effect on stateless traffic.  Again, in my case
I have enough faith in FreeBSD's TCP stack that I've deemed this an
acceptable risk.  If you're using pf to protect a bunch of Windows servers,
you may want to reconsider stateless rules.

-- 
Bill Moran
http://www.potentialtech.com
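The stateless-versus-stateful trade-off Bill describes can be made concrete in a pf.conf fragment. The following is an added example, not Bill's own ruleset from the linked page: the interface name `em0`, the table name and the rate-limit numbers are assumptions chosen for illustration. The part of scrub that genuinely depends on state is the `reassemble tcp` modifier (pf.conf(5) describes it as stateful TCP normalization), so it only acts on connections that have a state entry; fragment reassembly itself runs on every inbound packet before the rules are evaluated.

```pf
# Added example: stateless vs. stateful SSH rules in pf (FreeBSD 6-era syntax).
# Not the pf.conf referenced in the thread.
ext_if = "em0"                     # assumption: external interface
table <ssh_bruteforce> persist     # sources that exceeded the connection rate

# Normalization. Fragment reassembly applies to all inbound packets, but
# 'reassemble tcp' is stateful and only benefits connections with a state entry.
scrub in on $ext_if all reassemble tcp

block in on $ext_if
block in quick on $ext_if from <ssh_bruteforce>

# Stateless variant (the simple rules the thread praises): each packet is
# matched on its own, no state-table entry is created, so stateful
# normalization and per-source rate tracking cannot apply to it.
# pass in  on $ext_if proto tcp to   ($ext_if) port ssh no state
# pass out on $ext_if proto tcp from ($ext_if) port ssh no state

# Stateful variant: the SYN creates state, 'reassemble tcp' applies, and a
# source opening more than 3 connections in 30 seconds is added to the table
# and its existing states are flushed.
pass in on $ext_if proto tcp to ($ext_if) port ssh flags S/SA keep state \
    (max-src-conn-rate 3/30, overload <ssh_bruteforce> flush global)
pass out on $ext_if keep state
```

Load with `pfctl -nf /etc/pf.conf` first to check the syntax, and inspect the table with `pfctl -t ssh_bruteforce -T show`. The overload table persists across rule reloads only because of `persist`; entries can be cleared with `pfctl -t ssh_bruteforce -T flush`.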