On Mar 5, 2010, at 8:26 AM, John wrote:

> On Fri, Mar 05, 2010 at 07:03:53AM -0600, Programmer In Training wrote:
>> On 03/05/10 06:54, John wrote:
>>> My nightly security logs have thousands upon thousands of ssh probes
>>> in them.  One day, over 6500.  This is enough that I can actually
>>> "feel" it in my network performance.  Other than changing ssh to
>>> a non-standard port - is there a way to deal with these?  Every
>>> day, they originate from several different IP addresses, so I can't
>>> just put in a static firewall rule.  Is there a way to get ssh
>>> to quit responding to a port or a way to generate a dynamic pf
>>> rule in cases like this?
>>
>> Can you not deny all ssh attempts and then allow only from certain,
>> trusted IPs?
>
> Ah, I should have added that I travel a fair amount, and often
> have to get to my systems via hotel WiFi or Aircard, so it's
> impossible to predict my originating IP address in advance.  If
> that were not the case, this would be an excellent suggestion.

Way back about 10 years ago, I was playing around with IPFW a lot. I wrote a script to update IPFW from changes made to a MySQL db. It was a just-for-fun project that turned out to be rather useful. I have some developers that I managed who, like you, were road warriors. They logged in to the https web page w/ their username and password, which grabbed their IP address and stored it in a table along with their login id.

The script, called fud (for firewall update daemon), connected to the db and ran a query to check for any rule changes. If there were, it would apply them to the rule set and clear the change flag. Using this combination I was able to allow ssh access only to the necessary IP addresses.

I kind of scrapped it when VPNs became easier to deploy and I have no idea where this set of scripts is now, but it would be rather trivial to build a new version.

If anyone thinks it's worth revisiting, hit me off list.

Cheers,
Mikel King
CEO, Olivent Technologies
Senior Editor, BSD News Network
Columnist, BSD Magazine
6 Alpine Court,
Medford, NY 11763
o: 631.627.3055 c: 631.796.1499
skype:mikel.king
http://olivent.com
http://www.linkedin.com/in/mikelking
http://twitter.com/mikelking

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
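
An added sketch of the poll-and-apply loop described in the message above; it is not the fud script from the post. It assumes SQLite in place of MySQL, a pf table named `ssh_allow` updated through `pfctl -t ... -T add/delete` instead of IPFW rules, and a hypothetical `logins` schema; it builds the commands without running them.

```python
import ipaddress
import sqlite3

TABLE = "ssh_allow"  # hypothetical pf table name, not from the original post
SCHEMA = """CREATE TABLE logins (
    login_id TEXT PRIMARY KEY,
    ip TEXT NOT NULL,        -- address captured at HTTPS login
    applied_ip TEXT,         -- address currently in the firewall table
    changed INTEGER NOT NULL DEFAULT 1)"""

def record_login(db, login_id, ip):
    """Web side: store the caller's address and raise the change flag."""
    db.execute(
        "INSERT INTO logins (login_id, ip) VALUES (?, ?) "
        "ON CONFLICT(login_id) DO UPDATE SET ip = excluded.ip, changed = 1",
        (login_id, ip))

def poll_once(db):
    """Daemon side: turn flagged rows into pfctl argv lists, then clear the flag."""
    commands = []
    rows = db.execute(
        "SELECT login_id, ip, applied_ip FROM logins WHERE changed = 1").fetchall()
    for login_id, ip, applied_ip in rows:
        try:
            addr = str(ipaddress.ip_address(ip))  # accept a single host address only
        except ValueError:
            db.execute("UPDATE logins SET changed = 0 WHERE login_id = ?", (login_id,))
            continue
        if applied_ip and applied_ip != addr:
            commands.append(["pfctl", "-t", TABLE, "-T", "delete", applied_ip])
        if applied_ip != addr:
            commands.append(["pfctl", "-t", TABLE, "-T", "add", addr])
        db.execute("UPDATE logins SET applied_ip = ?, changed = 0 WHERE login_id = ?",
                   (addr, login_id))
    return commands  # a real daemon would hand each list to subprocess.run()

def demo():
    """Constructed sample data: one login, one malformed entry, one address change."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    record_login(db, "alice", "203.0.113.7")
    record_login(db, "bob", "not-an-address")   # rejected by validation
    first = poll_once(db)
    record_login(db, "alice", "198.51.100.20")  # alice logs in from a new network
    return first, poll_once(db), poll_once(db)
```

Two users behind the same NAT address would need reference counting before a delete, which this sketch leaves out.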
