Thousands of ssh probes
Friday, March 5, 2010 1:54 PM
From: "John" <j...@starfire.mn.org>
To: freebsd-questions@freebsd.org
My nightly security logs have thousands upon thousands of ssh probes
in them.  One day, over 6500.  This is enough that I can actually
"feel" it in my network performance.  Other than changing ssh to
a non-standard port - is there a way to deal with these?  Every
day, they originate from several different IP addresses, so I can't
just put in a static firewall rule.  Is there a way to get ssh
to quit responding to a port or a way to generate a dynamic pf
rule in cases like this?
-- 

John Lind
j...@starfire.mn.org

*************************************************************************************************
Hi John,
I'm using pf as a firewall on FreeBSD. I used this handy website:
http://www.bgnett.no/~peter/pf/en/bruteforce.html and especially this part:

max-src-conn is the number of simultaneous connections you allow from one host. 
In this example, I've set it at 100, in your setup you may want a slightly 
higher or lower value.

max-src-conn-rate is the rate of new connections allowed from any single host, 
here 15 connections per 5 seconds. Again, you are the one to judge what suits 
your setup.

I then looked at ssh itself. Key-based authentication only is what I'm allowing 
on my network now and I have put the AllowUsers directive in my sshd_config.
At the moment I'm so paranoid that I'm reading into this Mandatory Access 
Control part of the handbook as well.
Good luck,
Dino



      
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
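
As an added example (not part of either message, and not copied from the linked page), a pf.conf fragment showing how the two limits quoted in the reply combine with an overload table to give the dynamic rule asked about in the question. The interface name `em0` and the table name `bruteforce` are assumptions; the 100 and 15/5 values are the ones quoted in the reply.

```conf
# Added example: pf.conf fragment for rate-limiting ssh and blocking
# sources that exceed the limits. Adjust names and thresholds locally.

ext_if = "em0"                 # assumption: the external interface

# Table that pf fills at run time with offending source addresses.
# "persist" keeps the table in existence even while it is empty.
table <bruteforce> persist

# Drop anything from a listed host. "quick" stops rule evaluation here,
# so the pass rule below is never reached for these sources.
block in quick on $ext_if from <bruteforce>

# Allow ssh, but track state per source address:
#   max-src-conn 100        at most 100 simultaneous connections per host
#   max-src-conn-rate 15/5  at most 15 new connections per 5 seconds per host
#   overload <bruteforce>   a host that exceeds either limit is added to the table
#   flush global            and all of its existing states are killed
pass in on $ext_if inet proto tcp from any to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, \
     overload <bruteforce> flush global)

# Operational checks, run from a root shell (not part of pf.conf):
#   pfctl -nf /etc/pf.conf               parse the ruleset without loading it
#   pfctl -t bruteforce -T show          list the addresses currently blocked
#   pfctl -t bruteforce -T expire 86400  drop entries older than 24 hours
```

The limits only count connections that complete the TCP handshake, and a probe that stays below 15 connections per 5 seconds is never added to the table. Key-only authentication and AllowUsers, as described in the reply, cover that slower case.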
