On 05/03/10 13:54, John wrote:
My nightly security logs have thousands upon thousands of ssh probes
in them.  One day, over 6500.  This is enough that I can actually
"feel" it in my network performance.  Other than changing ssh to
a non-standard port - is there a way to deal with these?  Every
day, they originate from several different IP addresses, so I can't
just put in a static firewall rule.  Is there a way to get ssh
to quit responding to a port or a way to generate a dynamic pf
rule in cases like this?

This is a frequent question on the list, search the archives. Basically there are few things that you can do:

1. limit the access to a range of IPs, for example, even if you travel a lot you go to a limited number of countries, why permit access from other continents?

2. limit access to certain users, there is no need to allow games or root user to authenticate via ssh. Use AllowUsers or AllowGroups to restrict access to real users.

3. limit the amount of concurrent non-authenticated connections, number of failed attempts and similar.

4. prohibit password authentication.

If the problem is that these attacks consume significant bandwidth then moving your service to a different port may be a good solution, but if your concern is security, then the above is more effective.

BR, Erik

--
Erik Nørgaard
Ph: +34.666334818/+34.915211157                  http://www.locolomo.org
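John asked for a way to generate a dynamic pf rule from the probes in the nightly logs. The script below is an added example, not code from this thread: it counts failed sshd logins per source address in auth.log-style lines and emits pfctl commands that add repeat offenders to a pf table. The log lines are constructed samples, and the table name `bruteforce` and the failure threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample of FreeBSD auth.log lines (not taken from the thread).
SAMPLE_LOG = """\
Mar  5 02:11:07 gw sshd[4120]: Invalid user games from 192.0.2.10
Mar  5 02:11:09 gw sshd[4120]: Failed password for invalid user games from 192.0.2.10 port 41122 ssh2
Mar  5 02:11:12 gw sshd[4123]: Failed password for root from 192.0.2.10 port 41130 ssh2
Mar  5 02:11:15 gw sshd[4125]: Failed password for root from 192.0.2.10 port 41131 ssh2
Mar  5 02:11:18 gw sshd[4127]: Failed password for invalid user admin from 192.0.2.10 port 41140 ssh2
Mar  5 02:30:44 gw sshd[4201]: Failed password for john from 198.51.100.7 port 50222 ssh2
Mar  5 02:30:51 gw sshd[4201]: Accepted publickey for john from 198.51.100.7 port 50222 ssh2
Mar  5 03:02:01 gw sshd[4310]: Failed password for invalid user oracle from 203.0.113.9 port 33001 ssh2
Mar  5 03:02:03 gw sshd[4312]: Failed password for invalid user oracle from 203.0.113.9 port 33002 ssh2
Mar  5 03:02:05 gw sshd[4314]: Failed password for invalid user test from 203.0.113.9 port 33003 ssh2
"""

# Matches the two sshd messages a probe leaves behind: a rejected password and
# an unknown user name.  Only the source IPv4 address is captured.
FAIL_RE = re.compile(
    r"sshd\[\d+\]: (?:Failed password for|Invalid user) .*?from (\d+\.\d+\.\d+\.\d+)"
)


def count_failures(log_text):
    """Return a Counter of failed-login lines per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def offenders(log_text, threshold=3):
    """Addresses with at least `threshold` failures (threshold is an assumed value)."""
    return sorted(ip for ip, n in count_failures(log_text).items() if n >= threshold)


def pfctl_commands(log_text, table="bruteforce", threshold=3):
    """Commands that add each offender to a pf table.  pf.conf is assumed to hold
    'table <bruteforce> persist' and 'block in quick from <bruteforce>' so the
    table, not a static rule, carries the changing list of addresses."""
    return [f"pfctl -t {table} -T add {ip}" for ip in offenders(log_text, threshold)]


if __name__ == "__main__":
    for cmd in pfctl_commands(SAMPLE_LOG):
        print(cmd)
```

A single failed attempt from a legitimate user (198.51.100.7 above) stays under the threshold, so only the addresses that keep hammering the port end up in the table.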
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions