Thousands of ssh probes
Tim Daneliuk
tundra at tundraware.com
Sat Mar 6 03:59:07 UTC 2010
On 3/5/2010 7:44 PM, Erik Norgaard wrote:
> On 05/03/10 13:54, John wrote:
>> My nightly security logs have thousands upon thousands of ssh probes
>> in them. One day, over 6500. This is enough that I can actually
>> "feel" it in my network performance. Other than changing ssh to
>> a non-standard port - is there a way to deal with these? Every
>> day, they originate from several different IP addresses, so I can't
>> just put in a static firewall rule. Is there a way to get ssh
>> to quit responding to a port or a way to generate a dynamic pf
>> rule in cases like this?
>
> This is a frequent question on the list, search the archives. Basically
> there are few things that you can do:
>
> 1. limit the access to a range of IPs, for example, even if you travel a
> lot you go to al limited number of countries, why permit access from
> other continents?
>
> 2. limit access to certain users, there is no need to allow games or
> root user to authenticate via ssh. Use AllowUsers or AllowGroups to
> restrict access to real users.
>
> 3. limit the amount of concurrent non-authenticated connections, number
> of failed attempts and similar.
>
> 4. prohibit password authentication.
>
> If the problem is that these attacks consume significant bandwidth then
> moving your service to a different port may be a good solution, but if
> your concern is security, then the above is more effective.
>
> BR, Erik
>
I solved this problem a slightly different way with dynamic TCP wrapper
control:
http://www.tundraware.com/Software/tperimeter/
--
----------------------------------------------------------------------------
Tim Daneliuk tundra at tundraware.com
PGP Key: http://www.tundraware.com/PGP/
More information about the freebsd-questions
mailing list