sshguard pf

[Charlie Root]

On Tue, Nov 04, 2014 at 10:31:42AM -0500, Lowell Gilbert wrote:
> Hasse Hansson <hasse at thorshammare.org> writes:
> 
> > I'm aware of changing port for ssh, but I see it as a little bit of "givingup"
> > Gotta be some rather easy way of just blocking those attacks. Other than blocking
> > whole of CN and half of Asia. I've tried that too. It stopped the attacks and gave
> > me some room to think it over.
> 
> Changing the port won't help you avoid attacks that might succeed, but
> it will substantially reduce the clutter that you need to look through.
> 
> I don't do it because I've had problems with paranoid networks blocking
> everything but a few special ports, where ssh is one of the allowed
> ones, but I don't know if anybody's still doing anything that silly.
> 
> > But I still wonder why sshguard or pf don't block those attacks.
> > shguard does it job on other probes, but not the root logins. PF doesn't seem
> > to do much at all.
> 
> Firewalls won't help detect the attack. They can be used to keep someone
> out once the attack has been detected. I don't know sshguard, so I can't
> tell you why it isn't working for you, but there certainly are ports
> that can do so. I use bruteblock, for example, but I know there are
> several other options that do the same thing.

Thank you all for your answers and effort to help.

I'm interested in trying out bruteblock, but a little bit confused. ( not unusual )

Do "bruteblock" require me to run ipfw2 as my firewall ?
<snip from pkg-descr>
Bruteblock is written in pure C, doesn't use any
external programs and work with ipfw2 tables via raw sockets API.
</snip>

/hasse
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20141104/bab696ad/attachment.sig>