openssh concerns

Marian Hettwer MH at kernel32.de
Mon Oct 5 14:08:06 UTC 2009


Hej All,

olli hauer schrieb:
>>> http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
>>> provides a reasonably useful list of ports NOT to choose for an
>>> obscure ssh port.
>>
>> In practice, you have no choice but to use something like 443 or 8080,
>> because corporate firewalls often block everything but a small number
>> of ports (usually 20, 22, 80, 443, 8080, and odds are that 20, 80 and
>> 8080 go through a transparent proxy).
>>
>
> This may work if the firewall does only port and no additional protocol
> filtering. For many products used in corporate environments it is even
> possible to filter ssh v1, skype, stunnel, openvpn with a very high
> success rate within the first packets on the wire.
>
> For the ssh server, take a look at these parameters:
> - LoginGraceTime
> - MaxAuthTries
> - MaxSessions
> - MaxStartups
>
I think nobody mentioned the overload rules from pf(4). I keep away most 
of the tried attempts by using it.
Setup is pretty easy:
    table <ssh-spammer> persist

    # Sources already in the overload table are dropped before they reach
    # the pass rule below.
    block quick from <ssh-spammer>

    # "flags S/SA" only applies to tcp, so the rule matches proto tcp
    # (not "{ tcp, udp }"); ssh is tcp-only anyway.
    pass quick log proto tcp from any to any port ssh label "ssh-brute" \
            flags S/SA keep state \
            (max-src-conn 15, max-src-conn-rate 10/30, \
            overload <ssh-spammer> flush global)

Obviously, read pf.conf(5) to check what you might want to configure WRT 
max-src-conn and max-src-conn-rate.

These rules in combination with enforced key authentication should keep 
your logfiles clean and your host secured.
No need to go to another tcp port.

Cheers,
Marian
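To make the max-src-conn-rate 10/30 semantics concrete, here is a small
replay of the overload logic over constructed SYN events. This is an added
illustration, not code from the list post or from pf itself: it models the
rate limit as a plain 30-second sliding window (pf's real accounting is an
internal detail and is assumed to behave equivalently for this purpose),
treats "overload" as adding the source to the table and dropping its
tracked state ("flush global"), and treats later SYNs from a tabled source
as hits on a "block quick from <ssh-spammer>" rule. The addresses and
timestamps are constructed sample data.

```python
from collections import defaultdict, deque

# Parameters from the pf rule: max-src-conn-rate 10/30
RATE_LIMIT = 10       # more than this many new connections ...
RATE_WINDOW = 30      # ... within this many seconds triggers overload

# Constructed sample: (unix timestamp, source address) for each new TCP SYN
# to port 22. Three sources with different behaviour.
SAMPLE_EVENTS = (
    [(1000 + i * 2, "192.0.2.10") for i in range(12)]      # 12 SYNs in 22 s: brute-forcer
    + [(1000 + i * 25, "198.51.100.7") for i in range(5)]  # 5 SYNs over 100 s: normal user
    + [(1000 + i * 6, "203.0.113.5") for i in range(11)]   # 11 SYNs over 60 s: never > 10 in 30 s
)


def simulate_overload(events, limit=RATE_LIMIT, window=RATE_WINDOW):
    """Replay SYN events through a simplified model of pf's max-src-conn-rate.

    Returns (overloaded, blocked):
      overloaded maps source -> timestamp at which it entered <ssh-spammer>
      blocked    lists (timestamp, source) events that arrived after the
                 source was tabled, i.e. what "block quick from <ssh-spammer>"
                 would drop.
    """
    recent = defaultdict(deque)   # per-source timestamps inside the window
    overloaded = {}
    blocked = []
    for ts, src in sorted(events):
        if src in overloaded:
            blocked.append((ts, src))
            continue
        q = recent[src]
        q.append(ts)
        # Drop timestamps older than the window (sliding-window assumption).
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > limit:
            overloaded[src] = ts
            recent.pop(src)   # "flush global": existing state for this source goes away
    return overloaded, blocked


def summarize(events=SAMPLE_EVENTS):
    """Human-readable report; the structured result comes from simulate_overload."""
    overloaded, blocked = simulate_overload(events)
    lines = [f"{src} added to <ssh-spammer> at t={ts}" for src, ts in overloaded.items()]
    lines += [f"t={ts} SYN from {src} dropped by block rule" for ts, src in blocked]
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize())
```

Running it shows only 192.0.2.10 landing in the table (at its 11th SYN,
t=1020) and its 12th SYN being dropped, while the source that opens 11
connections spread over a minute is never caught: the rate is measured per
window, not as a lifetime total. On a live host the equivalent check is
`pfctl -t ssh-spammer -T show`.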


More information about the freebsd-security mailing list