Oliver Fromme wrote:

[ snip ]
In general that's not a good idea.  If you do it wrong, it makes DoS attacks against your machine easier (i.e. a clever attacker might be able to lock you out of your own machine).  And getting it right is not easy.

The best way to prevent brute-forcing is to use good passwords, or -- even better -- don't use passwords at all, but key authentication or OTP (SKey / OPIE).

Another thing that you can do is to move the sshd to a non-standard port (i.e. something other than 22).  Attackers who look for machines for brute-forcing usually scan networks for port 22 only.  However, note that using a non-standard port does _not_ make your machine more secure (that would rather be "security by obscurity").  It only prevents your machine from appearing in standard ssh scans, so it gets rid of almost all of the "ssh login failures" in your daily run output which result from such attempts.
First, I want to second Oliver's advice. If it's at all possible, switch to using public keys for authentication with ssh and disallow password authentication. This completely stops the brute-forcing attacks from filling up your periodic security mail.

Second, and I know that you are using ipfw, I use pf with the following config:

table <blackhole> persist

## Allow people into the ssh server but if they are just wasting my time then
## blackhole them.

block in quick from <blackhole>
pass in on $ext_if proto tcp to $ext_if port 22 flags S/SA keep state \
    (max-src-conn-rate 5/60, overload <blackhole> flush global)

This automatically adds addresses to the blackhole table if they try to initiate connections to ssh at a rate of more than 5 connects per minute.

Oliver's warning applies here also. Using spoofing, someone could force an arbitrary IP address into the blackhole table and make my life difficult. Awareness of that hole is an important part of using this tactic as a part of your security profile.

-- Chris
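To make the 5/60 threshold and the overload table concrete, here is an added Python model of that pf rule (example code, not from Chris's pf.conf and not pf itself). It approximates pf's moving-average rate with an exact sliding window, and assumes the blackhole entries are aged out by a cron job running `pfctl -t blackhole -T expire 3600`, so an address that was forced into the table is not locked out forever.

```python
from collections import defaultdict, deque

RATE_LIMIT = 5        # max-src-conn-rate 5/60: more than 5 new connects ...
WINDOW = 60           # ... inside 60 seconds trips the overload
BLACKHOLE_TTL = 3600  # assumed: cron runs `pfctl -t blackhole -T expire 3600`

class SshGate:
    """Models `pass ... (max-src-conn-rate 5/60, overload <blackhole> flush global)`
    plus `block in quick from <blackhole>`. pf computes a moving average; this
    uses an exact sliding window, which is a simplification."""

    def __init__(self, limit=RATE_LIMIT, window=WINDOW, ttl=BLACKHOLE_TTL):
        self.limit, self.window, self.ttl = limit, window, ttl
        self.recent = defaultdict(deque)  # src -> times of recent new connects
        self.blackhole = {}               # src -> time added (the <blackhole> table)

    def connect(self, src, now):
        """Verdict for one new TCP connect from src at time now (seconds)."""
        added = self.blackhole.get(src)
        if added is not None and now - added < self.ttl:
            return "blocked"              # block in quick from <blackhole>
        self.blackhole.pop(src, None)     # entry expired, address usable again
        q = self.recent[src]
        while q and now - q[0] >= self.window:
            q.popleft()                   # forget connects older than the window
        q.append(now)
        if len(q) > self.limit:
            self.blackhole[src] = now     # overload <blackhole>
            q.clear()                     # flush global: kill this source's states
            return "overload"
        return "pass"

# Constructed sample traffic: a scanner hammering port 22 and an admin logging in
SCANNER, ADMIN = "198.51.100.7", "203.0.113.42"
EVENTS = sorted([(t, SCANNER) for t in range(0, 70, 10)] + [(3650, SCANNER)]
                + [(5, ADMIN), (300, ADMIN), (3000, ADMIN)])

def simulate(events, **limits):
    """Return (time, src, verdict) for every event, in time order."""
    gate = SshGate(**limits)
    return [(t, src, gate.connect(src, t)) for t, src in events]

if __name__ == "__main__":
    for t, src, verdict in simulate(EVENTS):
        print(f"t={t:5d} {src:15} {verdict}")
```

The scanner's sixth connect within the minute lands it in the table, its next connect is blocked, and it is only admitted again once the assumed expiry has passed, while the admin's occasional logins are never touched.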