On Monday 15 May 2006 18:07 Bill Marquette wrote:
> On 5/15/06, GreenX FreeBSD <[EMAIL PROTECTED]> wrote:
> > > I'd advise against what you're trying to do. It won't make your box
> > > more secure.
> >
> > Why?
> > Simply so, you will not get onto ssh any more.
> > If I am not mistaken, the probability that the scanner will begin the
> > check with the "key" port, and then at once will check sshd, is equal
> > to 1 / (0xFFFF*0xFFFE).
> > If he will not do this, he can be caught on max-src-conn-rate
> > concerning public services, and have a forward set up for him from all
> > ports to ssh on localhost.
>
> And you always connect from a trusted network? Presumably the answer
> to this is no, else you'd just put rules in to allow the trusted
> network to connect. Port-knocking is security through obscurity at
> its best and at a minimum is wide open to replay attacks.
>
> If the concern is simply that you don't want someone brute forcing an
> account, force the use of SSH authorized keys. Run a script watching
> the logs for anyone failing logins and add those addresses to a block
> list.
There is a nice and easy way to block ssh brute-force attempts with pf only:
http://legonet.org/~griffin/openbsd/block_ssh_bruteforce.html

Cheers,
Vik

--
PGP Key: 0xE09DC8D8/6799 4011 EBDE 6412 05A1 090C DBDF 5887 E09D C8D8
Signed/encrypted mail welcome!
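As an added example (not code from the thread or from the linked page): a POSIX shell script implementing Bill's "watch the logs and add the addresses to a block list" approach with a pf table as the block list, run over a constructed sshd log. The table name `bruteforce`, the threshold, and the syslog line format are this example's assumptions; the comment block shows the pf-only variant built on the max-src-conn-rate option GreenX mentions, as documented in pf.conf(5).

```shell
#!/bin/sh
# Added example, not code from the thread: Bill's "watch the logs, add the
# addresses to a block list" approach, with pf as the block list.
# Assumptions: OpenSSH log lines in the syslog format shown below, a pf
# table named <bruteforce>, and a threshold chosen by the caller.
#
# pf.conf side (the pf-only variant also works without this script; it uses
# the max-src-conn-rate option mentioned in the thread, see pf.conf(5)):
#   table <bruteforce> persist
#   block in quick from <bruteforce>
#   pass in on $ext_if proto tcp to ($ext_if) port ssh flags S/SA keep state \
#       (max-src-conn 10, max-src-conn-rate 5/30, overload <bruteforce> flush global)

# Constructed sshd log: one address fails four times, another only once.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
May 15 18:07:01 gw sshd[2114]: Failed password for root from 203.0.113.7 port 51234 ssh2
May 15 18:07:03 gw sshd[2114]: Failed password for root from 203.0.113.7 port 51234 ssh2
May 15 18:07:05 gw sshd[2116]: Invalid user admin from 203.0.113.7
May 15 18:07:06 gw sshd[2116]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
May 15 18:07:09 gw sshd[2119]: Failed password for vik from 198.51.100.22 port 40022 ssh2
May 15 18:07:12 gw sshd[2119]: Accepted publickey for vik from 198.51.100.22 port 40022 ssh2
EOF

# Print each source address with at least $1 failed logins in log file $2,
# one per line, sorted. Successful logins are not counted.
failed_login_offenders() {
    threshold=$1
    logfile=$2
    grep -E 'sshd\[[0-9]+\]: (Failed password|Invalid user) ' "$logfile" |
        sed -E 's/.* from ([0-9.]+).*/\1/' |
        sort | uniq -c |
        awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Add the offenders to the pf table; needs root and the table from pf.conf.
# Expire stale entries separately, e.g. from cron:
#   pfctl -t bruteforce -T expire 86400
block_offenders() {
    failed_login_offenders "$1" "$2" | while read -r ip; do
        pfctl -t bruteforce -T add "$ip"
    done
}
```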