On Mon, May 03, 2010 at 11:39:33AM -0500, John wrote:
> Hi, Matthew. Indeed, yes, you may not recall, but my rules are
> based on a set that I originally got from you, and I do, in fact,
> have a white list, which I should have mentioned, but some of my
> users are "road warriors" and could be coming from virtually anywhere.
> You're right, though - it's time to look into alternatives to
> password-based authentication. I think I've taken password-based
> protection and rate adaptive rules to their logical limit.
Depending on the platforms these people use, you might find OpenVPN useful. It has some excellent features for protecting against the sort of attack you are seeing, if you use the default UDP transport. The setup is really quite simple, and it runs on *BSD, Linux, Mac OS X and Windows (probably others, but I've never needed to use it anywhere but the 4 listed).

You can then allow users on the VPN to access ssh, along with the whitelisted addresses already in your pf tables.

I've been using this setup for a while, and am very happy with it.

Dan

--
Daniel Bye
 _
( )  ASCII ribbon campaign
 X   - against HTML, vCards and
/ \  - proprietary attachments in e-mail
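A pf ruleset that implements the split Dan describes (ssh reachable only from the VPN and from the existing whitelist table, with the OpenVPN UDP listener as the sole service open to the world). This is an added example, not a configuration from the original mail or from either poster; the interface names, VPN subnet, port and whitelist file path are assumptions.

```conf
# /etc/pf.conf fragment (added example; names below are assumed, not from the thread)
ext_if       = "em0"          # assumed Internet-facing interface
vpn_if       = "tun0"         # assumed OpenVPN server interface
vpn_net      = "10.8.0.0/24"  # assumed OpenVPN client subnet
openvpn_port = "1194"         # OpenVPN default UDP port

# Static whitelist of trusted source addresses, kept in a file so it can be
# refreshed without reloading the ruleset:
#   pfctl -t ssh_whitelist -T replace -f /etc/pf/ssh_whitelist
table <ssh_whitelist> persist file "/etc/pf/ssh_whitelist"

set skip on lo

# Default deny inbound on the external interface; log what gets dropped so
# brute-force attempts are still visible for review.
block in log on $ext_if

# OpenVPN over UDP is the only service reachable from arbitrary addresses;
# clients must complete the VPN handshake before they can see sshd at all.
pass in on $ext_if proto udp from any to ($ext_if) port $openvpn_port keep state

# ssh directly from the Internet only for whitelisted addresses.
pass in on $ext_if proto tcp from <ssh_whitelist> to ($ext_if) port ssh keep state

# ssh for road warriors who already hold an established VPN session.
pass in on $vpn_if proto tcp from $vpn_net to ($vpn_if) port ssh keep state

pass out on $ext_if keep state
```

Load with `pfctl -nf /etc/pf.conf` first to check syntax, then `pfctl -f /etc/pf.conf`; `pfctl -t ssh_whitelist -T show` confirms the table contents after a reload.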