Tobias Ulmer wrote:

This topic comes up at regular intervals of 6 months on every *nix
mailing list I'm on.

It's stupid (sorry, but it is):

Gained "security" = 0%

Leave it just as it is. You don't have anything to fear if
you use decent passwords. Otherwise don't offer an ssh service!

I keep the following setup in my pf.conf for bandwidth/CPU reasons, not security reasons:

---------
[...]
table <ssh-white> persist { 127.0.0.1, ... }
[...]
# Hosts in the whitelist may always connect, unlimited.
# Non-whitelisted hosts whose SYN fingerprints as Linux (pf's passive
# OS detection, "os Linux") are blocked.
# Everyone else gets at most one new connection per 30 seconds per
# source address; attempts above that rate do not match this rule
# and fall through to whatever follows it (the source is not banned).
# Note: ($ext_if:0) matches only the interface's first address,
# ($ext_if) matches all of its addresses.
pass in quick on $ext_if proto tcp from <ssh-white> to ($ext_if:0) \
        port ssh keep state label "ssh-white"
block in quick on $ext_if proto tcp from any os Linux to ($ext_if:0) \
        port ssh label "ssh-linux"
pass in quick on $ext_if proto tcp from any to ($ext_if) \
        port ssh flags S/SA keep state (max-src-conn-rate 1/30) \
        label "ssh-other"
[...]
---------


/Alexander

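The ruleset in the post only stops matching once a source exceeds the rate; the source itself is never remembered, so it can keep probing at 1/30 forever. The fragment below is an added example, not code from the post or from either participant, showing the overload-table variant of the same idea: sources that exceed the limit are put in a table and refused outright until an operator expires them. It assumes the external interface is em0, a whitelist containing only 127.0.0.1, and a table named <ssh-abusers>; the limits (5 open connections, 3 new per 60 seconds) are arbitrary illustration values. It also uses ($ext_if) throughout rather than mixing ($ext_if:0) and ($ext_if), so the rules cover every address on the interface consistently.

```pf
# Added example (not the original post's ruleset). Assumptions:
# ext_if is em0, the whitelist holds only 127.0.0.1, and a table
# named <ssh-abusers> is acceptable. Everything else is standard
# OpenBSD pf.conf syntax.
ext_if = "em0"

table <ssh-white>   persist { 127.0.0.1 }
table <ssh-abusers> persist

# Whitelisted sources: unlimited, stateful.
pass in quick on $ext_if proto tcp from <ssh-white> to ($ext_if) \
        port ssh flags S/SA keep state label "ssh-white"

# Sources already in the overload table are refused outright. This must
# sit above the rate-limited pass rule; 'quick' stops evaluation here.
block in quick on $ext_if proto tcp from <ssh-abusers> to ($ext_if) \
        port ssh label "ssh-abusers"

# Everyone else: at most 5 open connections per source and at most 3 new
# connections per 60 seconds per source. A source that exceeds either
# limit is added to <ssh-abusers>; 'flush global' also tears down every
# state that source currently holds, not only its ssh states.
pass in quick on $ext_if proto tcp from any to ($ext_if) \
        port ssh flags S/SA keep state \
        (max-src-conn 5, max-src-conn-rate 3/60, \
         overload <ssh-abusers> flush global) \
        label "ssh-other"

# Operating the table (shell, as root):
#   pfctl -nf /etc/pf.conf                      # syntax-check before loading
#   pfctl -f /etc/pf.conf                       # load the ruleset
#   pfctl -t ssh-abusers -T show                # who is currently banned
#   pfctl -t ssh-abusers -T delete 203.0.113.7  # unban one address
#   pfctl -t ssh-abusers -T expire 86400        # drop entries older than a day
```

Two caveats before copying this. First, 'flush global' kills all existing states from the offending source, so one misbehaving host behind a shared NAT address takes every other session from that address with it; drop 'global' if that is a concern. Second, as Tobias says above, this buys no security against password guessing that decent passwords or key-only authentication would not already give you; it only limits how much of your bandwidth and CPU a scanner can consume.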