Can't you map ssh to a high port on the firewall? That way your clients are the only ones that know the port. If a botnet manages to find the port you can always change it to another one and inform your clients.
On Nov 29, 2008, at 16:37, Sandro wrote:
Hi everyone,

I don't know how many of you have noticed this, but my mailserver has become the victim of what seems to be a new kind of dictionary attack. I'm seeing connections from literally hundreds of different hosts, working as an evident botnet, that connect via ssh and try various passwords. While I'm not terribly concerned with the password strength of most users who have ssh access (it's not many either), I'm still very irritated by this. What makes this a challenge to stop or block is the fact that each specific host only attempts to connect once every 4-5 hours usually, though in rare instances, it will connect every 1.5-2 hours.

What I've done this morning on the machine running pf to try and get this under control is set up a max-src-conn-rate rule of 2/4000, and set up a redirect from the firewall/router running openbsd/pf to the mailserver with a pass rule so that I don't get blocked out of it myself! (Though the mailserver is behind a router, it has a routable IP, making this option viable). My question is, will this seemingly HUGE time interval even work in pf?

Has anyone else seen this sort of thing, and what have you done to mitigate this? For the record, I know about ssh keys, and it's in fact set up on other machines, but for various reasons, I can't enable it just yet on this one.
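The pf.conf setup Sandro describes (rate limit plus a pass rule for his own access), written out as an added example that is not code from either poster; the interface name, addresses and table names are placeholders, and the syntax is OpenBSD pf as it was in late 2008:

```pf
# Added example, not from either poster. Interface, addresses and table
# names are placeholders; syntax is OpenBSD pf as of late 2008.
ext_if     = "em0"          # placeholder: external interface of the router
mailserver = "192.0.2.25"   # placeholder: the mail server's routable address

# Sources that exceed the rate land in this table; 'persist' keeps it
# across 'pfctl -f' reloads. Age entries out with e.g.
#   pfctl -t bruteforce -T expire 86400
table <bruteforce> persist
table <admins> persist { 203.0.113.10 }   # placeholder: your own hosts

# 1. Your own hosts are passed first and 'quick', so a mistake in the
#    limit below cannot lock you out of the mail server.
pass in quick on $ext_if proto tcp from <admins> to $mailserver port ssh \
    flags S/SA keep state

# 2. Anything already in the table is dropped before the rate-limited rule.
block in quick on $ext_if proto tcp from <bruteforce> to $mailserver port ssh

# 3. The rule from the post: a source that opens more than 2 new ssh
#    connections within 4000 s is added to <bruteforce>, and 'flush global'
#    kills every state that source already holds, not only the ssh ones.
pass in on $ext_if proto tcp from any to $mailserver port ssh \
    flags S/SA keep state \
    (max-src-conn-rate 2/4000, overload <bruteforce> flush global)
```

Inspect who has tripped the limit with `pfctl -t bruteforce -T show`. Note that 4000 s is about 67 minutes, so a host that returns only every 1.5 to 5 hours, as described in the post, opens one connection per window and never exceeds a 2/4000 limit even if pf accepts the interval.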