SSH Brute Force attempts
Matthew Seaman
m.seaman at infracaninophile.co.uk
Tue Sep 30 05:44:52 UTC 2008
Jeremy Chadwick wrote:
> You naturally have to keep pf.conf.ssh-* in sync if you have multiple
> machines. You can use pfsync(4) to accomplish this task (I think), or
> you can do it the obvious way (make a central distribution box that
> scp/rsync's the files out and runs "/etc/rc.d/pf reload").
pfsync sychronises the dynamic state sessions between machines -- ie.
basically what you see by doing 'pfctl -ss' It doesn't as far as I
know synchronise table contents even if the table changes are themselves
dynamically generated in response to traffic. rsync is your friend
here.
As for blocking based on geographical source of IPs -- I see where
you're coming from, but you've missed out one of the largest
territories that is the source of this sort of thing, namely the
USA.
The best strategy IMHO is to foil the automated password guessers
but not using passwords. SSH key based auth works nicely, is easy to
setup and use and is unfeasible to break by trial and error across a
remote network connection. Using firewall blocking on top of this
is still useful (to reduce the noise in the log files and stop system
resources being sucked up by SSH's crypto requirements) but it shouldn't
be a necessity.
Cheers,
Matthew
--
Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard
Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
Kent, CT11 9PW
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 258 bytes
Desc: OpenPGP digital signature
Url : http://lists.freebsd.org/pipermail/freebsd-hackers/attachments/20080930/68d06f3c/signature.pgp
More information about the freebsd-hackers
mailing list