prompt solution with max-src-conn-rate

Viktor Vasilev viktor.vasilev at stud.tu-darmstadt.de
Mon May 15 16:23:28 UTC 2006


On Monday 15 May 2006 18:07 Bill Marquette wrote:
> On 5/15/06, GreenX FreeBSD <freebsd at azimut-tour.ru> wrote:
> > > I'd advise against what you're trying to do. It won't make your box
> > > more secure.
> >
> > Why?
> > Simply so, on ssh you will not come any more.
> > If I am not mistaken, probability of that the scanner will begin the
> > check with "key" port,
> > and further at once will check up sshd is equal - 1 / (0xFFFF*0xFFFE).
> > If he will not make it this, he can be caught on max-src-conn-rate
> > concerning public services,
> > and to put for his forward from all ports on ssh localhost.
>
> And you always connect from a trusted network?  Presumably the answer
> to this is no, else you'd just put rules in to allow the trusted
> network to connect.  Port-knocking is security through obscurity at
> its best and at a minimum is wide open to replay attacks.
>
> If the concern is simply that you don't want someone brute forcing an
> account, force the use of SSH authorized keys.  Run a script watching
> the logs for anyone failing logins and add those addresses to a block
> list.

There is a nice and easy way to block ssh brute-force attempts with pf 
only:

  http://legonet.org/~griffin/openbsd/block_ssh_bruteforce.html


Cheers,
Vik
-- 
PGP Key: 0xE09DC8D8/6799 4011 EBDE 6412 05A1 090C DBDF 5887 E09D C8D8
Signed/encrypted mail welcome!
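The pf-only approach referred to above, written out as a pf.conf fragment. This is an added example, not code from the linked page or from anyone in this thread; the interface macro `$ext_if`, the table name `<bruteforce>` and the rate/limit numbers are assumptions chosen for illustration.

```conf
# Interface facing the untrusted network (assumed name)
ext_if = "em0"

# Table that collects offending source addresses; "persist" keeps the
# table defined even while it is empty.
table <bruteforce> persist

# Drop anything from an address that has already been flagged.
block in quick on $ext_if from <bruteforce>

# Allow SSH, but track each source: more than 10 simultaneous
# connections, or more than 3 new connections within 30 seconds,
# puts the source into <bruteforce> and kills its existing states.
pass in on $ext_if proto tcp to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 3/30, \
     overload <bruteforce> flush global)
```

Because pf never removes table entries on its own, a periodic `pfctl -t bruteforce -T expire 86400` (for example from cron) releases addresses that have been in the table for more than a day, so a legitimate user who tripped the limit is not locked out forever. `pfctl -t bruteforce -T show` lists what is currently blocked.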