Thousands of ssh probes

mikel king mikel.king at olivent.com
Fri Mar 5 15:19:21 UTC 2010


On Mar 5, 2010, at 8:26 AM, John wrote:

> On Fri, Mar 05, 2010 at 07:03:53AM -0600, Programmer In Training  
> wrote:
>> On 03/05/10 06:54, John wrote:
>>> My nightly security logs have thousands upon thousands of ssh probes
>>> in them.  One day, over 6500.  This is enough that I can actually
>>> "feel" it in my network performance.  Other than changing ssh to
>>> a non-standard port - is there a way to deal with these?  Every
>>> day, they originate from several different IP addresses, so I can't
>>> just put in a static firewall rule.  Is there a way to get ssh
>>> to quit responding to a port or a way to generate a dynamic pf
>>> rule in cases like this?
>>
>> Can you not deny all ssh attempts and then allow only from certain,
>> trusted IPs?
>
> Ah, I should have added that I travel a fair amount, and often
> have to get to my systems via hotel WiFi or Aircard, so it's
> impossible to predict my originating IP address in advance.  If
> that were not the case, this would be an excellent suggestion.

Way back about 10 years ago, I was playing around with IPFW a lot. I wrote a script to update IPFW from changes made to a MySQL db. It was a just-for-fun project that turned out to be rather useful. I had some developers that I managed who, like you, were road warriors. They logged in to the https web page with their username and password, which grabbed their IP address and stored it in a table with their login id.

The script, called fud (for firewall update daemon), connected to the db and ran a query to check for any rule changes. If there were any, it would apply them to the rule set and clear the change flag. Using this combination I was able to allow ssh access only to the necessary IP addresses.

I kind of scrapped it when VPNs became easier to deploy, and I have no idea where this set of scripts is now, but it would be rather trivial to build a new version.

If anyone thinks it's worth revisiting, hit me off list.

Cheers,
Mikel King
CEO, Olivent Technologies
Senior Editor, BSD News Network
Columnist, BSD Magazine
6 Alpine Court,
Medford, NY 11763
o: 631.627.3055 c: 631.796.1499
skype:mikel.king
http://olivent.com
http://www.linkedin.com/in/mikelking
http://twitter.com/mikelking
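The fud design sketched in this post (login page records the IP, a daemon polls the table for flagged rows, applies them to the firewall and clears the flag), as an added example that is not Mikel's script. It assumes an in-memory SQLite table standing in for the MySQL db, a `prev_ip` column so a stale address can be removed when a road warrior moves on, and an ipfw lookup table referenced by one static rule instead of per-user rules; the `run` callback receives each command, so `print` gives a dry run.

```python
import ipaddress
import sqlite3

# Constructed stand-in for the MySQL table the HTTPS login page wrote to: one row
# per login id with the current and previous source IP and a change flag.
SCHEMA = """CREATE TABLE ssh_access (login_id TEXT PRIMARY KEY, ip TEXT NOT NULL,
                                      prev_ip TEXT, changed INTEGER NOT NULL DEFAULT 1)"""
SAMPLE_ROWS = [  # constructed sample data, RFC 5737 documentation addresses
    ("alice", "203.0.113.7", "203.0.113.99", 1),  # new hotel: drop old IP, add new
    ("bob", "198.51.100.22", None, 1),            # first login, nothing to remove
    ("carol", "192.0.2.9", None, 0),              # already applied, no change pending
    ("mallory", "1.2.3.4; rm -rf /", None, 1),    # junk value: must never reach ipfw
]
TABLE_NO = 1  # hypothetical ipfw lookup table that a static rule points at, e.g.
              # 'ipfw add 1000 allow tcp from table(1) to me 22 setup keep-state'

def open_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO ssh_access VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn

def as_ipv4(value):
    """Canonical IPv4 string, or None: the DB value is untrusted, so validate it."""
    try:
        return str(ipaddress.IPv4Address(value))
    except (ValueError, TypeError):
        return None

def apply_pending(conn, run):
    """One fud pass: emit ipfw table updates for flagged rows via run(cmd), then
    clear the flag. Returns (commands issued, login ids whose IP was rejected)."""
    issued, rejected = [], []
    rows = conn.execute("SELECT login_id, ip, prev_ip FROM ssh_access "
                        "WHERE changed = 1 ORDER BY login_id").fetchall()
    for login_id, ip, prev_ip in rows:
        new, old = as_ipv4(ip), as_ipv4(prev_ip)
        if new is None:
            rejected.append(login_id)  # flag is still cleared so it is not retried forever
        else:
            cmds = [f"ipfw table {TABLE_NO} add {new}"]
            if old and old != new:  # remove the stale entry so the allowlist does not grow
                cmds.insert(0, f"ipfw table {TABLE_NO} delete {old}")
            for cmd in cmds:
                run(cmd)  # pass print for a dry run, or a subprocess wrapper to apply
            issued.extend(cmds)
        conn.execute("UPDATE ssh_access SET changed = 0 WHERE login_id = ?", (login_id,))
    conn.commit()
    return issued, rejected
```

`apply_pending(open_sample_db(), print)` shows the three commands one poll would issue and reports `mallory` as rejected; a real daemon would loop on this with a sleep, and should log rejected rows since they indicate a bug in, or tampering with, the login page.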


