Thousands of ssh probes

John john at starfire.mn.org
Fri Mar 5 15:44:42 UTC 2010


On Fri, Mar 05, 2010 at 10:19:09AM -0500, mikel king wrote:
> 
> On Mar 5, 2010, at 8:26 AM, John wrote:
> 
> >On Fri, Mar 05, 2010 at 07:03:53AM -0600, Programmer In Training  
> >wrote:
> >>On 03/05/10 06:54, John wrote:
> >>>My nightly security logs have thousands upon thousands of ssh probes
> >>>in them.  One day, over 6500.  This is enough that I can actually
> >>>"feel" it in my network performance.  Other than changing ssh to
> >>>a non-standard port - is there a way to deal with these?  Every
> >>>day, they originate from several different IP addresses, so I can't
> >>>just put in a static firewall rule.  Is there a way to get ssh
> >>>to quit responding to a port or a way to generate a dynamic pf
> >>>rule in cases like this?
> >>
> >>Can you not deny all ssh attempts and then allow only from certain,
> >>trusted IPs?
> >
> >Ah, I should have added that I travel a fair amount, and often
> >have to get to my systems via hotel WiFi or Aircard, so it's
> >impossible to predict my originating IP address in advance.  If
> >that were not the case, this would be an excellent suggestion.
> 
> Way back about 10 years ago, I was playing around with IPFW a lot. I  
> wrote a script to update IPFW from changes made to a MySql db. It was  
> a just-for-fun project that turned out to be rather useful. I have  
> some developers that I managed who, like you, were road warriors. They  
> logged in to the https web page w/ their username and password, which  
> grabbed their IP address and stored it in a table with their login  
> id.
> 
> The script called fud (for firewall update daemon) connected to the db  
> and ran a query to check for any rule changes. If there were it would  
> apply them to the rule set and clear the change flag. Using this  
> combination I was able to allow ssh access only to the necessary ip  
> addresses.
> 
> I kind of scrapped it when VPNs became easier to deploy and I have no  
> idea where this set of scripts is now, but it would be rather trivial  
> to build a new version.
> 
> If anyone thinks it's worth revisiting hit me off list.

Maybe I'll have to learn how to do a VPN from FreeBSD....

One thought that occurs to me is that pf tables would provide a
direct API without having to hit a database.

I think I really like this.  I may have to implement it for pf. 
It should be really easy with CGI and calls to pfctl.
-- 

John Lind
john at starfire.MN.ORG
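The pf-table variant John sketches above (a CGI that calls pfctl so ssh is passed only from the address a user just authenticated from), as an added example that is not from the thread or any poster. The table name sshallow, the pf.conf fragment, the cron line and the script's variable names are assumptions.

```shell
#!/bin/sh
# Added example: a CGI helper that adds the authenticated client's address
# to a pf table, so ssh is only reachable from addresses a user has just
# logged in from. Assumed pf.conf fragment (table name is an assumption):
#   table <sshallow> persist
#   block in on egress proto tcp to port 22
#   pass in on egress proto tcp from <sshallow> to port 22
# Suggested cron entry to drop entries older than a day:
#   */10 * * * * /sbin/pfctl -t sshallow -T expire 86400
PFCTL="${PFCTL:-/sbin/pfctl}"
TABLE="${TABLE:-sshallow}"

# Accept only a dotted-quad IPv4 address so that nothing the client can
# influence is ever passed to pfctl unchecked.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]) [ "$octet" -le 255 ] || return 1 ;;
            *) return 1 ;;
        esac
    done
    return 0
}
# Build the pfctl command for one address; fails on anything invalid.
ssh_allow_cmd() {
    valid_ipv4 "$1" || return 1
    echo "$PFCTL -t $TABLE -T add $1"
}
# Validate, then actually add the address to the table.
grant_ssh() {
    cmd=$(ssh_allow_cmd "$1") || { echo "refusing address: $1" >&2; return 1; }
    $cmd
}
# Only when run as a CGI (the server sets GATEWAY_INTERFACE). Authentication
# must already be enforced by the web server in front of this script;
# REMOTE_ADDR is set by the server, not the client, so it is the value to use.
if [ -n "$GATEWAY_INTERFACE" ]; then
    printf 'Content-Type: text/plain\r\n\r\n'
    if grant_ssh "$REMOTE_ADDR"; then
        echo "ssh allowed from $REMOTE_ADDR"
    else
        echo "request refused"
    fi
fi
```

The table survives pfctl reloads because of `persist`, and the cron line's `-T expire` keeps a forgotten login from leaving a hotel address allowed forever.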
