Thousands of ssh probes
Erik Norgaard
norgaard at locolomo.org
Sat Mar 6 01:44:17 UTC 2010
On 05/03/10 13:54, John wrote:
> My nightly security logs have thousands upon thousands of ssh probes
> in them. One day, over 6500. This is enough that I can actually
> "feel" it in my network performance. Other than changing ssh to
> a non-standard port - is there a way to deal with these? Every
> day, they originate from several different IP addresses, so I can't
> just put in a static firewall rule. Is there a way to get ssh
> to quit responding to a port or a way to generate a dynamic pf
> rule in cases like this?
This is a frequent question on the list, search the archives. Basically
there are few things that you can do:
1. limit the access to a range of IPs, for example, even if you travel a
lot you go to al limited number of countries, why permit access from
other continents?
2. limit access to certain users, there is no need to allow games or
root user to authenticate via ssh. Use AllowUsers or AllowGroups to
restrict access to real users.
3. limit the amount of concurrent non-authenticated connections, number
of failed attempts and similar.
4. prohibit password authentication.
If the problem is that these attacks consume significant bandwidth then
moving your service to a different port may be a good solution, but if
your concern is security, then the above is more effective.
BR, Erik
--
Erik Nørgaard
Ph: +34.666334818/+34.915211157 http://www.locolomo.org
More information about the freebsd-questions
mailing list