Thousands of ssh probes

[dacoder]

+++ Erik Norgaard [06/03/10 02:44 +0100]:
>On 05/03/10 13:54, John wrote:
>>My nightly security logs have thousands upon thousands of ssh probes
>>in them.  One day, over 6500.  This is enough that I can actually
>>"feel" it in my network performance.  Other than changing ssh to
>>a non-standard port - is there a way to deal with these?  Every
>>day, they originate from several different IP addresses, so I can't
>>just put in a static firewall rule.  Is there a way to get ssh
>>to quit responding to a port or a way to generate a dynamic pf
>>rule in cases like this?
>
>This is a frequent question on the list, search the archives. Basically 
>there are few things that you can do:
>
>1. limit the access to a range of IPs, for example, even if you travel a 
>lot you go to al limited number of countries, why permit access from 
>other continents?
>
>2. limit access to certain users, there is no need to allow games or 
>root user to authenticate via ssh. Use AllowUsers or AllowGroups to 
>restrict access to real users.
>
>3. limit the amount of concurrent non-authenticated connections, number 
>of failed attempts and similar.
>
>4. prohibit password authentication.
>
>If the problem is that these attacks consume significant bandwidth then 
>moving your service to a different port may be a good solution, but if 
>your concern is security, then the above is more effective.
>
>BR, Erik
>
>-- 
>Erik Nørgaard
>Ph: +34.666334818/+34.915211157                  http://www.locolomo.org
>_______________________________________________
>freebsd-questions at freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"

-- 
has anybody suggested having sshd listen on a high port?

regards,

david coder
network engineer emeritus, verio/ntt
telluride, co & washington, dc