Cutting down on ssh breakin attempts

John Pettitt jpp at cloudview.com
Mon Mar 14 23:18:01 PST 2005



Kyle Jensen wrote:

>Hi,
>
>I run a webmail server for a small company, which
>is (of course) running FreeBSD 5-stable.  I get about
>50-100 failed login attempts via ssh on a daily basis.
>
>Occasionally, these show up in my daily security digest
>with messages like:
>
>reverse mapping checking getaddrinfo for h169-210-68-8.adcast.com.tw failed - POSSIBLE BREAKIN ATTEMPT!
>
>But mostly it's stuff like
>
>Illegal user postgres from 210.68.8.169
>
>What's the best way to cut down on these attempts?
>I thought about adding a blacklist to my pf.conf rules
>for the pf firewall.
>
>Any thoughts would be greatly appreciated!
>Kyle
>
Four suggestions:
1) If you know where your valid ssh logins are going to come from, filter
out everything else.
2) If you haven't already done so, switch to public key authentication on
ssh and disable password logins (doesn't stop the attempts but gives
peace of mind that they are not going to work).
3) Move your sshd to a non-standard port (will stop the scripts and
scanners but won't make any difference to a good blackhat).
4) Implement a port knocking strategy (too much hassle in my view but YMMV).
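As an added example (not code from Kyle's or John's posts), here is a small POSIX sh script that does what Kyle was considering: it reads sshd lines of the "Illegal user ... from <ip>" shape shown above, counts failures per source address, and feeds repeat offenders into a pf table. The log line layout, the table name `bruteforce`, the function names and the threshold are all assumptions; the sample log lines are constructed, with the address from Kyle's post plus documentation-range addresses.

```shell
#!/bin/sh
# Constructed sample of sshd lines as they might appear in /var/log/auth.log.
# Only the "Illegal user ... from <ip>" (newer sshd: "Invalid user") and
# "Failed password for ... from <ip>" shapes are matched; other lines are ignored.
SAMPLE_LOG='Mar 14 22:01:12 mail sshd[4411]: Illegal user postgres from 210.68.8.169
Mar 14 22:01:15 mail sshd[4413]: Illegal user oracle from 210.68.8.169
Mar 14 22:01:19 mail sshd[4415]: Illegal user test from 210.68.8.169
Mar 14 22:02:03 mail sshd[4420]: Failed password for root from 210.68.8.169 port 3921 ssh2
Mar 14 22:05:40 mail sshd[4431]: Illegal user admin from 192.0.2.77
Mar 14 22:10:01 mail sshd[4440]: Accepted publickey for kyle from 198.51.100.9 port 51022 ssh2'

# offenders <threshold>  (log on stdin)
# Prints "count ip" for every source address with at least <threshold>
# failed attempts, highest count first.
offenders() {
    threshold="$1"
    awk -v t="$threshold" '
        /sshd\[[0-9]+\]: (Illegal|Invalid) user .* from / ||
        /sshd\[[0-9]+\]: Failed password for .* from / {
            # the source address is the field right after the literal "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= t) print n[ip], ip }
    ' | sort -rn
}

# block_offenders <threshold> <table>  (log on stdin)
# Adds each offender to a pf table. Assumes pf.conf already declares the
# table and a rule that uses it (assumed snippet):
#   table <bruteforce> persist
#   block in quick on $ext_if proto tcp from <bruteforce> to any port 22
# With DRY_RUN=1 the pfctl command is printed instead of executed.
block_offenders() {
    threshold="$1"; table="$2"
    offenders "$threshold" | while read count ip; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "pfctl -t $table -T add $ip"
        else
            pfctl -t "$table" -T add "$ip"
        fi
    done
}

# Typical use from cron, e.g. every few minutes:
#   block_offenders 5 bruteforce < /var/log/auth.log
```

Run from cron against the live log; the threshold keeps a single mistyped password from locking out a legitimate user, and because the table is `persist` the addresses stay blocked across rule reloads (clear it with `pfctl -t bruteforce -T flush`). John's second and third suggestions are sshd_config changes rather than pf ones: `PasswordAuthentication no` together with `ChallengeResponseAuthentication no` leaves only key-based logins, and `Port <n>` moves the listener off 22.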

