Defending against SSH attacks with pf

Bill Moran wmoran at
Wed Apr 25 12:45:02 UTC 2007

In response to Christopher Hilton <chris at>:

> Erik Osterholm wrote:
> > On Sun, Apr 15, 2007 at 08:02:55PM -0400, Bill Moran wrote:
> >> There was some discussion on this list not too long ago, and someone
> >> asked if I was willing to make my pf config and the associated scripts
> >> I wrote for it public.  I would have posted on the original thread,
> >> but I can't find it now.
> >>
> >> Here is the information:
> >>
> >>
> First: I'm not sure if the group got to it and I'm posting to a very 
> stale thread here but I've found that the best way to defeat these 
> password scanning ssh bots is to disallow passwords allowing 
> public/private key authentication in their stead. Unfortunately this 
> isn't always possible. Bill's method is a very close second.

I'm a big fan of PKI, but PKI suffers from one major problem, and it's
the same flaw that physical keys suffer from: you have to have the key
with you.

With a password, I'm always guaranteed to have access.  Just give me any
computer that has an SSH client available.  With PKI, I'm hosed if I don't
have a copy of my private key on a jump drive or something.

I'm always torn because of this.  I really like the added security of PKI,
but history has taught me that I'll need access at a critical time when
I _don't_ have a key with me.  As a result, I've decided to use password
auth on this particular server.

> Second: I love the simplicity of the stateless firewall rules in Bill's 
> pf.conf. I may have to look at implementing that here.

I'm not 100% sure, but I believe the disadvantage of the stateless approach
is that pf can't do packet normalization without state.  Thus a scrub
statement will have no effect on stateless traffic.  Again, in my case
I have enough faith in FreeBSD's TCP stack that I've deemed this an
acceptable risk.  If you're using pf to protect a bunch of Windows servers,
you may want to reconsider stateless rules.

Bill Moran

More information about the freebsd-questions mailing list