Defending against SSH attacks with pf
Bill Moran
wmoran at potentialtech.com
Wed Apr 25 12:45:02 UTC 2007
In response to Christopher Hilton <chris at vindaloo.com>:
> Erik Osterholm wrote:
> > On Sun, Apr 15, 2007 at 08:02:55PM -0400, Bill Moran wrote:
> >> There was some discussion on this list not too long ago, and someone
> >> asked if I was willing to make my pf config and the associated scripts
> >> I wrote for it public. I would have posted on the original thread,
> >> but I can't find it now.
> >>
> >> Here is the information:
> >> http://www.potentialtech.com/cms/node/16
> >>
>
> First: I'm not sure if the group got to it and I'm posting to a very
> stale thread here but I've found that the best way to defeat these
> password scanning ssh bots is to disallow passwords allowing
> public/private key authentication in their stead. Unfortunately this
> isn't always possible. Bill's method is a very close second.
I'm a big fan of PKI, but PKI suffers from one major problem, and it's
the same flaw that physical keys suffer from: you have to have the key
with you.
With a password, I'm always guaranteed to have access. Just give me any
computer that has an SSH client available. With PKI, I'm hosed if I don't
have a copy of my private key on a jump drive or something.
I'm always torn because of this. I really like the added security of PKI,
but history has taught me that I'll need access at a critical time when
I _don't_ have a key with me. As a result, I've decided to use password
auth on this particular server.
> Second: I love the simplicity of the stateless firewall rules in Bill's
> pf.conf. I may have to look at implementing that here.
I'm not 100% sure, but I believe the disadvantage of the stateless approach
is that pf can't do packet normalization without state. Thus a scrub
statement will have no effect on stateless traffic. Again, in my case
I have enough faith in FreeBSD's TCP stack that I've deemed this an
acceptable risk. If you're using pf to protect a bunch of Windows servers,
you may want to reconsider stateless rules.
--
Bill Moran
http://www.potentialtech.com
More information about the freebsd-questions
mailing list