Thousands of ssh probes

Sat Mar 6 01:44:17 UTC 2010

On 05/03/10 13:54, John wrote:
> My nightly security logs have thousands upon thousands of ssh probes
> in them.  One day, over 6500.  This is enough that I can actually
> "feel" it in my network performance.  Other than changing ssh to
> a non-standard port - is there a way to deal with these?  Every
> day, they originate from several different IP addresses, so I can't
> just put in a static firewall rule.  Is there a way to get ssh
> to quit responding to a port or a way to generate a dynamic pf
> rule in cases like this?

This is a frequent question on the list; search the archives. Basically 
there are a few things that you can do:

1. limit the access to a range of IPs. For example, even if you travel a 
lot you go to a limited number of countries, so why permit access from 
other continents?

2. limit access to certain users; there is no need to allow games or 
the root user to authenticate via ssh. Use AllowUsers or AllowGroups to 
restrict access to real users.

3. limit the amount of concurrent non-authenticated connections, number 
of failed attempts and similar.

4. prohibit password authentication.

If the problem is that these attacks consume significant bandwidth then 
moving your service to a different port may be a good solution, but if 
your concern is security, then the above is more effective.
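A pf.conf fragment that implements points 1 and 3 above together with the dynamic rule John asks about, added here as an example and not part of the original reply. The interface name and the address ranges in <admin_nets> are made up; the sshd_config directives in the trailing comment are real OpenSSH options, listed for pairing with the pf rule.

```pf
ext_if = "em0"                                    # assumed external interface

# Sources caught by the overload rule below end up here; 'persist' keeps the
# table across ruleset reloads.
table <bruteforce> persist

# Point 1: the networks you actually administer from (constructed example ranges)
table <admin_nets> { 203.0.113.0/24, 198.51.100.0/24 }

# Anything already in the overload table is dropped before any other rule.
block in quick on $ext_if from <bruteforce> to any

# Weak: answers every source and lets one host try as often as it likes.
# pass in on $ext_if proto tcp to ($ext_if) port ssh keep state

# Point 3: only listed networks, at most 5 concurrent connections per source,
# and any source opening more than 5 new connections in 30 seconds is added
# to <bruteforce> and its existing states are flushed.
pass in on $ext_if proto tcp from <admin_nets> to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn 5, max-src-conn-rate 5/30, overload <bruteforce> flush global)

# Housekeeping (cron, once a day): drop entries older than 24 hours so a
# mistyped password from your own range does not lock you out forever.
#   pfctl -t bruteforce -T expire 86400
#
# Pair with sshd_config for points 2, 3 and 4:
#   AllowGroups wheel
#   MaxStartups 10:30:60
#   MaxAuthTries 3
#   PasswordAuthentication no
```

Load with `pfctl -f /etc/pf.conf` and watch the table fill with `pfctl -t bruteforce -T show`; a source you expect to see there and do not is a sign the rate thresholds are too generous for the probe pattern in your logs.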

