pf suggestions for paced attack

Daniel Bye freebsd-questions at slightlystrange.org
Tue May 4 11:16:06 UTC 2010


On Mon, May 03, 2010 at 11:39:33AM -0500, John wrote:
> Hi, Matthew.  Indeed, yes, you may not recall, but my rules are
> based on a set that I originally got from you, and I do, in fact,
> have a white list, which I should have mentioned, but some of my
> users are "road warriors" and could be coming from virtually anywhere.
> You're right, though - it's time to look into alternatives to
> password-based authentication.  I think I've taken password-based
> protection and rate adaptive rules to their logical limit.

Depending on the platforms these people use, you might find OpenVPN
useful. It has some excellent features for protecting against the sort
of attack you are seeing, if you use the default UDP transport. The
setup is really quite simple, and it runs on *BSD, Linux, Mac OS X and
Windows (probably others, but I've never needed to use it anywhere but
the 4 listed). You can then allow users on the VPN to access ssh, along
with the whitelisted addresses already in your pf tables. I've been
using this setup for a while, and am very happy with it.

Dan

-- 
Daniel Bye
                                                                     _
                                              ASCII ribbon campaign ( )
                                         - against HTML, vCards and  X
                                - proprietary attachments in e-mail / \
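As an added illustration of the setup described above (this is not code from either mail, and the names are assumptions: em0 as the Internet-facing interface, tun0 as the OpenVPN tunnel interface, OpenVPN on its default UDP port 1194, and a whitelist kept in /etc/pf.whitelist), one way to express it in pf.conf is to let ssh in only from the VPN or from the whitelist table, while the rate-adaptive overload rule still catches a whitelisted host that starts hammering:

```pf
ext_if = "em0"        # assumed: Internet-facing interface
vpn_if = "tun0"       # assumed: OpenVPN tunnel interface
table <whitelist> persist file "/etc/pf.whitelist"   # assumed file of trusted sources
table <bruteforce> persist                           # filled by the overload rule below

set skip on lo0
block all             # default deny on every interface

# Drop anything already identified as a brute-forcer before any pass rule.
block in quick on $ext_if from <bruteforce>

# OpenVPN itself (default UDP transport) stays reachable from anywhere;
# password guessing against ssh cannot even start until the VPN handshake succeeds.
pass in on $ext_if proto udp to ($ext_if) port 1194 keep state

# Road warriors reach ssh only through the tunnel.
pass in on $vpn_if proto tcp to ($vpn_if) port ssh keep state

# Fixed-address users keep their whitelisted path, still rate-limited:
# more than 3 new connections in 30 s (or 10 concurrent) moves the source
# into <bruteforce> and flushes its existing states.
pass in on $ext_if proto tcp from <whitelist> to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 3/30, overload <bruteforce> flush global)

# Let the box and the tunnel talk out normally.
pass out on $ext_if keep state
pass out on $vpn_if keep state
```

Entries in the overload table can be aged out periodically with `pfctl -t bruteforce -T expire 86400` from cron so a whitelisted host that tripped the limit once is not locked out for good.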