sshguard pf

[Lowell Gilbert]

Hasse Hansson <hasse at thorshammare.org> writes:

> I'm aware of changing port for ssh, but I see it as a little bit of "givingup"
> Gotta be some rather easy way of just blocking those attacks. Other than blocking
> whole of CN and half of Asia. I've tried that too. It stopped the attacks and gave
> me some room to think it over.

Changing the port won't help you avoid attacks that might succeed, but
it will substantially reduce the clutter that you need to look through.

I don't do it because I've had problems with paranoid networks blocking
everything but a few special ports, where ssh is one of the allowed
ones, but I don't know if anybody's still doing anything that silly.

> But I still wonder why sshguard or pf don't block those attacks.
> shguard does it job on other probes, but not the root logins. PF doesn't seem
> to do much at all.

Firewalls won't help detect the attack. They can be used to keep someone
out once the attack has been detected. I don't know sshguard, so I can't
tell you why it isn't working for you, but there certainly are ports
that can do so. I use bruteblock, for example, but I know there are
several other options that do the same thing.