sshguard pf

jd1008 jd1008 at
Tue Nov 4 20:23:35 UTC 2014

On 11/04/2014 12:36 PM, Charlie Root wrote:
> On Tue, Nov 04, 2014 at 10:31:42AM -0500, Lowell Gilbert wrote:
>> Hasse Hansson <hasse at> writes:
>>> I'm aware of changing port for ssh, but I see it as a little bit of "giving up"
>>> Gotta be some rather easy way of just blocking those attacks. Other than blocking
>>> whole of CN and half of Asia. I've tried that too. It stopped the attacks and gave
>>> me some room to think it over.
>> Changing the port won't help you avoid attacks that might succeed, but
>> it will substantially reduce the clutter that you need to look through.
>> I don't do it because I've had problems with paranoid networks blocking
>> everything but a few special ports, where ssh is one of the allowed
>> ones, but I don't know if anybody's still doing anything that silly.
>>> But I still wonder why sshguard or pf don't block those attacks.
>>> sshguard does its job on other probes, but not the root logins. PF doesn't seem
>>> to do much at all.
>> Firewalls won't help detect the attack. They can be used to keep someone
>> out once the attack has been detected. I don't know sshguard, so I can't
>> tell you why it isn't working for you, but there certainly are ports
>> that can do so. I use bruteblock, for example, but I know there are
>> several other options that do the same thing.
> Thank you all for your answers and effort to help.
> I'm interested in trying out bruteblock, but a little bit confused. (not unusual)
> Does "bruteblock" require me to run ipfw2 as my firewall?
> <snip from pkg-descr>
> Bruteblock is written in pure C, doesn't use any
> external programs and work with ipfw2 tables via raw sockets API.
> </snip>
> /hasse

How about creating a firewall rule that allows ssh only from known IPs
in addition to changing the port number?
Yes, I know, IP addresses can be spoofed, but as Charlie says, it will
reduce the crap you have to deal with.
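
The allow-list suggestion above, sketched as a pf.conf fragment alongside the sshguard table discussed earlier in the thread. This is an added example, not part of the original message; the interface name, port number and addresses are assumptions (the addresses are documentation ranges).

```conf
# Added example with assumed values; replace them with your own.
ext_if   = "em0"     # assumption: external interface name
ssh_port = "2222"    # assumption: non-default port, must match Port in sshd_config

# Known client addresses (constructed sample, RFC 5737 documentation ranges).
table <ssh_allowed> persist { 192.0.2.10, 198.51.100.0/24 }

# Table that sshguard's pf backend fills with offending addresses.
table <sshguard> persist

# Drop anything sshguard has already flagged, before any other rule is considered.
block in quick on $ext_if from <sshguard>

# Default-deny the ssh port, then let the known addresses through.
# pf applies the last matching rule, so the pass below overrides the
# block only for sources listed in <ssh_allowed>.
block in log on $ext_if proto tcp from any to any port $ssh_port
pass  in     on $ext_if proto tcp from <ssh_allowed> to any port $ssh_port keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and keep a console or second session open so a mistake in the allow-list does not lock you out. Addresses can be added later without a reload using `pfctl -t ssh_allowed -T add <address>`.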
