SSHguard & IPFW
smithi at nimnet.asn.au
Thu Oct 1 08:32:54 UTC 2015
On Thu, 1 Oct 2015 08:52:47 +0200, Nino J wrote:
> On Wed, Sep 30, 2015 at 7:58 PM, Ian Smith <smithi at nimnet.asn.au> wrote:
> > I'm more paranoid and only allow addresses in a table to access sshd's
> > port, with a couple of roaming users who need to check mail to update
> > their IP before login .. but this is great news for sshguard users.
> It's not necessarily paranoid. It depends on your risk assessment. I'm
> primarily defending against bruteforce attacks and sshguard effectively
> solves that. If I were concerned about possible vulnerability in sshd that
> would allow an attacker to bypass the login process or crash sshd on a
> machine where ssh access is critical, restricting access to known IPs only
> would be a perfectly reasonable solution.
Well I'm not as concerned about sshd vulnerabilities as I am about lots
of superfluous logging from (usually) oft-repeated drive-by attempts on
port 22, often across all 6 IPs of a /29. And yes, I prefer using port
22, despite the relief that using alternative ports does offer, mainly
to keep things simple for users. This way, all other hosts attempting
connections to port 22 simply vanish.
> On a side note, if I understood correctly, you're modifying IPFW rules
> based on a user successfully checking mail, basically a sort of
> port-knocking? Or I totally misinterpreted? :)
Yes, but not modifying the ruleset, just adding addresses to table(22).
This is done from a 5-minutely cron running a script that parses pop.log
for successful mailchecks by specified users from their nominated ISP/s,
adding their IP address with current timestamp to the table. Users know
the drill and it's worked without drama since 2007, although there's now
only one such login user (apart from me :) remaining in our little club.
Horses for courses; sshguard is surely a useful approach for hosts with
more users, where maintaining my ad-hoc solution would be more arduous.
More information about the freebsd-questions
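Ian's cron-driven table update, as an added example that is not his script and is not part of the original thread. It assumes a pop.log line format (constructed here; a real POP daemon's will differ), a hypothetical user-to-netblock list, the rule numbers of the accompanying ipfw ruleset, and that the epoch time stored as the table value is meant for ageing entries out later; none of these are stated in the post.

```shell
#!/bin/sh
# Added example (not Ian Smith's script): allow-listing ssh clients in an
# ipfw table from successful POP logins.  Assumed companion rules:
#   ipfw add 1000 allow tcp from "table(22)" to me 22 setup
#   ipfw add 1010 deny  tcp from any to me 22
# so anything not in table 22 never reaches sshd and never shows up in its log.

TABLE=22
IPFW="${IPFW:-ipfw}"     # set IPFW=echo to dry-run on a box without ipfw

# Hypothetical club members and their nominated ISP netblocks (user:cidr,cidr).
ALLOWED_USERS="alice:203.0.113.0/24,198.51.100.0/24 bob:192.0.2.0/24"

# Constructed pop.log sample; adjust parse_pop_log to the real daemon's format.
sample_log() {
  cat <<'EOF'
Oct  1 08:05:12 mail pop3d[4321]: LOGIN OK user=alice ip=203.0.113.7
Oct  1 08:06:40 mail pop3d[4321]: LOGIN FAILED user=alice ip=198.51.100.9
Oct  1 08:07:03 mail pop3d[4321]: LOGIN OK user=alice ip=192.0.2.50
Oct  1 08:08:15 mail pop3d[4321]: LOGIN OK user=mallory ip=203.0.113.8
Oct  1 08:09:00 mail pop3d[4321]: LOGIN OK user=bob ip=192.0.2.50
Oct  1 08:09:30 mail pop3d[4321]: LOGIN OK user=alice ip=203.0.113.7
EOF
}

# Print "user ip" for every successful login whose ip looks like a dotted quad
# (anything else is dropped rather than handed to ipfw).
parse_pop_log() {
  awk '/LOGIN OK/ {
         u = ""; a = ""
         for (i = 1; i <= NF; i++) {
           if ($i ~ /^user=/) u = substr($i, 6)
           if ($i ~ /^ip=/)   a = substr($i, 4)
         }
         if (u != "" && a ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) print u, a
       }' "$1"
}

# Exit 0 if IPv4 address $1 is inside CIDR $2.  Plain awk arithmetic: two
# addresses share a /n prefix iff they agree after integer division by 2^(32-n).
in_cidr() {
  awk -v ip="$1" -v cidr="$2" '
    function toint(s,  o) { split(s, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
    BEGIN {
      split(cidr, c, "/"); len = (c[2] == "") ? 32 : c[2]; div = 2 ^ (32 - len)
      exit !(int(toint(ip) / div) == int(toint(c[1]) / div))
    }'
}

# Print "ip user" for logins that are (a) by a listed user and (b) from one of
# that user's netblocks; duplicates collapsed so each address is added once.
allowed_logins() {
  parse_pop_log "$1" | sort -u | while read -r user ip; do
    for entry in $ALLOWED_USERS; do
      [ "${entry%%:*}" = "$user" ] || continue
      for net in $(printf '%s' "${entry#*:}" | tr ',' ' '); do
        if in_cidr "$ip" "$net"; then printf '%s %s\n' "$ip" "$user"; break; fi
      done
    done
  done
}

# Refresh the table: the value stored with each address is this run's epoch
# time (assumption: a sibling job ages out entries older than some limit).
# Deleting first avoids ipfw refusing an address that is already present.
update_table() {
  now=$(date +%s)
  allowed_logins "$1" | while read -r ip user; do
    "$IPFW" table "$TABLE" delete "$ip" 2>/dev/null || true
    "$IPFW" table "$TABLE" add "$ip" "$now"
  done
}

if [ $# -gt 0 ]; then
  update_table "$1"   # cron: */5 * * * * root /usr/local/sbin/popknock.sh /var/log/pop.log
else
  tmp=$(mktemp "${TMPDIR:-/tmp}/popknock.XXXXXX")
  sample_log > "$tmp"; IPFW=echo update_table "$tmp"; rm -f "$tmp"
fi
```

Run with no arguments to see the ipfw commands the constructed log would produce (the dry run only echoes them); with a log path it talks to ipfw. The netblock check is what keeps a stolen POP password from opening port 22 from anywhere: a successful login from outside the user's nominated ISP is simply ignored.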