openssh concerns
Peter
fbsdq at peterk.org
Tue Oct  6 05:31:33 UTC 2009

> Hej All,
>
> olli hauer schrieb:
>>>> http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
>>>> provides a
>>>> reasonably useful list of ports NOT to choose for an obscure ssh
>>>> port.
>>>>
>>> In practice, you have no choice but to use something like 443 or 8080,
>>> because corporate firewalls often block everything but a small number
>>> of ports (usually 20, 22, 80, 443, 8080, and odds are that 20, 80 and
>>> 8080 go through a transparent proxy)
>>>
>>
>> This may work if the firewall does only port and no additional protocol
>> filtering. For many products used in corporate environments it is even
>> possible to filter ssh v1, skype, stunnel, openvpn with a very high
>> success rate within the first packets on the wire.
>>
>> In the case of the ssh server, take a look at these parameters:
>> - LoginGraceTime
>> - MaxAuthTries
>> - MaxSessions
>> - MaxStartups
>>
>>
> I think nobody mentioned the overload rules from pf(4). I keep away most
> of the tried attempts by using it.
> Setup is pretty easy:
> table <ssh-spammer> persist
> pass quick log proto { tcp, udp } from any to any port ssh label "ssh-brute" \
>         flags S/SA keep state \
>         (max-src-conn 15, max-src-conn-rate 10/30, \
>         overload <ssh-spammer> flush global)
>
> Obviously, read pf.conf(5) to check what you might want to configure WRT
> max-src-conn and max-src-conn-rate.
>
> These rules in combination with enforced key authentication should keep
> your logfiles clean and your host secured.
> No need to go to another tcp port.
>
> Cheers,
> Marian
Or combine that with portknocking: only open port 22 after X attempts to
connect on port 1234:
# Table for allowed IPs
#  [gets auto populated via portknocking]
table <portknock_ssh> persist
.
..
...
block #default block policy
# Allow everyone to hit 'any' on port '1234' - pf proxies tcp connection
#  [if not using 'synproxy', the connection is never established to
#    'overload' the rule]
#  5 attempts in 15 seconds
pass in log quick proto tcp from any to any port {1234} synproxy state \
  (max-src-conn-rate 5/15, overload <portknock_ssh>)
#Allow IPs that have been 'overload'ed into the portknock_ssh table
pass in log quick proto tcp from {<portknock_ssh>} to any port {ssh}
.
..
...
Then put a crontab entry in on an as-needed basis to expire all IPs in that
table that have not been referenced in 60 seconds:
*     *    *    *     * /sbin/pfctl -vt portknock_ssh -T expire 60
All established sessions will be kept alive; all new sessions will need to
portknock after the IP is cleared from the table.
]Peter[
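To make the semantics of the two rule sets in this thread concrete (Marian's `max-src-conn-rate N/S, overload <table>` and Peter's port-knock variant followed by `pfctl -T expire`), here is an added Python model of what pf does with those options. It is an illustration written for this page, not pf code and not from either poster: the sliding window is an approximation of pf's moving-average rate estimate, the `knock`/`ssh_allowed`/`expire` names are invented, the addresses are constructed RFC 5737 samples, and a table hit refreshing the entry's timestamp follows Peter's description (check pfctl(8) on your release for the exact `-T expire` semantics).

```python
"""Toy model of pf's 'max-src-conn-rate N/S, overload <table>' combined with
'pfctl -t <table> -T expire SECS'.  Added illustration of the thread's rules,
not pf itself; the sliding window approximates pf's moving-average rate."""
from collections import defaultdict, deque


class OverloadTable:
    def __init__(self, max_conn, window, expire_after):
        self.max_conn = max_conn          # N in max-src-conn-rate N/S
        self.window = window              # S in max-src-conn-rate N/S
        self.expire_after = expire_after  # seconds given to -T expire
        self.entries = {}                 # ip -> timestamp of last reference
        self.attempts = defaultdict(deque)  # ip -> recent connection times

    def knock(self, ip, now):
        """A new TCP connection from ip hits the rate-limited rule
        (Peter's port 1234, or Marian's port ssh).  Returns True once the
        source has been overloaded into the table."""
        q = self.attempts[ip]
        q.append(now)
        while q and now - q[0] > self.window:   # forget attempts outside S
            q.popleft()
        if len(q) > self.max_conn:              # "more than N in S seconds"
            self.entries[ip] = now
            return True
        return ip in self.entries

    def ssh_allowed(self, ip, now):
        """The 'pass ... from <table> to any port ssh' rule: only table
        members pass, and a hit refreshes their timestamp."""
        if ip in self.entries:
            self.entries[ip] = now
            return True
        return False

    def expire(self, now):
        """Cron job: drop entries not referenced for expire_after seconds."""
        stale = [ip for ip, t in self.entries.items()
                 if now - t >= self.expire_after]
        for ip in stale:
            del self.entries[ip]
        return stale


def demo():
    """Walk through Peter's 5/15 knock rule and 60 s expiry; returns the
    observations in order."""
    t = OverloadTable(max_conn=5, window=15, expire_after=60)
    client = "192.0.2.10"     # constructed sample address (RFC 5737)
    stranger = "192.0.2.20"   # constructed sample address (RFC 5737)
    for i in range(5):        # five knocks in 15 s: rate not yet exceeded
        t.knock(client, now=i)
    before = t.ssh_allowed(client, now=5)      # False: not in table yet
    t.knock(client, now=6)                     # sixth knock overloads
    after = t.ssh_allowed(client, now=7)       # True: ssh now passes
    other = t.ssh_allowed(stranger, now=7)     # False: never knocked
    # eight knocks 10 s apart never exceed 5 per 15 s, so no table entry
    slow = all(not t.knock(stranger, now=100 + 10 * i) for i in range(8))
    expired = t.expire(now=7 + 60)             # client aged out of table
    return before, after, other, slow, expired


if __name__ == "__main__":
    print(demo())
```

Two design points carry over to the real rules: without `synproxy state` pf never sees a completed handshake on the knock port, so the rate counter never trips (the point of Peter's comment), and the cron expiry only removes entries whose timestamp is stale, so an open session that keeps the entry referenced is not cut off.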