Jeremy Chadwick wrote:
You naturally have to keep pf.conf.ssh-* in sync if you have multiple machines. You can use pfsync(4) to accomplish this task (I think), or you can do it the obvious way (make a central distribution box that scp/rsync's the files out and runs "/etc/rc.d/pf reload").
pfsync synchronises the dynamic state sessions between machines -- i.e. basically what you see by doing 'pfctl -ss'. It doesn't, as far as I know, synchronise table contents even if the table changes are themselves dynamically generated in response to traffic. rsync is your friend here.

As for blocking based on geographical source of IPs -- I see where you're coming from, but you've missed out one of the largest territories that is the source of this sort of thing, namely the USA.

The best strategy IMHO is to foil the automated password guessers by not using passwords. SSH key based auth works nicely, is easy to set up and use and is unfeasible to break by trial and error across a remote network connection. Using firewall blocking on top of this is still useful (to reduce the noise in the log files and stop system resources being sucked up by SSH's crypto requirements) but it shouldn't be a necessity.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
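The "rsync is your friend" approach from the reply above, as an added example that is not part of the thread: a small sh script that validates a pf table file (IPv4 addresses or CIDR prefixes only, so a typo is not pushed to every firewall), copies it to each peer with rsync over key-authenticated SSH, and runs the "/etc/rc.d/pf reload" step the thread mentions. The peer hostnames, the table directory and the DRY_RUN switch are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Distributes a pf table
# file to peer firewalls over SSH (key auth assumed) and reloads pf there.

PF_TABLE_DIR="${PF_TABLE_DIR:-/etc/pf.tables}"          # assumed path
PEERS="${PEERS:-fw1.example.net fw2.example.net}"        # assumed peer hosts

# validate_table FILE
# Returns 0 if every non-comment, non-blank line is an IPv4 address or an
# IPv4 CIDR prefix; returns 1 otherwise (or if FILE does not exist).
validate_table() {
    file="$1"
    [ -f "$file" ] || return 1
    # Drop comments and blank lines, then look for anything that is NOT an
    # address/prefix. If such a line exists the table is rejected.
    if grep -vE '^[[:space:]]*(#|$)' "$file" \
       | grep -vE '^[[:space:]]*([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?[[:space:]]*$' \
       >/dev/null
    then
        return 1
    fi
    return 0
}

# distribute_table FILE
# Validates FILE, then for each peer: rsync it into PF_TABLE_DIR and reload
# pf. With DRY_RUN=1 the commands are printed instead of executed.
distribute_table() {
    file="$1"
    if ! validate_table "$file"; then
        echo "refusing to distribute $file: missing or contains a bad entry" >&2
        return 1
    fi
    for peer in $PEERS; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "rsync -az -e ssh $file root@$peer:$PF_TABLE_DIR/"
            echo "ssh root@$peer /etc/rc.d/pf reload"
        else
            rsync -az -e ssh "$file" "root@$peer:$PF_TABLE_DIR/" || return 1
            ssh "root@$peer" /etc/rc.d/pf reload || return 1
        fi
    done
    return 0
}

# Usage: ./push-table.sh /etc/pf.tables/pf.conf.ssh-bad   (DRY_RUN=1 to preview)
if [ $# -gt 0 ]; then
    distribute_table "$1"
fi
```

The validation step is the part worth keeping even if you replace rsync with something else: a central distribution box that can push a file to every firewall can also push a broken one to every firewall, so check the content before it leaves.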