Can I prevent SSH attacks on machines on private LAN behind my pfsense box?
Probably newbie question, so apologies.
I have a number of public IPs mapped to my pfsense box which sits between the 'net and my private (192.168.1.0/24) LAN. I use port forwarding to forward service requests on the public IPs to the relevant private boxes.
Everything is working well - many many thanks for a great product!
My problem is that a number of my publicly exposed SSH boxes have the usual and entirely expected hack attempts. My question is how can I get these private VMs to inform the pfsense box about it? The pfsense box is running snort and denyhosts but it only monitors the pfsense box itself.
Is there an automated way in which all the private VMs can inform the pfsense box about a dodgy host? Without this I see two options:
- install an IDS on every box with a public service (i.e. SSH in this case) exposed
- create a 'blacklisted_IPs' alias and have the firewall block it
- hide all the SSH boxes and create a VPN
Neither of these are satisfactory - the second is just doomed to fail :)
What is the correct solution here when there are quite a few boxes?
Also, FYI these are all VMs on a XenServer 5.5 box. I have noticed one or two problems when I would lose all connectivity to the public IPs requiring a reboot of the pfsense box. This mainly happened when I tried to be clever about how many SSH attempts could be made in one minute….
Anyway, great tool! Thoughts welcome :)
The other option is to move ssh to a different port, such as 222, on all your boxes.
It won't get scanned by nearly as many (if any) such attempts, and you can keep it open.
Personally I block off all ssh from outside and connect via VPN before I can reach anything internal.