Firewall and SSH
I am new to pfSense. I need help regarding my logs and firewall/SSH. I think I am being attacked, but I'm not sure. I don't want to post details here; can someone PM me?
If you have an ssh daemon that is reachable by anyone from the internet on the standard TCP port 22, you can expect it to be brute force password attacked on well-known user accounts.
Is that what you are seeing?
Yes, I am. I am requiring keys now, and now I am seeing them trying to get into accounts that don't exist, like guest, user, mysql…
@gderf Do you think the keys are fine, or should I disable SSH from the WAN and only allow it via VPN?
Keys are better than passwords but that will not stop the brute force attacks.
guest, user, mysql, among others, are the well known user accounts I mentioned.
If you change the port away from TCP 22 you will almost certainly reduce the attacks, quite possibly eliminate them altogether. I'm sure someone will say that this suggestion is "security by obscurity" and that it doesn't work. But if you want your log file quieted down dramatically, changing the port will accomplish that.
If you do not need wide open access, then by all means restrict it further.
Keys won't stop brute force attacks, but they make them a useless effort. I'd keep SSH restricted to a few trusted IPs at most, and require a VPN besides that. If you have to leave SSH open to the world for some reason, and don't want to deal with the log noise of idiots hammering away trying passwords on something that doesn't accept passwords, put it on a different port.
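An added example, not written by anyone in this thread: a small Python log summary that separates the log noise discussed above (attempts on accounts that don't exist) from the events that matter once keys are required, namely any accepted login that did not use a key or that came from outside the trusted addresses. The log lines are constructed samples in the usual OpenSSH format, and the function name `summarize` and the trusted network `192.0.2.0/24` are assumptions for illustration.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample sshd lines (documentation address ranges), not from the thread.
SAMPLE_LOG = """\
Jan 10 03:12:01 fw sshd[4121]: Invalid user guest from 203.0.113.7 port 40122
Jan 10 03:12:03 fw sshd[4123]: Invalid user mysql from 203.0.113.7 port 40130
Jan 10 03:12:09 fw sshd[4130]: Invalid user user from 198.51.100.23 port 51877
Jan 10 03:12:15 fw sshd[4135]: Invalid user guest from 198.51.100.23 port 51901
Jan 10 08:30:44 fw sshd[5200]: Accepted publickey for admin from 192.0.2.10 port 50022 ssh2: ED25519 SHA256:CONSTRUCTED
Jan 10 09:02:11 fw sshd[5311]: Accepted password for admin from 203.0.113.99 port 41000 ssh2
"""

INVALID = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from (\S+) port \d+")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port \d+")

def summarize(log_text, trusted_networks):
    """Return (targeted usernames, source counts, alerts on accepted logins)."""
    trusted = [ip_network(n) for n in trusted_networks]
    users, sources, alerts = Counter(), Counter(), []
    for line in log_text.splitlines():
        m = INVALID.search(line)
        if m:  # noise: guesses at accounts that do not exist
            users[m.group(1)] += 1
            sources[m.group(2)] += 1
            continue
        m = ACCEPTED.search(line)
        if not m:
            continue
        method, user, src = m.groups()
        if method != "publickey":
            # Should never happen once password authentication is disabled.
            alerts.append((user, src, "non-key login: " + method))
            continue
        try:
            inside = any(ip_address(src) in net for net in trusted)
        except ValueError:  # source logged as a hostname rather than an IP
            inside = False
        if not inside:
            alerts.append((user, src, "login from untrusted source"))
    return users, sources, alerts

if __name__ == "__main__":
    users, sources, alerts = summarize(SAMPLE_LOG, ["192.0.2.0/24"])
    print("targeted accounts:", users.most_common())
    print("noisiest sources:", sources.most_common())
    print("alerts:", alerts)
```
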