
Re: Limiting ssh access: by MAC Address?



On Wed, 4 Jan 2023, Jeffrey Walton wrote:


> The preauth scheme does not hide the service like your TOTP scheme.
> However, it looks like both schemes achieve the same thing - they both
> avoid the costly key exchange. Avoiding the key exchange is a big win
> since those public key operations are so costly.


My scheme doesn't remove the need for any auth. What it does do is limit
the noise in the logs. Given that the DNS query won't come from the same
address as the intended connection you have to open the service to
everything temporarily.

I was getting anything from thousands to hundreds of thousands of login
attempts per day on a service that didn't accept passwords.

I now have an aggressive firewall policy that blocks any IP that sends
three SYNs that don't get an ACK in an hour.  (with a couple of ports that
will remove a ban where external connections are expected)
Roughly 300 IPs got added yesterday and 30 managed to remove themselves.
(incoming connections are totally blocked from China, Russia and a
handful of other countries along with some netblocks that I've manually
added)

My quick grep of the firewall logs suggests that I'm seeing 10x as many
attempts to connect to telnet than I am to ssh so I guess ssh is finally
becoming secured from password guessing and people are giving up on
trying (except possibly targeted attacks on servers that accept
passwords)

I'm also, as far as possible, moving to IPv6. That also cuts down on the
noise a lot.

So hiding services just isn't as valuable to me now as it was four years
ago. I'm still generating 40MB of firewall logs a day that get backed up
though.
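The SYN-based ban policy described in the message above, as an added example that is not from the original thread or its author: a small Python model that counts unanswered SYNs per source over a one-hour sliding window, bans a source on the third one, and lets a connection to an assumed unban port (8443 here, a placeholder, since the mail does not name its ports) lift the ban. The event records are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)   # "three SYNs ... in an hour"
THRESHOLD = 3
UNBAN_PORTS = {8443}          # assumed placeholder for the mail's "couple of ports"

# Constructed sample records: (timestamp, source IP, destination port, event).
# "SYN_TIMEOUT": a logged SYN that never completed the handshake (no ACK).
# "CONNECT":     a completed connection, relevant only when it hits an unban port.
T = lambda h, m: datetime(2023, 1, 4, h, m)
SAMPLE = [
    # fast scanner: three unanswered SYNs inside ten minutes -> banned
    (T(10, 0), "198.51.100.7", 22, "SYN_TIMEOUT"),
    (T(10, 5), "198.51.100.7", 23, "SYN_TIMEOUT"),
    (T(10, 10), "198.51.100.7", 22, "SYN_TIMEOUT"),
    # slow host: three SYNs, but the first falls out of the hour window
    (T(9, 0), "198.51.100.8", 22, "SYN_TIMEOUT"),
    (T(9, 50), "198.51.100.8", 22, "SYN_TIMEOUT"),
    (T(10, 30), "198.51.100.8", 22, "SYN_TIMEOUT"),
    # banned host that later reaches an unban port and removes itself
    (T(11, 0), "203.0.113.9", 22, "SYN_TIMEOUT"),
    (T(11, 1), "203.0.113.9", 22, "SYN_TIMEOUT"),
    (T(11, 2), "203.0.113.9", 22, "SYN_TIMEOUT"),
    (T(11, 30), "203.0.113.9", 8443, "CONNECT"),
]

def evaluate(records):
    """Replay records in time order; return (banned, self_unbanned) sets."""
    recent = defaultdict(deque)   # src -> timestamps of unanswered SYNs in window
    banned, unbanned = set(), set()
    for ts, src, dport, event in sorted(records):
        if event == "CONNECT" and dport in UNBAN_PORTS:
            if src in banned:     # unban ports stay reachable for banned sources
                banned.discard(src)
                unbanned.add(src)
                recent[src].clear()
            continue
        if event != "SYN_TIMEOUT":
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > WINDOW:   # drop SYNs older than one hour
            q.popleft()
        if len(q) >= THRESHOLD:
            banned.add(src)
    return banned, unbanned
```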

