[nycbug-talk] SSH attacks

Andy Kosela akosela at andykosela.com
Wed Sep 10 14:57:04 EDT 2008


On Wed, Sep 10, 2008 at 8:09 PM, Yarema <yds at coolrat.org> wrote:
>
> I was just thinking that I need to look into Juniper stuff in case a
> client requests a commercially supported firewall.  In my situation I
> don't see what Juniper can do that I can't with the two CARPed FreeBSD
> firewalls I'm running.  Juniper is based on FreeBSD after all.

Yes, the Juniper Netscreen line is impressive. We are running two of them
in an active-passive cluster, works like a charm. There are many
advantages of running hardware-based firewalls like Juniper Netscreen
or Checkpoint; the most obvious is that they can handle far more load
than PCs, and I'm talking here about millions of packets per second.
Although small companies can do very well with an OpenBSD/FreeBSD
solution.

And as a matter of fact, Netscreen is *NOT* based on FreeBSD. That's a
completely different technology which they call ScreenOS. Actually,
they acquired this technology when they bought the Netscreen company.
JunOS, which runs on their routers, is based on FreeBSD though.

>
> Based on what I've seen in the logs, the problem with these attacks is
> not that I'm worried about a successful break-in.  It's the
> overwhelming resource clogging they cause.

Yes, brute force attacks are very seldom successful, but to minimize
the load it's wise just to limit allowable connections to specific
hosts/subnets. Even restricting access to a wide mask can dramatically
reduce the load.

-- 
Andy Kosela
ora et labora
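As an added illustration of the advice above (not part of Andy's or Yarema's posts, and not taken from any named ruleset), here is a pf.conf fragment for the CARPed FreeBSD/OpenBSD firewalls being discussed. It does the two things the reply recommends: only named subnets may open SSH at all, and anything that still hammers the port is moved into a block table so the state engine stops paying for it. The interface name `em0` and the address ranges are assumptions; 192.0.2.0/24 and 198.51.100.0/24 are RFC 5737 documentation ranges standing in for real management networks.

```pf
# Added example, not from the original thread. Placeholder values:
# $ext_if, the <ssh_allowed> ranges, and the 5-per-30-seconds threshold.
ext_if = "em0"

# Subnets allowed to reach sshd. "const" means the table cannot be
# changed at runtime, which is what you want for a management allowlist.
table <ssh_allowed> const { 192.0.2.0/24, 198.51.100.0/24 }

# Hosts that tripped the rate limit below. "persist" keeps the table
# around even when it is empty so the overload clause can add to it.
table <bruteforce> persist

# Anything already flagged is dropped first; "quick" stops evaluation here,
# so no state is created and no later rule can let it through.
block in quick on $ext_if from <bruteforce>

# Default deny for SSH; only the pass rule below can override it.
block in on $ext_if proto tcp to ($ext_if) port ssh

# Only the allowlisted subnets may open SSH. A single source that opens
# more than 5 new connections in 30 seconds is added to <bruteforce>
# and all of its existing states are flushed ("flush global").
pass in on $ext_if proto tcp from <ssh_allowed> to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn-rate 5/30, overload <bruteforce> flush global)
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. Offending hosts can be inspected with `pfctl -t bruteforce -T show` and aged out with `pfctl -t bruteforce -T expire 86400` from cron, so a colleague who fat-fingers a password five times is not locked out forever. Because the allowlist rule comes first, the rate limit only ever applies to hosts that are already permitted; everything else never creates state, which is exactly the resource clogging Yarema was seeing.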
