Jordan Sissel
geek

Wed, 19 Jul 2006

Is pam_captcha worth using? (Securing your sshd)

In /var/log/auth.log today, I see:
Jul 19 04:37:21 dns sshd[5072]: Invalid user test from 211.154.254.73
Jul 19 04:37:22 dns sshd[5074]: Invalid user guest from 211.154.254.73
Jul 19 04:37:26 dns sshd[5080]: Invalid user user from 211.154.254.73
No authentication failures, just invalid user notifications.

FreeBSD has (for a while?) disabled simple "password" authentication in its base sshd config. What does this mean? If a client connects requesting only "password" authentication, it will be rejected. Period. Example:

dns(~) !255! % ssh -o "PreferredAuthentications password" happytest@dhcp
Permission denied (publickey,keyboard-interactive).
If you check /var/log/auth.log, you'll see:
Jul 19 06:10:32 dns sshd[5403]: Invalid user happytest from 192.168.0.252
However, try the same with a valid user. Nothing is logged (by default). Still, you are denied outright.

The important point is that, I guess, pam_captcha is not necessary at this time. Every ssh client I have used has supported both public-key and keyboard-interactive authentication, so disabling 'password' everywhere should be a viable option. FreeBSD disables password auth by default, and no one seems to be complaining.

If you're worried about brute force attacks over ssh, then just disable 'password' authentication. In sshd_config:

PasswordAuthentication no
This probably requires that you use public-key or keyboard-interactive (PAM) to authenticate. Keeps normal users happy, and blocks brute force bots. That is, until the bot scripts are updated to use keyboard-interactive, perhaps? Who knows...
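As an added example (my code, not part of the original post), here is the triage I do by eye on auth.log, written out: group the "Invalid user" lines by source address so a username-guessing source stands out from a single typo, and check which PasswordAuthentication value an sshd_config text will actually use (sshd takes the first occurrence, defaults to yes, and anything after a Match line only applies conditionally). The log lines are constructed in the format shown above.

```python
import re

# Constructed sample lines in the format the post shows (not the author's data).
SAMPLE_AUTH_LOG = """\
Jul 19 04:37:21 dns sshd[5072]: Invalid user test from 211.154.254.73
Jul 19 04:37:22 dns sshd[5074]: Invalid user guest from 211.154.254.73
Jul 19 04:37:26 dns sshd[5080]: Invalid user user from 211.154.254.73
Jul 19 06:10:32 dns sshd[5403]: Invalid user happytest from 192.168.0.252
Jul 19 06:12:01 dns sshd[5410]: Accepted publickey for jls from 192.168.0.5 port 51022 ssh2
"""

INVALID_USER = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from (\d+\.\d+\.\d+\.\d+)")


def invalid_users_by_source(log_text):
    """Map each source IP to the list of nonexistent usernames it tried."""
    hits = {}
    for line in log_text.splitlines():
        m = INVALID_USER.search(line)
        if m:
            hits.setdefault(m.group(2), []).append(m.group(1))
    return hits


def guessing_sources(log_text, threshold=3):
    """Source IPs that tried at least `threshold` nonexistent usernames.

    One invalid user is usually a typo; several in a row is the bot pattern
    from the post. The threshold is an assumption, tune it for your logs."""
    by_ip = invalid_users_by_source(log_text)
    return sorted(ip for ip, users in by_ip.items() if len(users) >= threshold)


def effective_password_auth(sshd_config_text):
    """Value sshd will use for PasswordAuthentication in the global section.

    sshd keeps the first occurrence of a keyword and ignores later ones; the
    compiled-in default is 'yes'. Directives after a Match line apply only to
    matching connections, so the global scan stops there."""
    for raw in sshd_config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        if keyword == "match":
            break
        if keyword == "passwordauthentication" and len(parts) == 2:
            return parts[1].strip().lower()
    return "yes"
```

Run `guessing_sources(open("/var/log/auth.log").read())` against a real log to get the list of sources worth blocking or reporting.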

Comments: 3
Permalink: /geekery/pam_captcha_research
posted at: 13:40

Apartment networking, v1

I've finally got non-free internet access. Prior to that, I was using Google's free wifi. Turns out there's a wireless node quite close to my apartment. To get online, I used my soekris net4501 w/ wireless card to associate to google's wifi. Google wifi rocks, it's so nice. Internally, I used dhcp and nat to provide multiple machines with network access through the soekris box, and thus google wifi. This worked quite well.

Now that I have Comcast, I can use the wireless card in the soekris as an access point, rather than a client. The setup is as follows:

  • wired subnet: 192.168.0.0/24 (gateway on soekris)
  • wireless subnet: 192.168.10.0/24 (gateway on soekris)
  • vpn subnet: 192.168.1.0/24 (gateway is vpn server)
  • vpn/dhcp/dns server running in FreeBSD on vmware on Windows
  • dhcprelay on soekris relaying dhcp requests from wifi to wired.
  • nat everything through the soekris box, which connects to Comcast
  • dhcp with ddns so I don't have to remember IP addresses
So far, everything's working well. My new Dell (2.8GHz/1GB) runs vmware well. With Candice's help, I was able to get a poptop server going quite easily. Now I can vpn into my apartment from Windows and FreeBSD, which is good if I want an easy, secure connection while I'm on wifi. I'll post a howto about poptop+freebsd later.

The next step is to "secure" wireless. I don't care to block people, because someone will just get around it. I plan on filtering unauthorized wireless access, limiting it to only ssh/http/https/icmp/dns and little else. Bandwidth-limited, of course. My traffic is more important than yours!

After that, I'd like to automate network maintenance. That is, have a single script that will push changes to wherever is necessary: firewall, dhcp, dns, vpn, whatever. Then, perhaps some network optimizations such as a transparent squid proxy, etc.

I'm hoping that I can work on my pam_captcha research soon, too, now that I have a machine with a real IP online.

Doing this network setup has been quite the refresher on DNS, DHCP, et al. I'd prefer having this kind of crap documented, so I'll hopefully get around to writing an article about it.

Comments: 0
Permalink: /geekery/home-networking
posted at: 03:38
