Re: securing SSH, FBSD systems

Mon, 23 May 2005 08:09:02 -0700

Is there an effective way to manage that list? I mean, it seems to me that you'd be adding mass routes to /etc/rc.conf. How are you going about this.
Otherwise, it sounds like very good advice. Of course, I tend to manage a hardware firewall in front of any of my machines, so the blackholing should really occur there. I wonder if that technique works under Linux as well? I have the WRT54G running DD-WRT in front of several so-ho boxes. That would be a very efficient method as opposed to ipchains. Not to mention easier to manage reading my firewall rules. ;) 

On Sun, 22 May 2005, Francisco Reyes wrote:


On Sun, 22 May 2005, Chris wrote:


5. (and my favorite) If running IPFW, use something like this if you
don't need ssh open to the whole of the internet. narrow it down to a
range of IP's you need.



6. Don't use passwords at all, but use keys. Not always possible though, but 
possibly one of the better methods.


I personally use a combo
1- Use an AllowUsers clause
2- Every time I see script kiddies I black hole their IPs.


I black hole them not only because of ssh, but because, just as they tried to 
attack ssh the same IPs may try other attacks. I try and stay up to date in 
patches, but it can not hurt to block known compromised/hacker machines. The 
IPs can be listed either in the firewall or using

route add -host <hacker ip> 127.0.0.1 -blackhole


I was told that this method of blackholing was more efficient when using a 
long list of IPs becaues IPFW looks at a linear list while the route list was 
some sort of tree which is more efficient to search.



Over time.. my list of blackholed IPs is 300+ and growing. Every week I add 
anywhere from 2 to 10 new IPs. :-(



Besides ssh I also look for machines trying to attack the web server.. ie a 
machine looking for files in c:\winnt or any other window directory is a sure 
sign of a compromised wmachine ith a virus/worm trying to infect more 
machines.

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"






















					Reply via email to