Re: Banning ips for some time?
Christian, On Tue, 25 Jan 2005 you wrote:

> my server's sshd reports 30 to 50 failed root/operator/etc. logins a day.
> I would like to block the incoming IP for a few days automatically after
> e.g. failed login requests. Currently I am using ipf, but it would be no
> problem to use any other FreeBSD firewall.

For peace of mind, you can always use the AllowGroups, AllowUsers and PermitRootLogin options in sshd_config to remove ssh access to root, uucp, operator, and other system accounts. I only permit ssh access to user accounts. The scripts which are making these login attempts are not typically going to try user accounts, for obvious reasons. If you need off-site root access you should be using su or sudo bash anyway. I would recommend always turning off root access via ssh.

...Sandy

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Banning ips for some time?
Sandy Rutherford wrote:

> Christian, On Tue, 25 Jan 2005 you wrote:
>
> > my server's sshd reports 30 to 50 failed root/operator/etc. logins a day.
> > I would like to block the incoming IP for a few days automatically after
> > e.g. failed login requests. Currently I am using ipf, but it would be no
> > problem to use any other FreeBSD firewall.
>
> For peace of mind, you can always use the AllowGroups, AllowUsers and
> PermitRootLogin options in sshd_config to remove ssh access to root, uucp,
> operator, and other system accounts. I only permit ssh access to user
> accounts. The scripts which are making these login attempts are not
> typically going to try user accounts, for obvious reasons. If you need
> off-site root access you should be using su or sudo bash anyway. I would
> recommend always turning off root access via ssh.
>
> ...Sandy

Thanks for the answer. You described roughly the way I run sshd by now.

Christian
Re: Banning ips for some time?
Christian Tischler writes:

CT Hi,
CT as I have a DSL line which is 24/7 online (coming from a big and
CT popular provider) my server's sshd reports 30 to 50 failed
CT root/operator/etc. logins a day. I would like to block the incoming IP
CT for a few days automatically after e.g. failed login requests.
CT Currently I am using ipf, but it would be no problem to use any other
CT FreeBSD firewall.
CT This is not only for security reasons, but also to shorten the daily
CT security run output :-)

Do you have a need to access your server from the outside Net? If not, you can just block the SSH port entirely at the firewall (which is what I do). Almost doesn't count in securityland, so as long as the logins are failing, they're not a security risk, just a nuisance.

-- 
Anthony
Re: Banning ips for some time?
Anthony Atkielski wrote:

> Christian Tischler writes:
>
> CT Hi,
> CT as I have a DSL line which is 24/7 online (coming from a big and
> CT popular provider) my server's sshd reports 30 to 50 failed
> CT root/operator/etc. logins a day. I would like to block the incoming IP
> CT for a few days automatically after e.g. failed login requests.
> CT Currently I am using ipf, but it would be no problem to use any other
> CT FreeBSD firewall.
> CT This is not only for security reasons, but also to shorten the daily
> CT security run output :-)
>
> Do you have a need to access your server from the outside Net? If not, you
> can just block the SSH port entirely at the firewall (which is what I do).
> Almost doesn't count in securityland, so as long as the logins are
> failing, they're not a security risk, just a nuisance.

I do need the ssh access.

Christian
Re: Banning ips for some time?
Christian Tischler wrote:

> as I have a DSL line which is 24/7 online (coming from a big and popular
> provider) my server's sshd reports 30 to 50 failed root/operator/etc.
> logins a day. I would like to block the incoming IP for a few days
> automatically after e.g. failed login requests. Currently I am using ipf,
> but it would be no problem to use any other FreeBSD firewall.
> This is not only for security reasons, but also to shorten the daily
> security run output :-)

Q: Do you think that you will see new attempts from the same IP in one of the following days?
A: Likely not the same IP, but possibly from the same block of IPs = won't help much to block specific IPs.

Q: Do you consider it plausible that after a few days legitimate connections will originate from those IPs?
A: Likely not, but if so, you have no way of predicting from which IP and when = if you need open access, then blocking temporarily will block legitimate connections; if not, then opening again will open for illegitimate connections.

Q: Is your system more vulnerable after failed login attempts to non-existent accounts?
A: Your system will only be more vulnerable if you can assume the attacker will come back and continue from where he left off. But changing passwords will not help, unless you choose something that has been tested and you know he will not test the same password twice.

Conclusion: If you can set up fixed rules for where legitimate connections will originate, do so and block everything else. Otherwise, all attempts to improve security or shorten the security daily will fail.

I have a script that may help you create country based rules:
http://www.daemonsecurity.com/src/ip-rules.pl

Cheers,
Erik

-- 
Ph: +34.666334818
web: http://www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID: A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2
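The time-limited ban Christian asked for, with Erik's per-block objection built in, as an added example that is not code posted by anyone in this thread. It parses sshd's failed-login syslog lines, bans a source address once it crosses a failure threshold inside a sliding window, records an expiry so a periodic job can remove the rule again, and also tallies failures per /24 so you can see how much a per-address ban misses. The log lines, threshold, window and ban length are constructed; the ipf rule text is an assumption about ipf.conf syntax and should be checked against ipf(5) on your release.

```python
"""Pick source addresses for a temporary ssh ban from sshd's failed-login
syslog lines.  Added example for this thread (not code posted by anyone in
it); log lines, threshold, window and ban length are constructed, and the
ipf rule text rendered at the end is an assumption about ipf.conf syntax."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of what sshd logs to /var/log/auth.log on failure:
# "Illegal user" for accounts that do not exist, "Failed password" for
# accounts that do.  The last line is a successful login and must be ignored.
SAMPLE_LOG = """\
Jan 25 01:02:11 host sshd[1234]: Illegal user operator from 203.0.113.7
Jan 25 01:02:14 host sshd[1235]: Failed password for root from 203.0.113.7 port 4532 ssh2
Jan 25 01:02:19 host sshd[1236]: Illegal user test from 203.0.113.7
Jan 25 01:03:40 host sshd[1240]: Failed password for root from 203.0.113.9 port 4590 ssh2
Jan 25 01:05:02 host sshd[1241]: Illegal user admin from 203.0.113.9
Jan 25 03:15:55 host sshd[1300]: Failed password for alice from 198.51.100.4 port 5001 ssh2
Jan 25 03:16:01 host sshd[1300]: Accepted publickey for alice from 198.51.100.4 port 5001 ssh2
"""

FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Illegal user (?P<bad_user>\S+)"
    r"|Failed password for (?:invalid user )?(?P<user>\S+))"
    r" from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse_failures(log_text, year=2005):
    """Return [(timestamp, username, source_ip)] for every failed-login line.
    syslog omits the year, so the caller supplies it."""
    failures = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        failures.append((ts, m["bad_user"] or m["user"], m["ip"]))
    return failures


def ban_candidates(failures, threshold=3, window=timedelta(minutes=10),
                   ban_for=timedelta(days=2)):
    """Map source IP -> ban expiry for addresses with at least `threshold`
    failures inside a sliding `window`.  A cron job that re-runs this can add
    the rule on first sight and drop it once the expiry has passed; the expiry
    is what makes the ban temporary rather than permanent."""
    recent = defaultdict(list)
    bans = {}
    for ts, _user, ip in sorted(failures):
        if ip in bans:
            continue  # already decided; no need to keep counting
        recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
        if len(recent[ip]) >= threshold:
            bans[ip] = ts + ban_for
    return bans


def failures_per_block(failures):
    """Failures per /24.  Erik's point: the next probe often comes from a
    neighbouring address, so this shows what per-address bans would miss."""
    counts = defaultdict(int)
    for _ts, _user, ip in failures:
        counts[str(ipaddress.ip_network(f"{ip}/24", strict=False))] += 1
    return dict(counts)


def ipf_rules(bans):
    """Render one 'block in quick' rule per banned address.  Assumed ipf.conf
    syntax; verify against ipf(5) before loading the output with ipf -f."""
    return "\n".join(
        f"block in quick from {ip}/32 to any  # until {exp:%Y-%m-%d %H:%M}"
        for ip, exp in sorted(bans.items())
    )


if __name__ == "__main__":
    fails = parse_failures(SAMPLE_LOG)
    print(failures_per_block(fails))
    print(ipf_rules(ban_candidates(fails)))
```

On the constructed sample only 203.0.113.7 crosses three failures within ten minutes and gets a two-day expiry; 203.0.113.9 stays under the threshold, while the per-block count shows five failures from 203.0.113.0/24, which is the gap Erik describes.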
Re: Banning ips for some time?
Christian Tischler writes:

> as I have a DSL line which is 24/7 online (coming from a big and popular
> provider) my server's sshd reports 30 to 50 failed root/operator/etc.
> logins a day. I would like to block the incoming IP for a few days
> automatically after e.g. failed login requests.

As others have said, this is probably more of a nuisance issue than a security issue. Anyway, this was discussed recently on undeadly.org (aka OpenBSD Journal). The discussion, which offers some interesting input (some of it OpenBSD specific or at least requiring pf), is available at

http://undeadly.org/cgi?action=article&sid=20041231195454

Then again, at least in some cases, the people listed in the whois info for the offending IP appreciate a politely worded notification. Quite likely they do not want this kind of activity either.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
Re: Banning ips for some time?
On Tuesday 25 January 2005 01:18 am, Christian Tischler wrote:

> Hi,
> as I have a DSL line which is 24/7 online (coming from a big and popular
> provider) my server's sshd reports 30 to 50 failed root/operator/etc.
> logins a day. I would like to block the incoming IP for a few days
> automatically after e.g. failed login requests. Currently I am using ipf,
> but it would be no problem to use any other FreeBSD firewall.
> This is not only for security reasons, but also to shorten the daily
> security run output :-)

Some people have already provided good suggestions, and this isn't something to worry about unless someone does get in, but the easiest way to prevent this from happening is to make sshd listen on a different port, preferably a high-numbered one. Then you close port 22 on your firewall and open the one you designated for sshd, and you log in to that port from the other machine with ssh.

Also, can you go without logins, i.e., can you go entirely with key-based authentication? That can help, too, as well as preventing root from logging in remotely or to ssh (a user in wheel can su), but changing the port often stops attempted ssh logins entirely.

- jt