Re: Automatic Firewall software?

2004-10-15 Thread Richard Verwayen
On Fri, 2004-10-15 at 04:09, Vulpes Velox wrote:

  Doesn't Portsentry ignore ports that have a service bound to them
  like the SSH daemon? In that case, it wouldn't help Brian's problem,
  since ssh is running, portsentry would ignore any attacks to port
  22, right?
 
 Move it and the like to a non-common port if one can. :)

Security by obscurity???


NO! 

There is a tiny little configuration file to change portsentry's
behaviour! So tell portsentry not to listen on used ports!

Richard

___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: Automatic Firewall software?

2004-10-14 Thread Peter Pauly
Doesn't Portsentry ignore ports that have a service bound to them like
the SSH daemon? In that case, it wouldn't help Brian's problem, since
ssh is running, portsentry would ignore any attacks to port 22, right?


Re: Automatic Firewall software?

2004-10-14 Thread Paul Schmehl
Frankly I hadn't thought of that.  You can configure portsentry to monitor 
any port *and* to ignore certain hosts, so I would think it could monitor 
port 22 although I haven't tested it personally.

--On Thursday, October 14, 2004 02:07:24 PM -0500 Peter Pauly
[EMAIL PROTECTED] wrote:

> Doesn't Portsentry ignore ports that have a service bound to them like
> the SSH daemon? In that case, it wouldn't help Brian's problem, since
> ssh is running, portsentry would ignore any attacks to port 22, right?

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


Re: Automatic Firewall software?

2004-10-14 Thread Vulpes Velox
On Thu, 14 Oct 2004 14:07:24 -0500
Peter Pauly [EMAIL PROTECTED] wrote:

> Doesn't Portsentry ignore ports that have a service bound to them
> like the SSH daemon? In that case, it wouldn't help Brian's problem,
> since ssh is running, portsentry would ignore any attacks to port
> 22, right?

Move it and the like to a non-common port if one can. :)


Re: Automatic Firewall software?

2004-10-13 Thread Paul Schmehl
--On Wednesday, October 13, 2004 10:04:24 AM -0400 Brian J. McGovern
[EMAIL PROTECTED] wrote:

> Rather than having to hang over my machine is there any software out
> there that will monitor logs (e.g. /var/log/messages), parse out failed
> logins like this, and run an ipfw command to block it? Perhaps something
> can be done via PAM?

Yes.  Look at the Sentry Tools project at Sourceforge.
(http://sourceforge.net/projects/sentrytools/)  In particular, portsentry
will do exactly what you want.  It will throw up a temporary rule in ipfw
blocking the host.  (I say temporary because when you restart ipfw it will
go away.)  It will also add the host to your /etc/hosts.allow file,
blocking it permanently from accessing privileged services.

> An added extra bonus would be if it would unblock after some period
> of time, in case a legit. user bungles their password, and can't get in
> (saves the service call).

It won't do that, but you can just run ipfw show and then delete the rule.
Then you can add that host to the portsentry.ignore file, and it will never
happen again.  (Or you can do it proactively if you know the hosts or
networks your users will be coming from.)

I've been using it for years.  Works very well, but be careful.  On a large 
server with lots of activity, you probably want to start by not blocking 
anything until you're comfortable with your ignore file.

I also use logsentry on a number of hosts.  Very nice program.  Both are 
well written and quite mature.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
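
Added example, not part of the thread and not portsentry's own code: a sketch of what Brian asked for, parsing failed sshd logins, producing an ipfw deny rule per offending host, skipping ignore-listed networks, and producing the delete command once a block has expired. The log lines are constructed, and the threshold, block duration and rule-number range are assumptions; the commands are only printed, never run.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in sshd's syslog format (not taken from the thread).
SAMPLE_LOG = """\
Oct 13 09:58:01 host sshd[411]: Failed password for root from 203.0.113.7 port 4001 ssh2
Oct 13 09:58:03 host sshd[411]: Failed password for illegal user admin from 203.0.113.7 port 4002 ssh2
Oct 13 09:58:05 host sshd[412]: Failed password for root from 203.0.113.7 port 4003 ssh2
Oct 13 09:59:10 host sshd[420]: Failed password for brian from 192.0.2.10 port 5100 ssh2
Oct 13 10:00:00 host sshd[421]: Failed password for root from 198.51.100.9 port 6000 ssh2
Oct 13 10:00:02 host sshd[421]: Failed password for root from 198.51.100.9 port 6001 ssh2
Oct 13 10:00:04 host sshd[421]: Failed password for root from 198.51.100.9 port 6002 ssh2
"""
FAILED = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ sshd\[\d+\]: Failed password for "
                    r"(?:(?:invalid|illegal) user )?\S+ from (\d+\.\d+\.\d+\.\d+) ")
THRESHOLD = 3                      # failures before a host is blocked (assumed policy)
BLOCK_FOR = timedelta(minutes=30)  # how long a block lasts (assumed policy)
BASE_RULE = 20000                  # hypothetical ipfw rule-number range for blocks

def plan_blocks(log_text, ignore=(), year=2004):
    """Return {ip: (rule_number, expiry)} for hosts that reach THRESHOLD failures."""
    nets = [ipaddress.ip_network(n) for n in ignore]
    failures, blocks = defaultdict(int), {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        # syslog timestamps carry no year, so the caller supplies it
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        if any(ipaddress.ip_address(ip) in n for n in nets):
            continue               # ignore-listed hosts are never blocked
        failures[ip] += 1
        if failures[ip] >= THRESHOLD and ip not in blocks:
            blocks[ip] = (BASE_RULE + len(blocks), when + BLOCK_FOR)
    return blocks

def block_commands(blocks):
    return [f"ipfw add {rule} deny ip from {ip} to any" for ip, (rule, _) in blocks.items()]

def expire_commands(blocks, now):
    """Commands that lift expired blocks, so a user who fumbled a password gets back in."""
    return [f"ipfw delete {rule}" for rule, expiry in blocks.values() if expiry <= now]

if __name__ == "__main__":
    blocks = plan_blocks(SAMPLE_LOG, ignore=["198.51.100.0/24"])
    now = datetime(2004, 10, 13, 10, 30)
    print(*block_commands(blocks), *expire_commands(blocks, now), sep="\n")
```

As Paul notes for portsentry's rules, rules added this way disappear when ipfw is restarted, so the block state would have to be kept outside the firewall to survive one.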