Re: IP Banning (Using IPFW)

2006-02-09 Thread Daniel A.
On 2/9/06, Chris [EMAIL PROTECTED] wrote:
 On 07/02/06, David Scheidt [EMAIL PROTECTED] wrote:
 
  On Tue, Feb 07, 2006 at 12:40:22AM +0200, Atis wrote:
   On Sun, 5 Feb 2006 18:55:13 -0500
   David Scheidt [EMAIL PROTECTED] wrote:
  
   
Nonsense.  There may be some people that only scan well-known ports,
but it's much more common to scan every port on a machine.  If you're
running a server on a non-standard port, an attacker will find it.
   
  
   sure, but 99% of the time the machines attacking your server are zombies
   that do not care to do a full portscan. i suppose the purpose is to
   find other misconfigured, easy-to-hack computers on the network. by
   putting your services on non-standard ports you get rid of these
   mindless drones and don't pollute log files with useless garbage.
  
   now if somebody _does_ actually target your server in particular then
   this is definitely not the solution.
  
   anywayz, putting things on non-standard ports helps a lot, and is
   one of the first and easiest security measures an administrator
   may consider.
  
 
  Taking your clothes off and painting yourself blue is also one of the
  first and easiest security measures to consider.  It's even more
  effective, too.  I know of no machine that's been cracked that had a
  wheel naked and painted blue.  I've seen lots running standard
  services on non-standard ports.
 
  Security through obscurity doesn't work, it makes tracking down
  other problems harder, and creates work to maintain non-standard
  configurations.


 I understand his point. I see 2 types of problems we have to deal with.  The
 thousands of drones that scan for boxes that are vulnerable to a specific
 exploit will often scan IP ranges on a specific port and, if it's open,
 see if it's vulnerable.  For these types of intruders changing ports is very
 effective, since you would simply be skipped past on their scan; for most of
 us 99% of attempted intrusions are zombie based or some script a kid has
 downloaded off the web.

 The argument against changing ports is of course when you have a persistent
 hacker who wants in; he will of course scan all the ports and find the
 service, and this type of protection is nullified.  In this scenario, if you
 haven't taken additional measures to secure the box then you may be in
 trouble.

 I personally move things like sshd off its normal port simply to stop my logs
 being flooded with brute force logins, and since I am the only one who uses
 ssh there is no downside to it. I of course don't rely on this alone and keep
 my software up to date amongst other security measures; it is simply an extra
 layer of skin on the onion.  For things like httpd I keep on port 80 as I
 think moving the port of that is more hassle than it's worth.
I've seen someone mention how to move httpd to a non-reserved port (i.e.
8080), and let that change be transparent for the end-user by using
ipf. I don't know how, though.

 Chris
 ___
 freebsd-questions@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/freebsd-questions
 To unsubscribe, send any mail to [EMAIL PROTECTED]



Re: IP Banning (Using IPFW)

2006-02-08 Thread Chris
On 07/02/06, David Scheidt [EMAIL PROTECTED] wrote:

 On Tue, Feb 07, 2006 at 12:40:22AM +0200, Atis wrote:
  On Sun, 5 Feb 2006 18:55:13 -0500
  David Scheidt [EMAIL PROTECTED] wrote:
 
  
   Nonsense.  There may be some people that only scan well-known ports,
   but it's much more common to scan every port on a machine.  If you're
   running a server on a non-standard port, an attacker will find it.
  
 
  sure, but 99% of the time the machines attacking your server are zombies
  that do not care to do a full portscan. i suppose the purpose is to
  find other misconfigured, easy-to-hack computers on the network. by
  putting your services on non-standard ports you get rid of these
  mindless drones and don't pollute log files with useless garbage.
 
  now if somebody _does_ actually target your server in particular then
  this is definitely not the solution.
 
  anywayz, putting things on non-standard ports helps a lot, and is
  one of the first and easiest security measures an administrator
  may consider.
 

 Taking your clothes off and painting yourself blue is also one of the
 first and easiest security measures to consider.  It's even more
 effective, too.  I know of no machine that's been cracked that had a
 wheel naked and painted blue.  I've seen lots running standard
 services on non-standard ports.

 Security through obscurity doesn't work, it makes tracking down
 other problems harder, and creates work to maintain non-standard
 configurations.


I understand his point. I see 2 types of problems we have to deal with.  The
thousands of drones that scan for boxes that are vulnerable to a specific
exploit will often scan IP ranges on a specific port and, if it's open,
see if it's vulnerable.  For these types of intruders changing ports is very
effective, since you would simply be skipped past on their scan; for most of
us 99% of attempted intrusions are zombie based or some script a kid has
downloaded off the web.

The argument against changing ports is of course when you have a persistent
hacker who wants in; he will of course scan all the ports and find the
service, and this type of protection is nullified.  In this scenario, if you
haven't taken additional measures to secure the box then you may be in
trouble.

I personally move things like sshd off its normal port simply to stop my logs
being flooded with brute force logins, and since I am the only one who uses
ssh there is no downside to it. I of course don't rely on this alone and keep
my software up to date amongst other security measures; it is simply an extra
layer of skin on the onion.  For things like httpd I keep on port 80 as I
think moving the port of that is more hassle than it's worth.

Chris


Re: IP Banning (Using IPFW)

2006-02-06 Thread Atis
On Sun, 5 Feb 2006 18:55:13 -0500
David Scheidt [EMAIL PROTECTED] wrote:

 
 Nonsense.  There may be some people that only scan well-known ports,
 but it's much more common to scan every port on a machine.  If you're
 running a server on a non-standard port, an attacker will find it.
 

sure, but 99% of the time the machines attacking your server are zombies
that do not care to do a full portscan. i suppose the purpose is to
find other misconfigured, easy-to-hack computers on the network. by
putting your services on non-standard ports you get rid of these
mindless drones and don't pollute log files with useless garbage.

now if somebody _does_ actually target your server in particular then
this is definitely not the solution.

anywayz, putting things on non-standard ports helps a lot, and is
one of the first and easiest security measures an administrator
may consider.


Atis


Re: IP Banning (Using IPFW)

2006-02-06 Thread David Scheidt
On Tue, Feb 07, 2006 at 12:40:22AM +0200, Atis wrote:
 On Sun, 5 Feb 2006 18:55:13 -0500
 David Scheidt [EMAIL PROTECTED] wrote:
 
  
  Nonsense.  There may be some people that only scan well-known ports,
  but it's much more common to scan every port on a machine.  If you're
  running a server on a non-standard port, an attacker will find it.
  
 
 sure, but 99% of the time the machines attacking your server are zombies
 that do not care to do a full portscan. i suppose the purpose is to
 find other misconfigured, easy-to-hack computers on the network. by
 putting your services on non-standard ports you get rid of these
 mindless drones and don't pollute log files with useless garbage.
 
 now if somebody _does_ actually target your server in particular then
 this is definitely not the solution.
 
 anywayz, putting things on non-standard ports helps a lot, and is
 one of the first and easiest security measures an administrator
 may consider.
 

Taking your clothes off and painting yourself blue is also one of the
first and easiest security measures to consider.  It's even more
effective, too.  I know of no machine that's been cracked that had a
wheel naked and painted blue.  I've seen lots running standard
services on non-standard ports.

Security through obscurity doesn't work, it makes tracking down
other problems harder, and creates work to maintain non-standard
configurations.

David


Re: IP Banning (Using IPFW)

2006-02-05 Thread Philip Hallstrom
I was wondering if there's some sort of port available that can actively ban
IPs that try and bruteforce a service such as SSH or Telnet, by scanning the
/var/log/auth.log log for a regex such as "Illegal User" or "LOGIN FAILURES",
and then using IPFW to essentially deny (ban) that IP for a certain period of
time or possibly forever.


I've seen a very useful one that works for linux (fail2ban), and was 
wondering if one exists for FreeBSD's IPFW?


There are some in the ports, but you can write your own pretty easily too.
The one thing I didn't like about the ones in the ports is the app was
responsible for removing the rules after a set amount of time, which
could be a problem if that app crashed for some reason.  You could lock
yourself out permanently...


Here's a quick perl script I wrote that does what you want...

http://pastebin.com/540575

Combine that with these two crontab entries:

0-59/4 * * * * /sbin/ipfw delete 501 > /dev/null 2>&1
2-59/4 * * * * /sbin/ipfw delete 500 > /dev/null 2>&1

-philip
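The design Philip describes, worked through in Python as an added example (this is not his pastebin script and not part of the original thread): the scanner only ever adds ipfw rules under two fixed rule numbers, and the two cron entries above delete those rule sets on a four-minute cycle, so a ban expires even if the scanner itself has died. The rule numbers 500/501 and the cron cadence come from the message; the log patterns, the threshold of five failures, the `/sbin/ipfw add <rule> deny ip from <addr> to any` rule shape and the sample log lines are assumptions constructed for the example.

```python
"""Scan sshd failure lines, count them per source address, and emit ipfw
ban commands under rule number 500 or 501 so that the cron entries
'ipfw delete 501' (minutes 0,4,8,...) and 'ipfw delete 500' (minutes
2,6,10,...) expire the bans without any help from this script.
Added example; patterns, threshold and rule shape are assumptions."""
import re
import subprocess
from collections import Counter
from datetime import datetime

# Failure lines to ban on: the "Illegal user" wording the original poster
# mentions, the newer OpenSSH "Invalid user" wording, and plain password
# failures.  Group 1 captures the source IPv4 address.
FAIL_RE = re.compile(
    r"sshd\[\d+\]: (?:Illegal user \S+ from|Invalid user \S+ from|"
    r"Failed password for (?:invalid user )?\S+ from) (\d+\.\d+\.\d+\.\d+)"
)

THRESHOLD = 5        # failures before an address is banned (assumed value)
RULE_EVEN = 500      # cron deletes this rule set at minutes 2, 6, 10, ...
RULE_ODD = 501       # cron deletes this rule set at minutes 0, 4, 8, ...

# Constructed sample auth.log lines (FreeBSD syslog format), not real traffic.
SAMPLE_LOG = """\
Feb  5 10:41:01 gw sshd[1201]: Illegal user admin from 203.0.113.7
Feb  5 10:41:03 gw sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 40212 ssh2
Feb  5 10:41:05 gw sshd[1203]: Invalid user test from 203.0.113.7
Feb  5 10:41:07 gw sshd[1204]: Failed password for root from 203.0.113.7 port 40213 ssh2
Feb  5 10:41:09 gw sshd[1205]: Failed password for root from 203.0.113.7 port 40214 ssh2
Feb  5 10:41:20 gw sshd[1206]: Failed password for chris from 198.51.100.9 port 51000 ssh2
Feb  5 10:41:25 gw sshd[1207]: Accepted publickey for chris from 198.51.100.9 port 51001 ssh2
Feb  5 10:41:30 gw sshd[1208]: Failed password for chris from 198.51.100.9 port 51002 ssh2
"""


def failures_by_ip(lines):
    """Count matching failure lines per source address."""
    counts = Counter()
    for line in lines:
        m = FAIL_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def rule_number_for(minute):
    """Pick the rule set cron cleared most recently.  A rule added to the
    just-cleared set lives for between two and four minutes; adding to the
    other set could see it deleted within seconds."""
    return RULE_ODD if minute % 4 < 2 else RULE_EVEN


def ban_commands(counts, minute, threshold=THRESHOLD):
    """ipfw commands (as argv lists) for every address over the threshold."""
    rule = str(rule_number_for(minute))
    return [
        ["/sbin/ipfw", "add", rule, "deny", "ip", "from", ip, "to", "any"]
        for ip, n in sorted(counts.items())
        if n >= threshold
    ]


def main(dry_run=True):
    """Dry run prints the commands; on a real host run as root with
    dry_run=False and feed it the tail of /var/log/auth.log."""
    cmds = ban_commands(failures_by_ip(SAMPLE_LOG.splitlines()),
                        datetime.now().minute)
    for cmd in cmds:
        if dry_run:
            print(" ".join(cmd))
        else:
            subprocess.run(cmd, check=True)
    return cmds


if __name__ == "__main__":
    main()
```

One caveat worth keeping in mind with this layout: `ipfw delete 501` removes every rule carrying that number, so nothing else in the ruleset should use 500 or 501, and a ban lives at most four minutes, which is enough to break a brute-force loop but not a permanent block. A longer ban simply means a longer cron interval, at the cost of a longer lockout if your own address ever trips the threshold.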


RE: IP Banning (Using IPFW)

2006-02-05 Thread fbsd_user
I find this kind of approach is treating the symptom and not the
cause.
The basic problem is the services have well published port numbers
and attackers beat on those known port numbers. A much simpler
approach is to change the standard port numbers to some high order
port number. See /etc/services; the SSH logon command allows for a port
number and the same for telnet. Your remote users will be the only
people knowing your selected port numbers for those services. This
way an attacker's port scan will show the well published port numbers
as not open so they will pass on attacking those ports on your IP
address. This way your bandwidth usage will be reduced as attackers
find your IP address as having nothing of interest.

This same kind of thing can also be done for port 80 by using the
web forwarding function of Zoneedit pointing to a different port for
your web server. Only people coming to your site through DNS will be
forwarded to the correct port.

The clear key here is attackers roll through a large range of IP
addresses port scanning for open ports. By using nonstandard port
numbers for your services you stop the attacker from even finding you in
the first place.

Good luck whatever you choose to do.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Michael A.
Alestock
Sent: Sunday, February 05, 2006 10:42 AM
To: [EMAIL PROTECTED]
Subject: IP Banning (Using IPFW)
Importance: High


Hello,

I was wondering if there's some sort of port available that can actively
ban IPs that try and bruteforce a service such as SSH or Telnet, by
scanning the /var/log/auth.log log for a regex such as "Illegal User" or
"LOGIN FAILURES", and then using IPFW to essentially deny (ban) that IP
for a certain period of time or possibly forever.

I've seen a very useful one that works for linux (fail2ban), and was
wondering if one exists for FreeBSD's IPFW?

I've looked around in /usr/ports/security and /usr/ports/net but can't
seem to find anything that closely resembles that.

Your help would be greatly appreciated. Thanks in advance!

 Michael A., USA... Loyal FreeBSD user since 2000.



Re: IP Banning (Using IPFW)

2006-02-05 Thread Daniel A.
On 2/5/06, fbsd_user [EMAIL PROTECTED] wrote:
 I find this kind of approach is treating the symptom and not the
 cause.
 The basic problem is the services have well published port numbers
 and attackers beat on those known port numbers. A much simpler
 approach is to change the standard port numbers to some high order
 port number. See /etc/services; the SSH logon command allows for a port
 number and the same for telnet. Your remote users will be the only
 people knowing your selected port numbers for those services. This
 way an attacker's port scan will show the well published port numbers
 as not open so they will pass on attacking those ports on your IP
 address. This way your bandwidth usage will be reduced as attackers
 find your IP address as having nothing of interest.

 This same kind of thing can also be done for port 80 by using the
 web forwarding function of Zoneedit pointing to a different port for
 your web server. Only people coming to your site through DNS will be
 forwarded to the correct port.

 The clear key here is attackers roll through a large range of IP
 addresses port scanning for open ports. By using nonstandard port
 numbers for your services you stop the attacker from even finding you in
 the first place.

 Good luck whatever you choose to do.
You just argued against yourself. If an attacker is genuinely
interested in rooting someone's box, that attacker will most likely
portscan the box, thereby discovering that you have assigned
alternative port numbers to your services.
Security through obscurity is a bad place to start.

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Michael A.
 Alestock
 Sent: Sunday, February 05, 2006 10:42 AM
 To: [EMAIL PROTECTED]
 Subject: IP Banning (Using IPFW)
 Importance: High


 Hello,

 I was wondering if there's some sort of port available that can actively
 ban IPs that try and bruteforce a service such as SSH or Telnet, by
 scanning the /var/log/auth.log log for a regex such as "Illegal User" or
 "LOGIN FAILURES", and then using IPFW to essentially deny (ban) that IP
 for a certain period of time or possibly forever.

 I've seen a very useful one that works for linux (fail2ban), and was
 wondering if one exists for FreeBSD's IPFW?

 I've looked around in /usr/ports/security and /usr/ports/net but can't
 seem to find anything that closely resembles that.

 Your help would be greatly appreciated. Thanks in advance!

  Michael A., USA... Loyal FreeBSD user since 2000.




RE: IP Banning (Using IPFW)

2006-02-05 Thread fbsd_user
You missed the whole meaning.
Attackers only scan for the published service port numbers;
that is what is meant by "portscan the box".
Those high order port numbers are dynamically
used during normal session conversation.
So any response from those port numbers, if an
attacker scanned that high, would be meaningless.
Please check your facts before commenting.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Daniel A.
Sent: Sunday, February 05, 2006 4:58 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; Michael A. Alestock
Subject: Re: IP Banning (Using IPFW)


On 2/5/06, fbsd_user [EMAIL PROTECTED] wrote:
 I find this kind of approach is treating the symptom and not the
 cause.
 The basic problem is the services have well published port numbers
 and attackers beat on those known port numbers. A much simpler
 approach is to change the standard port numbers to some high order
 port number. See /etc/services; the SSH logon command allows for a port
 number and the same for telnet. Your remote users will be the only
 people knowing your selected port numbers for those services. This
 way an attacker's port scan will show the well published port numbers
 as not open so they will pass on attacking those ports on your IP
 address. This way your bandwidth usage will be reduced as attackers
 find your IP address as having nothing of interest.

 This same kind of thing can also be done for port 80 by using the
 web forwarding function of Zoneedit pointing to a different port for
 your web server. Only people coming to your site through DNS will be
 forwarded to the correct port.

 The clear key here is attackers roll through a large range of IP
 addresses port scanning for open ports. By using nonstandard port
 numbers for your services you stop the attacker from even finding you in
 the first place.

 Good luck whatever you choose to do.
You just argued against yourself. If an attacker is genuinely
interested in rooting someone's box, that attacker will most likely
portscan the box, thereby discovering that you have assigned
alternative port numbers to your services.
Security through obscurity is a bad place to start.

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Michael
A.
 Alestock
 Sent: Sunday, February 05, 2006 10:42 AM
 To: [EMAIL PROTECTED]
 Subject: IP Banning (Using IPFW)
 Importance: High


 Hello,

 I was wondering if there's some sort of port available that can actively
 ban IPs that try and bruteforce a service such as SSH or Telnet, by
 scanning the /var/log/auth.log log for a regex such as "Illegal User" or
 "LOGIN FAILURES", and then using IPFW to essentially deny (ban) that IP
 for a certain period of time or possibly forever.

 I've seen a very useful one that works for linux (fail2ban), and
was
 wondering if one exists for FreeBSD's IPFW?

 I've looked around in /usr/ports/security and /usr/ports/net but can't
 seem to find anything that closely resembles that.

 Your help would be greatly appreciated. Thanks in advance!

  Michael A., USA... Loyal FreeBSD user since 2000.





Re: IP Banning (Using IPFW)

2006-02-05 Thread Daniel A.
I know for a fact that if a hacker wants to root a box, the first and
least thing he does is to
nmap -p1-65535 -Avv host
And yeah, it does detect services on unusual ports. And regardless of
what you say, assigning nondefault ports is security through
obscurity.

On 2/5/06, fbsd_user [EMAIL PROTECTED] wrote:
 You missed the whole meaning.
 Attackers only scan for the published service port numbers;
 that is what is meant by "portscan the box".
 Those high order port numbers are dynamically
 used during normal session conversation.
 So any response from those port numbers, if an
 attacker scanned that high, would be meaningless.
 Please check your facts before commenting.

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Daniel A.
 Sent: Sunday, February 05, 2006 4:58 PM
 To: [EMAIL PROTECTED]
 Cc: [EMAIL PROTECTED]; Michael A. Alestock
 Subject: Re: IP Banning (Using IPFW)


 On 2/5/06, fbsd_user [EMAIL PROTECTED] wrote:
  I find this kind of approach is treating the symptom and not the
  cause.
  The basic problem is the services have well published port numbers
  and attackers beat on those known port numbers. A much simpler
  approach is to change the standard port numbers to some high order
  port number. See /etc/services; the SSH logon command allows for a port
  number and the same for telnet. Your remote users will be the only
  people knowing your selected port numbers for those services. This
  way an attacker's port scan will show the well published port numbers
  as not open so they will pass on attacking those ports on your IP
  address. This way your bandwidth usage will be reduced as attackers
  find your IP address as having nothing of interest.
 
  This same kind of thing can also be done for port 80 by using the
  web forwarding function of Zoneedit pointing to a different port for
  your web server. Only people coming to your site through DNS will be
  forwarded to the correct port.
 
  The clear key here is attackers roll through a large range of IP
  addresses port scanning for open ports. By using nonstandard port
  numbers for your services you stop the attacker from even finding you in
  the first place.
 
  Good luck whatever you choose to do.
 You just argued against yourself. If an attacker is genuinely
 interested in rooting someone's box, that attacker will most likely
 portscan the box, thereby discovering that you have assigned
 alternative port numbers to your services.
 Security through obscurity is a bad place to start.
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] Behalf Of Michael
 A.
  Alestock
  Sent: Sunday, February 05, 2006 10:42 AM
  To: [EMAIL PROTECTED]
  Subject: IP Banning (Using IPFW)
  Importance: High
 
 
  Hello,
 
  I was wondering if there's some sort of port available that can actively
  ban IPs that try and bruteforce a service such as SSH or Telnet, by
  scanning the /var/log/auth.log log for a regex such as "Illegal User" or
  "LOGIN FAILURES", and then using IPFW to essentially deny (ban) that IP
  for a certain period of time or possibly forever.
 
  I've seen a very useful one that works for linux (fail2ban), and
 was
  wondering if one exists for FreeBSD's IPFW?
 
  I've looked around in /usr/ports/security and /usr/ports/net but can't
  seem to find anything that closely resembles that.
 
  Your help would be greatly appreciated. Thanks in advance!
 
   Michael A., USA... Loyal FreeBSD user since 2000.
 
 




Re: IP Banning (Using IPFW)

2006-02-05 Thread David Scheidt
On Sun, Feb 05, 2006 at 05:38:11PM -0500, fbsd_user wrote:
 
 You missed the whole meaning.
 Attackers only scan for the published service port numbers;
 that is what is meant by "portscan the box".
 Those high order port numbers are dynamically
 used during normal session conversation.
 So any response from those port numbers, if an
 attacker scanned that high, would be meaningless.
 Please check your facts before commenting.

Nonsense.  There may be some people that only scan well-known ports,
but it's much more common to scan every port on a machine.  If you're
running a server on a non-standard port, an attacker will find it.
