Re: bruteforce protection howto

2010-03-20 Thread Jamie Griffin
 
 Two pc's:
 
 1 - router
 2 - logger
 
 Situation: someone tries to bruteforce into a server, and the logger
 gets a log about it [e.g.: ssh login failed].
 
 What's the best method to ban that IP [which is bruteforcing a server]
 that was logged on the logger?
 I need to ban the IP on the router pc.
 
 How can i send the bad ip to the router, to ban it?

I was asking about this earlier, I went with pf which is already in the base 
system and also making sshd more secure by using the options in 
/etc/ssh/sshd_config.

Have a look at `man 5 sshd_config` and there is loads of stuff on Google about 
this. So far, I really like what pf can do, check it out. `man pf.conf` and 
again there are lots of old posts on Google, and the OpenBSD pf guide is good 
too:

 https://calomel.org/pf_config.html
 http://www.freebsd.org/doc/handbook/firewalls-pf.html
 http://www.openbsd.org/faq/pf/

   Jamie
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


Re: bruteforce protection howto

2010-03-20 Thread Erik Norgaard

On 20/03/10 23:17, Vadkan Jozsef wrote:

 What's the best method to ban that IP [which is bruteforcing a server]
 that was logged on the logger?
 I need to ban the IP on the router pc.

Take your time to think about whether this is indeed the right solution.

1st: You need to decide which is the right policy to deploy. Basically 
you can opt for a default deny or a default allow. With default deny you 
create white lists for the exceptions that should be allowed. With 
default allow you create black lists. Default deny and default allow 
roughly correspond to the policies of OpenBSD vs. Microsoft Windows.

So, when is white listing an option? When you have a limited set of 
exceptions, for example your local users that need ssh access. If this 
set is limited, consider deploying default deny. On the other hand, this 
is not an option for your web service that you wish to provide for 
anyone anywhere.

Blacklisting is futile (think, did anti-virus solve the virus problem?). 
Intruders may attempt to connect from anywhere; blocking a single IP 
won't solve your problem, most likely the next attempt will not come 
from that IP. This is because these attacks may be launched from a 
number of compromised PCs and because the attacking PC may have a 
dynamically assigned address. So you need to block entire ranges, but 
which?

I recently analysed my maillog to see where attempted spammers connected 
from. I found some 3500 hosts in 1600 ranges (using whois lookup), these 
ranges being typically /16. I haven't tried with ssh but I doubt it 
would be much different.

If on top of this you make some auto-respond system, you expose yourself 
to a denial of service attack, blindly blocking anything that creates a 
log entry.

Whether you use white or black listing, this is effective only if you can 
make informed decisions. If you don't do business with, say, China and you 
know that 25% of all spam originates from China, it is only rational to 
block access from China.

But, whenever possible, use white listing.

BR, Erik

--
Erik Nørgaard
Ph: +34.666334818/+34.915211157  http://www.locolomo.org
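Putting the two replies together, here is an added example (not code posted by Jamie, Erik or the original poster) of what the logger-to-router setup from the question looks like with pf: a POSIX sh script that counts failed sshd logins per source address, skips a whitelist of known users, and only then emits the `pfctl` table commands for the router, plus the router-side pf.conf ruleset those commands feed into. Everything concrete in it is assumed for illustration: the router is reachable as host "router" with key-based ssh, its external interface is em0, the table is named <bruteforce>, the log lines are constructed samples in the standard sshd "Failed password ... from <ip>" form, and the addresses come from the documentation ranges. Note that pf's own `max-src-conn-rate` overload counts TCP connections, not failed logins, which is why the log-side count is still useful.

```shell
#!/bin/sh
# Added example for this thread, not code from the original posts.
# Assumptions (hypothetical): the server's sshd auth log lines reach the
# logger in the standard "Failed password for ... from <ip>" form, the
# router runs pf with a persistent table <bruteforce>, and the logger can
# reach the router with key-based ssh as the host "router".  With DRY_RUN=1
# (the default) nothing is sent to the router; the commands are printed.

THRESHOLD=${THRESHOLD:-3}            # failed logins before an IP is listed
WHITELIST=${WHITELIST:-'192.0.2.10'} # never-ban list: the local users' IPs
DRY_RUN=${DRY_RUN:-1}

# Constructed sample log lines (documentation-range addresses, not real traffic).
SAMPLE_LOG='Mar 20 23:01:02 srv sshd[1234]: Failed password for root from 198.51.100.7 port 4001 ssh2
Mar 20 23:01:05 srv sshd[1234]: Failed password for root from 198.51.100.7 port 4002 ssh2
Mar 20 23:01:09 srv sshd[1235]: Failed password for invalid user admin from 198.51.100.7 port 4003 ssh2
Mar 20 23:02:10 srv sshd[1236]: Failed password for jamie from 192.0.2.10 port 5001 ssh2
Mar 20 23:02:12 srv sshd[1236]: Failed password for jamie from 192.0.2.10 port 5001 ssh2
Mar 20 23:02:14 srv sshd[1236]: Failed password for jamie from 192.0.2.10 port 5001 ssh2
Mar 20 23:03:00 srv sshd[1237]: Failed password for root from 203.0.113.9 port 6001 ssh2
Mar 20 23:03:30 srv sshd[1238]: Accepted publickey for jamie from 192.0.2.10 port 5002 ssh2'

# offenders: read log lines on stdin, print (sorted) the source IPs with at
# least THRESHOLD failed sshd logins that are not on WHITELIST.  Counting
# before acting is what keeps a single stray or forged log entry from
# banning anyone (the denial-of-service point in Erik's reply); the
# whitelist keeps known users out of the table even if they mistype a password.
offenders() {
    awk -v thr="$THRESHOLD" -v wl="$WHITELIST" '
        BEGIN { n = split(wl, a, " "); for (i = 1; i <= n; i++) white[a[i]] = 1 }
        /sshd\[[0-9]+]: Failed password for / {
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if (ip != "" && !(ip in white)) count[ip]++
        }
        END { for (ip in count) if (count[ip] >= thr) print ip }
    ' | sort
}

# ban_commands: turn one IP per line into the pfctl call that adds it to the
# <bruteforce> table on the router.  The table must be declared "persist" in
# pf.conf, otherwise pfctl has nothing to add to once the ruleset is loaded.
ban_commands() {
    while read -r ip; do
        printf 'pfctl -t bruteforce -T add %s\n' "$ip"
    done
}

# push_bans: run the commands on the router, or just show them in DRY_RUN mode.
push_bans() {
    if [ "$DRY_RUN" = 1 ]; then cat; else ssh router sh; fi
}

# pf_rules: the router-side ruleset the commands above feed into.  Default
# deny inbound; trusted hosts always reach ssh; everyone else is rate-limited
# by pf itself and moved to <bruteforce> on overload.  The <bruteforce> block
# rule is "quick" so it wins regardless of the later pass rules.  Delete the
# last pass rule to turn this into pure white-listing when the set of ssh
# users is small enough, which is the policy Erik's reply recommends.
pf_rules() {
    cat <<'EOF'
ext_if = "em0"
table <trusted> persist { 192.0.2.10 }
table <bruteforce> persist
set block-policy drop
block in on $ext_if all
block in quick on $ext_if from <bruteforce>
pass in quick on $ext_if proto tcp from <trusted> to ($ext_if) port ssh flags S/SA keep state
pass in on $ext_if proto tcp to ($ext_if) port ssh flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 3/30, overload <bruteforce> flush global)
EOF
}

# Run over the constructed sample; in DRY_RUN mode this only prints the
# pfctl command for the one address that crossed the threshold.
printf '%s\n' "$SAMPLE_LOG" | offenders | ban_commands | push_bans
```

In practice the script would run from cron on the logger over the last few minutes of the log rather than over a fixed sample, and `pf_rules` would be pasted into the router's /etc/pf.conf and loaded with `pfctl -f /etc/pf.conf`. On the server side, the `sshd_config` options Jamie points at that matter most for this problem are `PermitRootLogin no`, `PasswordAuthentication no` (keys only, which makes the guessing pointless) and `MaxAuthTries 3`; with those set, the banning is a second line of defence rather than the first.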