Date: Mon, 6 Feb 2006 00:47:42 +0100
From: "Daniel A." <ldrada@gmail.com>
To: fbsd_user@a1poweruser.com
Cc: questions@freebsd.org, "Michael A. Alestock" <michaela@maa-net.net>
Subject: Re: IP Banning (Using IPFW)
Message-ID: <5ceb5d550602051547s3fd29ac2lfe4a8053b76879d2@mail.gmail.com>
In-Reply-To: <MIEPLLIBMLEEABPDBIEGIELNHMAA.fbsd_user@a1poweruser.com>
References: <5ceb5d550602051357r27f07864lb408168902a68e12@mail.gmail.com> <MIEPLLIBMLEEABPDBIEGIELNHMAA.fbsd_user@a1poweruser.com>
I know for a fact that if a hacker wants to root a box, the first and least thing he does is to

nmap -p1-65535 -Avv host

And yeah, it does detect services on unusual ports.
And regardless of what you say, assigning nondefault ports is security through obscurity.

On 2/5/06, fbsd_user <fbsd_user@a1poweruser.com> wrote:
> You missed the whole meaning.
> Attackers only scan for the published service port numbers,
> that is what is meant by "portscan the box".
> Those high order port numbers are dynamically
> used during normal session conversation.
> So any response from those port numbers if an
> attacker scanned that high would be meaningless.
> Please check your facts before commenting.
>
> -----Original Message-----
> From: owner-freebsd-questions@freebsd.org
> [mailto:owner-freebsd-questions@freebsd.org]On Behalf Of Daniel A.
> Sent: Sunday, February 05, 2006 4:58 PM
> To: fbsd_user@a1poweruser.com
> Cc: questions@freebsd.org; Michael A. Alestock
> Subject: Re: IP Banning (Using IPFW)
>
>
> On 2/5/06, fbsd_user <fbsd_user@a1poweruser.com> wrote:
> > I find this kind of approach is treating the symptom and not the
> > cause.
> > The basic problem is the services have well published port numbers
> > and attackers beat on those known port numbers. A much simpler
> > approach is to change the standard port numbers to some high order
> > port number. See /etc/services. The SSH logon command allows for a port
> > number and the same for telnet. Your remote users will be the only
> > people knowing your selected port numbers for those services. This
> > way an attacker's port scan will show the well published port numbers
> > as not open so they will pass on attacking those ports on your ip
> > address. This way your bandwidth usage will be reduced as attackers
> > find your ip address as having nothing of interest.
> >
> > This same kind of thing can also be done for port 80 by using the
> > web forwarding function of Zoneedit pointing to a different port for
> > your web server. Only people coming to your site through dns will be
> > forwarded to the correct port.
> >
> > The clear key here is attackers roll through a large range of ip
> > addresses port scanning for open ports. By using nonstandard port
> > numbers for your services you stop the attacker even finding you in
> > the first place.
> >
> > good luck whatever you choose to do.
> You just argued against yourself. If an attacker is genuinely
> interested in rooting someone's box, that attacker will most likely
> portscan the box - and thereby discover that you have assigned
> alternative port numbers to your services.
> Security through obscurity is a bad place to start.
>
> > -----Original Message-----
> > From: owner-freebsd-questions@freebsd.org
> > [mailto:owner-freebsd-questions@freebsd.org]On Behalf Of Michael A.
> > Alestock
> > Sent: Sunday, February 05, 2006 10:42 AM
> > To: questions@freebsd.org
> > Subject: IP Banning (Using IPFW)
> > Importance: High
> >
> >
> > Hello,
> >
> > I was wondering if there's some sort of port available that can actively
> > ban IPs that try and bruteforce a service such as SSH or Telnet, by
> > scanning the /var/log/auth.log log for Regex such as "Illegal User" or
> > "LOGIN FAILURES", and then using IPFW to essentially deny (ban) that IP
> > for a certain period of time or possibly forever.
> >
> > I've seen a very useful one that works for linux (fail2ban), and was
> > wondering if one exists for FreeBSD's IPFW?
> >
> > I've looked around in /usr/ports/security and /usr/ports/net but can't
> > seem to find anything that closely resembles that.
> >
> > Your help would be greatly appreciated.... Thanks in advance!
> >
> > >> Michael A., USA... Loyal FreeBSD user since 2000.
> > _______________________________________________
> > freebsd-questions@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> > To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
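The log-scanning ban that Michael asks about at the start of the thread, as an added example written for this page (it is not code from anyone in the thread, nor from fail2ban or FreeBSD): a POSIX sh script that counts failed logins per source address in an auth.log-style file, matching the sshd "Illegal user"/"Invalid user"/"Failed password" lines and login(1)'s "N LOGIN FAILURES ... FROM host" lines, and prints the ipfw commands that would ban every address at or above a threshold. The sample log lines are constructed; ipfw table 10, rule number 100 and the threshold of 3 are assumptions for the example, and the script prints the ipfw commands rather than running them, so it can be read and tested without touching a firewall.

```shell
#!/bin/sh
# Added example (not from the thread): derive ipfw ban commands from
# failed-login lines in an auth.log-style file.
# Assumptions: table 10 holds banned addresses, rule 100 denies them,
# and the sample lines below are constructed for the demonstration.

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Feb  5 10:41:02 host sshd[812]: Illegal user admin from 203.0.113.5
Feb  5 10:41:05 host sshd[815]: Illegal user oracle from 203.0.113.5
Feb  5 10:41:09 host sshd[819]: Failed password for root from 203.0.113.5 port 51022 ssh2
Feb  5 10:42:30 host sshd[830]: Accepted publickey for alice from 198.51.100.9 port 40001 ssh2
Feb  5 10:43:11 host login: 3 LOGIN FAILURES ON ttyp0 FROM 203.0.113.77
Feb  5 10:44:00 host sshd[842]: Illegal user test from 198.51.100.20
EOF

# failures_per_ip LOGFILE MIN
# Prints "count ip" for every source address with at least MIN failures,
# sorted by address. sshd lines count one failure each; a login(1) line
# "N LOGIN FAILURES ON tty FROM ip" contributes N, as the daemon already
# summed them. Successful logins ("Accepted ...") are never counted.
failures_per_ip() {
    awk -v min="$2" '
        /Illegal user .* from / || /Invalid user .* from / || /Failed password for .* from / {
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
        }
        /LOGIN FAILURES ON .* FROM / {
            n = 1; ip = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "LOGIN") n = $(i - 1)
                if ($i == "FROM") ip = $(i + 1)
            }
            if (ip != "") fails[ip] += n
        }
        END { for (ip in fails) if (fails[ip] >= min) print fails[ip], ip }
    ' "$1" | sort -k2
}

# ban_commands LOGFILE MIN
# Prints, without executing, the ipfw commands that would ban each
# offender. The deny rule is emitted once so it sits before the allow
# rules for ssh/telnet; each address goes into table 10 so it can later
# be lifted with "ipfw table 10 delete <ip>" (the "certain period of
# time" part would be a cron job that does exactly that).
ban_commands() {
    echo 'ipfw add 100 deny ip from "table(10)" to me'
    failures_per_ip "$1" "$2" | while read -r count ip; do
        echo "ipfw table 10 add $ip   # $count failed logins"
    done
}

# Stand-alone run: show what would be banned at a threshold of 3.
ban_commands "$SAMPLE_LOG" 3
```

Run against the real file as `failures_per_ip /var/log/auth.log 3` once the patterns match what your sshd and login actually write (check with `grep -i 'illegal\|invalid\|failures' /var/log/auth.log` first); the counting happens in awk and is independent of the ipfw part, so the output can be reviewed before any rule is loaded.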