From owner-freebsd-questions@FreeBSD.ORG Fri Mar 5 16:30:42 2010
From: Kevin Kinsey
Date: Fri, 05 Mar 2010 10:30:15 -0600
To: mikel king
Cc: John , freebsd-questions@freebsd.org, Programmer In Training
Subject: Re: Thousands of ssh probes
Message-ID: <4B913197.9000903@daleco.biz>
References: <20100305125446.GA14774@elwood.starfire.mn.org> <4B910139.1080908@joseph-a-nagy-jr.us> <20100305132604.GC14774@elwood.starfire.mn.org>

mikel king wrote:
>
> Way back about 10 years ago, I was playing around with IPFW a lot. I
> wrote a script to update IPFW from changes made to a MySQL db. It was a
> just-for-fun project that turned out to be rather useful. I have some
> developers that I managed who, like you, were road warriors. They logged
> in to the https web page w/ their username and password, which grabbed
> their IP address and stored it in a table with their login id.
>
> The script, called fud (for firewall update daemon), connected to the db
> and ran a query to check for any rule changes. If there were, it would
> apply them to the rule set and clear the change flag. Using this
> combination I was able to allow ssh access only to the necessary IP
> addresses.
>

We use a similar approach but only rely on tcpwrappers. Here's what we
do (simplified & obfuscated slightly), just for reference (or, maybe
commentary :-D )

On server:

[505] Fri 05.Mar.2010 10:21:37 [admin@foo][~] cat /etc/hosts.allow | grep sshd
# Wrapping sshd(8) is not normally a good idea, but if you
sshd: /var/tmp/skyangel.ip : allow
sshd: all : deny

On "skyangel":

[13] Fri 05.Mar.2010 10:22:56 [admin@skyangel][~] sudo crontab -l |grep dhcp
@reboot /usr/local/bin/php -q /root/scripts/dhcp.php
* */4 * * * /usr/local/bin/php -q /root/scripts/dhcp.php

"dhcp.php" uses lynx to dump a server-side HTTPS page and sends a secret
in the URI. The server-side page is able to decrypt this and determine
it's really "skyangel", then writes the connecting IP addy to
/var/tmp/skyangel.ip.

KDK
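An added example of the exchange Kevin describes, written for this page and not the poster's own dhcp.php or server-side page (which are not shown). It models both halves: the client builds the query string its cron job would append to the HTTPS URL, and the server checks it and writes the caller's address to a per-host file that a hosts.allow line such as "sshd: /var/tmp/skyangel.ip : allow" can read. The token format (an HMAC over host name and timestamp rather than a static secret, so a value copied out of a web-server log stops working after a few minutes), the file layout, the secret and all function names are assumptions of this example.

```python
"""Added example, not the original poster's scripts: a self-registering
tcpwrappers allow-list.  Token format, paths and names are assumptions."""
import hashlib
import hmac
import ipaddress
import os
import tempfile
import time
from urllib.parse import parse_qs, urlencode

# Assumed: one shared secret known to the road-warrior box and the server.
SECRET = b"replace-with-a-long-random-secret"
MAX_SKEW = 300  # seconds a token stays valid; bounds replay of a logged URI


def make_token(host, ts, secret=SECRET):
    """HMAC-SHA256 over host|timestamp; the URI never carries the secret itself."""
    msg = "{}|{}".format(host, ts).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def client_query(host, now=None):
    """Client side: the query string the cron job would append to the HTTPS URL."""
    ts = int(time.time()) if now is None else now
    return urlencode({"host": host, "ts": ts, "mac": make_token(host, ts)})


def verify_and_register(query, remote_addr, out_dir, now=None, secret=SECRET):
    """Server side: validate the token, then write remote_addr to <out_dir>/<host>.ip.
    Returns the address written, or None when the request is rejected."""
    now = int(time.time()) if now is None else now
    q = parse_qs(query)
    try:
        host, ts, mac = q["host"][0], int(q["ts"][0]), q["mac"][0]
    except (KeyError, IndexError, ValueError):
        return None
    if not host.isalnum():          # host becomes a file name: no '/', '..', etc.
        return None
    if abs(now - ts) > MAX_SKEW:    # stale or replayed token
        return None
    if not hmac.compare_digest(mac, make_token(host, ts, secret)):
        return None
    try:
        ip = ipaddress.ip_address(remote_addr)   # only a real address reaches the file
    except ValueError:
        return None
    path = os.path.join(out_dir, host + ".ip")
    # tcpwrappers re-reads the file on every connection, so write it atomically:
    # sshd must never see an empty or half-written allow list.
    fd, tmp = tempfile.mkstemp(dir=out_dir, prefix="." + host + ".")
    with os.fdopen(fd, "w") as f:
        f.write(str(ip) + "\n")
    os.chmod(tmp, 0o644)
    os.replace(tmp, path)
    return str(ip)


def demo():
    """Run the exchange against a temporary directory with a constructed client
    address (203.0.113.7, a documentation range) and return the outcomes."""
    out_dir = tempfile.mkdtemp()
    q = client_query("skyangel", now=1000)
    ok = verify_and_register(q, "203.0.113.7", out_dir, now=1100)
    with open(os.path.join(out_dir, "skyangel.ip")) as f:
        written = f.read()
    stale = verify_and_register(q, "203.0.113.7", out_dir, now=5000)
    forged = verify_and_register(q.replace("skyangel", "other"), "203.0.113.7", out_dir, now=1100)
    bad_ip = verify_and_register(q, "not-an-ip", out_dir, now=1100)
    traversal = verify_and_register("host=../etc&ts=1000&mac=0", "203.0.113.7", out_dir, now=1100)
    return ok, written, stale, forged, bad_ip, traversal


if __name__ == "__main__":
    print(demo())
```

In a real deployment the server passes the web server's REMOTE_ADDR as remote_addr and /var/tmp as out_dir; the file then holds exactly one address line, which is the form hosts.allow expects for a "/path" client pattern. The timestamp check is what keeps a URI that lands in an access log or proxy cache from being reusable indefinitely.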