From owner-freebsd-questions@FreeBSD.ORG Fri Jun 3 18:02:16 2005
Date: Fri, 3 Jun 2005 14:02:01 -0400 (EDT)
From: Francisco Reyes
To: fbsd_user
Cc: FreeBSD Questions List
Subject: RE: securing SSH, FBSD systems
Message-ID: <20050603135330.K13514@zoraida.natserv.net>

On Fri, 3 Jun 2005, fbsd_user wrote:

> I am running the ipfilter firewall and I ran a test to see who gets access
> to the packet first (i.e. the firewall or the route command). Normally I have
> inbound FTP port 21 denied in my firewall. I changed that rule to
> allow and log so I could see all the packets flow through. I had a
> buddy run FTP to my server over the public internet.
>
> Pass-1. Log shows passive FTP access to my server from the public
> internet.
> Pass-2. First I issued the route blackhole command on the IP address of my
> friend's system. Then I had my friend run the same FTP access request to my
> server. This time the firewall log still shows the inbound packet on port 21
> passing in and out, but my friend's FTP session says connection error.
> Pass-3. Did a route delete for the IP address, had the test rerun, and FTP
> worked as expected.
>
> Conclusion. The route blackhole command gets control after the packet has been
> allowed through the firewall. Since IPFW and PF access the packet the
> same way IPFilter does, does this hold true for all of them?

The short answer is I don't know, but it's possible it's the same.

> The use of the route blackhole command is a specific solution for
> circumstances where the standard public port number cannot be changed
> to some other port number so it's not attacked. I now understand why it's
> a perfect workaround for your SSH attack problem.

Based on the feedback I got, the route command uses a non-linear type of
database, whereas IPFW is just a linear list. My list of IPs to blackhole is
around 400 and growing. That's why in my case I continue to use
route/blackholing.

> PS. I have been using the abuse-reporting-scripts to report this
> kind of stuff to the ISP who owns the attacker's IP address. This has
> resulted in many ISPs terminating the attacker's account.
> You can download the abuse-reporting-scripts from
> http://www.unixguide.net/freebsd/fbsd_installguide/index.php

Thanks for the link. Didn't know about those; however, I often check the IP
of the attacker to see where in the world they are coming from, and a large
number of IPs are coming from China. Not sure how responsive the ISPs there
will be.
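Maintaining a list of a few hundred blackholed hosts by hand, as described above, is error-prone, so here is an added example (not from the thread or from FreeBSD itself) of a POSIX sh script that loads host blackhole routes from a text file using the FreeBSD route(8) syntax. The list file format, the DRY_RUN variable and the function names are this example's own assumptions; it prints the commands by default and only executes them when DRY_RUN=0 is set, which requires root on the FreeBSD box.

```shell
#!/bin/sh
# Added example: bulk-load FreeBSD host blackhole routes from a list file,
# one IPv4 address per line, '#' comments and blank lines allowed.
# Prints the route(8) commands unless DRY_RUN=0 is set in the environment.

DRY_RUN="${DRY_RUN:-1}"

# Accept only dotted-quad IPv4 addresses with each octet in 0-255, so a
# malformed line never turns into a route command.
valid_ipv4() {
    ip="$1"
    case "$ip" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldIFS="$IFS"; IFS=.
    set -- $ip
    IFS="$oldIFS"
    [ "$#" -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# route(8) syntax: 127.0.0.1 is the conventional gateway for a blackhole
# route; -blackhole makes the kernel drop matching packets silently.
blackhole_cmd() {
    printf 'route add -host %s 127.0.0.1 -blackhole\n' "$1"
}

# Process the list file; invalid entries are reported on stderr and skipped.
# Exit status is the number of invalid entries (0 means every line was used).
load_blackholes() {
    file="$1"; bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"
        line="$(printf '%s' "$line" | tr -d ' \t')"
        [ -z "$line" ] && continue
        if ! valid_ipv4 "$line"; then
            echo "skipping invalid entry: $line" >&2
            bad=$((bad + 1)); continue
        fi
        cmd="$(blackhole_cmd "$line")"
        if [ "$DRY_RUN" = 1 ]; then echo "$cmd"; else $cmd; fi
    done < "$file"
    return "$bad"
}

# Constructed sample list (TEST-NET addresses, not real attackers).
sample_list() {
    printf '%s\n' '# blackhole list' '192.0.2.10' '198.51.100.7 # noted 2005-06-03' \
        '' '203.0.113.999' 'not-an-ip'
}
```

Running `sample_list > list.txt; sh blackhole.sh` style usage prints two route commands and reports the two bad lines on stderr; set DRY_RUN=0 only on the machine whose routing table you intend to change.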