Date: Sat, 18 Sep 2004 18:28:19 -0400
From: Peter Radcliffe
To: "freebsd-security@FreeBSD.ORG"
Subject: Re: Attacks on ssh port
Message-ID: <20040918222819.GG20449@pir.net>
In-Reply-To: <414CB5EF.7080901@withagen.nl>

Willem Jan Withagen probably said:
> I also have portsentry in a rather sensitive mode doing exactly the same
> thing.
> Trigger one of the "backdoor" ports, and you're out of my game.

The general problem with this type of reactive filtering is that if
someone can spoof the source addresses effectively or cause a
connection from a legitimate host you've just DoSed yourself...

Personally I only allow ssh from known legitimate sources and block
the rest so the "noise" is in a completely different list.

P.

-- 
pir
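
The self-lockout described in the message above, as an added example that is not part of the original post: a model of a trap-port reactive blocker, with and without an exemption for trusted sources, next to a static ssh allowlist. The trap ports, trusted network, addresses and function names are all constructed assumptions, not portsentry's actual configuration or behaviour.

```python
import ipaddress

# Constructed sample data: (source address, destination port) of probes seen
# by a portsentry-style listener. Addresses are documentation ranges.
TRAP_PORTS = {31337, 12345}                       # hypothetical "backdoor" trap ports
TRUSTED = [ipaddress.ip_network("192.0.2.0/28")]  # hypothetical admin sources
EVENTS = [
    ("203.0.113.50", 31337),  # scanner hits a trap port
    ("192.0.2.5", 12345),     # trap hit carrying a trusted (possibly spoofed) source
    ("198.51.100.7", 22),     # ordinary ssh attempt, not a trap port
    ("203.0.113.50", 22),     # the scanner tries ssh afterwards
]

def is_trusted(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED)

def reactive_blocklist(events, exempt_trusted):
    """Return the set of sources a trap-port trigger would block."""
    blocked = set()
    for src, port in events:
        if port not in TRAP_PORTS:
            continue
        if exempt_trusted and is_trusted(src):
            continue  # a trigger must never be able to lock out an admin source
        blocked.add(src)
    return blocked

def ssh_allowed_reactive(src, blocked):
    """Reactive policy: ssh open to everyone not yet blocked."""
    return src not in blocked

def ssh_allowed_static(src):
    """Static policy from the message: ssh only from known sources."""
    return is_trusted(src)

def locked_out_admins(blocked):
    """Trusted sources that ended up on the blocklist (the self-inflicted DoS)."""
    return sorted(a for a in blocked if is_trusted(a))

if __name__ == "__main__":
    naive = reactive_blocklist(EVENTS, exempt_trusted=False)
    guarded = reactive_blocklist(EVENTS, exempt_trusted=True)
    print("naive blocklist:", sorted(naive), "locked out:", locked_out_admins(naive))
    print("guarded blocklist:", sorted(guarded))
    for src, port in EVENTS:
        if port == 22:
            print(src, "reactive:", ssh_allowed_reactive(src, guarded),
                  "static:", ssh_allowed_static(src))
```

With the static allowlist, unknown sources never reach sshd at all, so trap-port triggers no longer decide who can log in.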