Date: Sun, 19 Sep 2004 00:44:33 +0200
From: Willem Jan Withagen <wjw@withagen.nl>
To: freebsd-security@freebsd.org
Subject: Re: Attacks on ssh port
Message-ID: <414CBA51.4060502@withagen.nl>
In-Reply-To: <20040918222819.GG20449@pir.net>
References: <414C2798.7060509@withagen.nl> <6917b781040918103077c76f0c@mail.gmail.com> <414CAC56.8020601@withagen.nl> <6917b781040918150446b7dada@mail.gmail.com> <414CB5EF.7080901@withagen.nl> <20040918222819.GG20449@pir.net>

Peter Radcliffe wrote:

>Willem Jan Withagen <wjw@withagen.nl> probably said:
>
>>I also have portsentry in a rather sensitive mode doing exactly the same
>>thing.
>>Trigger one of the "backdoor" ports, and you're out of my game.
>
>The general problem with this type of reactive filtering is that if
>someone can spoof the source addresses effectively or cause a connection
>from a legitimate host you've just DoSed yourself...
>
>Personally I only allow ssh from known legitimate sources and block the
>rest so the "noise" is in a completely different list.

I do too, on systems that are completely mine.
But I had to "force" this customer to refrain from using ftp/telnet/... with
plain open passwords. And access to this box is required from various remote
locations with yet unknown IPs. So I have little chance there.

As far as I know, you need to go thru a lot of trouble to complete a spoofed
full 3-way handshake just to get my maintenance IP-number blocked.
Next to the fact that there is a rule before the blocked list which lets me in
anyways.... :)

--WjW
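
Added example, not part of the original message or of any poster's configuration: a small Python model of the rule ordering discussed above, with a maintenance allow rule evaluated before a reactive block list. The addresses, trap ports and the assumption that the sensor only reacts to completed TCP handshakes are constructed for illustration.

```python
from ipaddress import ip_address

MAINT_ALLOW = {ip_address("192.0.2.10")}   # constructed maintenance address
TRAP_PORTS = {31337, 12345}                # constructed "backdoor" trap ports
SSH_PORT = 22


class ReactiveFilter:
    """First-match filter: allow rule, then dynamic block list, then ssh."""

    def __init__(self, allow):
        self.allow = set(allow)
        self.blocked = set()

    def observe(self, src, dport, handshake_complete):
        """Trap-port sensor (assumed): block only after a full TCP handshake.

        A bare SYN with a forged source never completes the handshake, so it
        cannot put someone else's address on the block list.
        """
        if dport in TRAP_PORTS and handshake_complete:
            self.blocked.add(ip_address(src))
            return True
        return False

    def decide(self, src, dport):
        """Evaluate rules in order; the first match wins."""
        src = ip_address(src)
        if src in self.allow and dport == SSH_PORT:
            return "pass"      # rule 1: maintenance allow, ahead of the block list
        if src in self.blocked:
            return "block"     # rule 2: reactive block list
        if dport == SSH_PORT:
            return "pass"      # rule 3: ssh open to not-yet-known customer IPs
        return "block"         # default deny


def demo():
    fw = ReactiveFilter(MAINT_ALLOW)
    results = {}
    # Spoofed SYN claiming to be the maintenance host: no handshake, no block.
    results["spoof_listed"] = fw.observe("192.0.2.10", 31337, False)
    # Worst case: the maintenance address does end up on the block list.
    fw.observe("192.0.2.10", 31337, True)
    results["maint_ssh"] = fw.decide("192.0.2.10", SSH_PORT)
    # A legitimate roaming customer host that trips a trap port is locked out.
    fw.observe("198.51.100.7", 12345, True)
    results["customer_ssh"] = fw.decide("198.51.100.7", SSH_PORT)
    results["unknown_ssh"] = fw.decide("203.0.113.5", SSH_PORT)
    return results
```

The allow rule protects only the listed maintenance address; a customer host with an unknown IP that lands on the block list stays locked out until the entry is removed.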