From owner-freebsd-questions@FreeBSD.ORG Thu Sep 9 15:00:36 2004
From: "Ted Mittelstaedt" <tedm@toybox.placo.com>
To: freebsd-questions@freebsd.org
Date: Thu, 9 Sep 2004 08:00:31 -0700
Subject: RE: Tar pitting automated attacks
In-Reply-To: <200409081235.20615.m.hauber@mchsi.com>
List-Id: User questions

> -----Original Message-----
> From: owner-freebsd-questions@freebsd.org
> [mailto:owner-freebsd-questions@freebsd.org]On Behalf Of Mike Hauber
> Sent: Wednesday, September 08, 2004 9:35 AM
> To: freebsd-questions@freebsd.org
> Subject: Re: Tar pitting automated attacks
>
>
> I realize this is probably a dumb question (I quietly drop
> everything incoming unless it's keep-state, and I only
> allow ssh internally)...
>
> If you're needing to ssh to your machine from a limited
> range of IPs, then why not tell your PF to drop incoming
> unless it's within that range?

Yes, that is how it is usually done.
But the OP's goal was to tie up the attacker's resources so the attacker cannot go and bang on other people. Blocking access to the ssh port to most of the Internet actually helps the attacker, because the attacker will attempt to open a connection, and 5 minutes later, when the connection open has still not completed, the attacker will mark off that IP and continue on to attacking the next person.

So it comes down to what you want - if you want to clean your logs and not be attacked, then use port filtering; otherwise, if you want to waste attackers' resources, make sure your ssh port is available, and use good passwords so an attack won't succeed.

Tarpitting is equivalent to port filtering from the attacker's point of view - they know how to detect a tar pit and will move on and not get stuck in it.

Ted
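The "drop incoming unless it's within that range" approach Mike describes, written out as a minimal pf.conf. This is an added example for readers of the thread, not a ruleset either poster provided. The interface name `em0`, the table name `ssh_admins`, and the addresses (taken from the RFC 5737 documentation ranges) are placeholders to be replaced with your own management network.

```pf
# Added example (not from the thread): admit ssh only from a small management
# range and silently drop every other inbound connection on the external
# interface. em0, the table name and the addresses are assumptions.
ext_if = "em0"

# Hosts allowed to reach sshd. Kept in a table so entries can be added or
# removed at runtime with `pfctl -t ssh_admins -T add|delete <addr>` without
# reloading the whole ruleset.
table <ssh_admins> persist { 198.51.100.0/24, 203.0.113.7 }

# "drop" sends no RST or ICMP unreachable, so an unauthorised client simply
# times out. Logging the blocked packets keeps a record in pflog of who
# tried, even though nothing ever reaches sshd (and so nothing lands in
# auth.log).
set block-policy drop
block in log on $ext_if all

# Connections the host itself originates; replies are matched by state.
pass out on $ext_if keep state

# ssh from the management table only. State is created on the initial SYN
# (flags S/SA), so the rest of the session is handled by the state table.
pass in on $ext_if proto tcp from <ssh_admins> to ($ext_if) port 22 \
    flags S/SA keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and confirm the loaded rules with `pfctl -sr`. As Ted points out, this is the choice that cleans your logs rather than the one that ties up the attacker: a scanner that gets no response to its SYN moves on to the next address, which is exactly what the block-policy above produces.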