Date: Thu, 4 Dec 2008 00:17:17 -0700
From: "Tim Judd" <tajudd@gmail.com>
To: "Daniel Bye" <freebsd-questions@slightlystrange.org>, "FreeBSD Questions" <freebsd-questions@freebsd.org>
Subject: Re: Firewalls using a DNSbl (and distributed ssh attacks)
Message-ID: <ade45ae90812032317r63a6fd8fvba27a20d6d664cac@mail.gmail.com>
In-Reply-To: <20081204025357.GD19575@torus.slightlystrange.org>
References: <D6D13508-3ED2-4DF3-ACF4-F09EB64784E3@goldmark.org> <20081204025357.GD19575@torus.slightlystrange.org>
On Wed, Dec 3, 2008 at 7:53 PM, Daniel Bye <danielby@slightlystrange.org> wrote:
> On Wed, Dec 03, 2008 at 07:43:26PM -0600, Jeffrey Goldberg wrote:
> > It's not a big issue, but I'm wondering if there is a DNSBl that lists
> > IPs that are engaging in brute force ssh attacks. And if there is
> > such a list, is there a way to integrate that information into a
> > firewall or sshd.
> >
> > As I've said this really isn't a big issue for me, as the brute force
> > attempts at sshd are nothing but an annoyance as I review logs.
> >
> > The attacks that I'm seeing appear to be coordinated and distributed.
> > That is, there will be one attempt on username "fred" from one IP
> > immediately followed by an attempt on "freddy" from another IP
> > followed by an attempt on "fredrick" from a third source and so on.
>
> I don't know of any DNSbl type service, but I am using DenyHosts with
> very great success. Its synchronisation feature allows participating
> instances of the script to share IP addresses of misbehaving hosts,
> so as soon as an address hits the database, it's only a matter of an
> hour or so before your instance can start blocking it.
>
> The basic setup uses TCP wrappers to block offending hosts, but I am
> using the datafile it maintains as a file-based table in pf, which I
> reload periodically from a cronjob.
>
> Dan
>
> --
> Daniel Bye
>                                                                   _
>                                           ASCII ribbon campaign ( )
>                                      - against HTML, vCards and  X
>                             - proprietary attachments in e-mail / \
>

Depending on the role of the machine, I've started to firewall off remote ssh connects to my machines except only the hosts I use. A dyndns hostname + pf querying DNS and the static IPs that I have at the office. All others don't need access, and if push comes to shove, I can update the dyndns IP with anything I'm behind, allow DNS propagation (hour?), and then connect. Works quite well.
pf example:

    # default deny on the external interface
    block in on fxp0 all
    # allow ssh only from the office address and the dyndns hostname
    # (pf resolves the hostname when the ruleset is loaded)
    pass in on fxp0 inet proto tcp from { <workIP>, "sub.dyndnsorg.tld" } to port 22 keep state flags S/SA

When you implement this, the firewall sees no existing state (I think) and will kill your connection. If you didn't typo the firewall rule, you can connect right back.

--TJ
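Dan describes feeding the DenyHosts datafile into a file-based pf table that a cron job reloads, but the thread does not show how. The script below is an added example, not code from either poster or from the DenyHosts project. It assumes DenyHosts is writing its default "sshd: a.b.c.d" lines to /etc/hosts.deny (BLOCK_SERVICE=sshd), that the pf table is named <sshbrute> and backed by /etc/pf.sshbrute, and that the external interface is fxp0 as in Tim's rule; all of those names are placeholders chosen here. The sample hosts.deny content is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): convert a DenyHosts-style
# hosts.deny file into a pf file-based table and swap it in with pfctl.
#
# Assumed pf.conf fragment (names are this example's own choices):
#   table <sshbrute> persist file "/etc/pf.sshbrute"
#   block in quick on fxp0 inet proto tcp from <sshbrute> to port 22
#
# Assumed cron entry (/etc/crontab), reloading every ten minutes:
#   */10 * * * * root /usr/local/sbin/denyhosts-pf.sh

HOSTS_DENY=${HOSTS_DENY:-/etc/hosts.deny}
TABLE_FILE=${TABLE_FILE:-/etc/pf.sshbrute}
TABLE_NAME=${TABLE_NAME:-sshbrute}

# Read hosts.deny-format text on stdin and emit one unique IPv4 address per
# line. DenyHosts writes a "# DenyHosts: <timestamp> | sshd: <ip>" comment
# before each entry (assumption), so comment lines are skipped, as is any
# field that is not a dotted quad, so a malformed entry cannot reach pf.
denyhosts_to_table() {
    awk -F'[:[:space:]]+' '
        /^[[:space:]]*#/ || NF < 2 { next }
        $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $2 }
    ' | sort -u
}

# Rebuild the table file atomically (write to a temp file, then rename) and
# replace the kernel table contents with it. "pfctl -T replace" makes the
# table match the file exactly, so addresses DenyHosts has purged drop out
# of the firewall too, instead of accumulating forever.
reload_table() {
    src=$1; file=$2; table=$3
    tmp="$file.tmp.$$"
    denyhosts_to_table < "$src" > "$tmp" || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$file"
    pfctl -t "$table" -T replace -f "$file"
}

# Constructed sample input, standing in for a real /etc/hosts.deny.
SAMPLE_HOSTS_DENY='# DenyHosts: Wed Dec  3 20:11:02 2008 | sshd: 192.0.2.10
sshd: 192.0.2.10
sshd: 198.51.100.7
# a stray comment line
sshd: 192.0.2.10
sshd: not-an-address'

# Show what would be loaded from the constructed sample. The real reload,
# reload_table "$HOSTS_DENY" "$TABLE_FILE" "$TABLE_NAME", needs root and a
# running pf, so it is only invoked when this script is passed "--reload".
printf '%s\n' "$SAMPLE_HOSTS_DENY" | denyhosts_to_table
if [ "${1:-}" = "--reload" ]; then
    reload_table "$HOSTS_DENY" "$TABLE_FILE" "$TABLE_NAME"
fi
```

Because the table is declared with `persist file`, pf also loads it at boot from the file, so a reboot between cron runs does not leave the ssh port unprotected. The dyndns-based allow rule from Tim's message can sit after the block rule; only the table reload, not the whole ruleset, changes on each cron run, so the DNS lookup for the hostname is not repeated every ten minutes.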
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?ade45ae90812032317r63a6fd8fvba27a20d6d664cac>