From owner-freebsd-questions@FreeBSD.ORG Thu Dec 4 07:17:19 2008
Date: Thu, 4 Dec 2008 00:17:17 -0700
From: "Tim Judd" <tajudd@gmail.com>
To: "Daniel Bye", "FreeBSD Questions"
In-Reply-To: <20081204025357.GD19575@torus.slightlystrange.org>
Subject: Re: Firewalls using a DNSbl (and distributed ssh attacks)

On Wed, Dec 3, 2008 at 7:53 PM, Daniel Bye wrote:
> On Wed, Dec 03, 2008 at 07:43:26PM -0600, Jeffrey Goldberg wrote:
> > It's not a big issue, but I'm wondering if there is a DNSBl that lists
> > IPs that are engaging in brute force ssh attacks. And if there is
> > such a list, is there a way to integrate that information into a
> > firewall or sshd.
> >
> > As I've said this really isn't a big issue for me, as the brute force
> > attempts at sshd are nothing but an annoyance as I review logs.
> >
> > The attacks that I'm seeing appear to be coordinated and distributed.
> > That is, there will be one attempt on username "fred" from one IP
> > immediately followed by an attempt on "freddy" from another IP
> > followed by an attempt on "fredrick" from a third source and so on.
>
> I don't know of any DNSbl type service, but I am using DenyHosts with
> very great success. Its synchronisation feature allows participating
> instances of the script to share IP addresses of misbehaving hosts,
> so as soon as an address hits the database, it's only a matter of an
> hour or so before your instance can start blocking it.
>
> The basic setup uses TCP wrappers to block offending hosts, but I am
> using the datafile it maintains as a file-based table in pf, which I
> reload periodically from a cronjob.
>
> Dan
>
> --
> Daniel Bye
>                                                                  _
>                                              ASCII ribbon campaign ( )
>                                - against HTML, vCards and           X
>                                - proprietary attachments in e-mail / \
>

Depending on the role of the machine, I've started to firewall off remote ssh connects to my machines except for the hosts I use: a dyndns hostname, with pf querying DNS, plus the static IPs that I have at the office.
All others don't need access, and if push comes to shove, I can update the dyndns IP with anything I'm behind, allow DNS propagation (an hour?), and then connect. Works quite well.

pf example:

  block in on fxp0 all
  pass in on fxp0 inet proto tcp from { , "sub.dyndnsorg.tld" } to port 22 keep state flags S/SA

When you implement this, the firewall sees no existing state (I think) and will kill your connection. If you didn't typo the firewall rule, you can connect right back.

--TJ
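Dan's cron-reloaded pf table, written out as an added example (this is not code from the thread or from DenyHosts itself); the deny-file path, the table file path and the table name are assumptions, and the pf.conf lines in the comments show how the table would be referenced:

```shell
#!/bin/sh
# Added example: turn the DenyHosts deny file into a pf table and reload it,
# in the way Dan describes doing from cron.
# Assumed paths: DENY_FILE is where DenyHosts writes "sshd: A.B.C.D" lines
# (HOSTS_DENY in denyhosts.cfg); TABLE_FILE is what pf.conf points at, e.g.
#   table <bruteforce> persist file "/var/db/pf.bruteforce"
#   block in quick on fxp0 proto tcp from <bruteforce> to port 22
DENY_FILE="${DENY_FILE:-/etc/hosts.deniedssh}"
TABLE_FILE="${TABLE_FILE:-/var/db/pf.bruteforce}"
TABLE_NAME="bruteforce"

# Print one IPv4 address per line from the DenyHosts file given as $1.
# Only lines of the form "sshd: A.B.C.D" are accepted and every octet is
# range-checked, so a malformed or hostile line in the shared data cannot
# be pushed into the ruleset; duplicates are collapsed.
extract_deny_ips() {
    awk '
        $1 == "sshd:" && $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            n = split($2, o, ".")
            ok = 1
            for (i = 1; i <= n; i++) if (o[i] + 0 > 255) ok = 0
            if (ok) print $2
        }' "$1" | sort -u
}

# Write the table file atomically, then ask pf to swap the table contents.
reload_table() {
    tmp="$(mktemp "${TABLE_FILE}.XXXXXX")" || return 1
    if ! extract_deny_ips "$DENY_FILE" > "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$TABLE_FILE" || return 1
    # "-T replace" installs the new set in one step, so entries that
    # DenyHosts has expired drop out instead of accumulating forever.
    pfctl -t "$TABLE_NAME" -T replace -f "$TABLE_FILE"
}

# Run from cron as: /path/to/this.sh --run
if [ "${1:-}" = "--run" ]; then
    reload_table
fi
```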