Date: Thu, 9 Sep 2004 11:44:00 -0400
From: Mike Hauber <m.hauber@mchsi.com>
To: freebsd-questions@freebsd.org
Subject: Re: Tar pitting automated attacks
Message-ID: <200409091144.00787.m.hauber@mchsi.com>
In-Reply-To: <LOBBIFDAGNMAMLGJJCKNGEEHEPAA.tedm@toybox.placo.com>
References: <LOBBIFDAGNMAMLGJJCKNGEEHEPAA.tedm@toybox.placo.com>
On Thursday 09 September 2004 11:00 am, Ted Mittelstaedt proclaimed:
> > -----Original Message-----
> > From: owner-freebsd-questions@freebsd.org
> > [mailto:owner-freebsd-questions@freebsd.org]On Behalf Of Mike Hauber
> > Sent: Wednesday, September 08, 2004 9:35 AM
> > To: freebsd-questions@freebsd.org
> > Subject: Re: Tar pitting automated attacks
> >
> > I realize this is probably a dumb question (I quietly
> > drop everything incoming unless it's keep-state, and I
> > only allow ssh internally)...
> >
> > If you're needing to ssh to your machine from a limited
> > range of IPs, then why not tell your PF to drop
> > incoming unless it's within that range?
>
> Yes, that is how it is usually done. But the OP's goal
> was to tie up the attacker's resources so the attacker
> cannot go and bang on other people.
>
> Blocking access to the ssh port to most of the Internet
> actually helps the attacker, because the attacker will
> attempt to open a connection, and 5 minutes later when
> the connection open has still not completed, the attacker
> will mark off that IP and continue onto attacking the
> next person.
>
> So it comes down to what do you want - if you want to
> clean your logs and not be attacked, then use port
> filtering, otherwise if you want to waste attackers'
> resources, make sure your ssh port is available, and use
> good passwords so an attack won't succeed.
>
> tarpitting is equivalent to port filtering from the
> attackers' point of view - they know how to detect a tar
> pit and will move on and not get stuck in it.
>
> Ted

That makes sense... I haven't gotten so much into security that I would want to "invite" a potential cracker. I would just as soon they go and bug someone else (who knows, maybe it will result in more BSD admins. :) )

How difficult would it be to have a "dummy" system set up on the LAN where incoming SSH could be transparently routed to?

In fact (and even the idea gives me the creeps), how difficult would it be to change "root" to something else, and then create a dummy root account? I mean, if one is attempting to get a cracker to waste his time, then why not wet his whistle and let him think he's actually getting somewhere?

I don't know anything about this kind of thing (I'm just not devious enough, I guess). How should I go about googling this to learn more? Is there a term for it?

Thx,
Mike
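The dummy host Mike describes is what is usually called a honeypot, and the transparent routing he asks about is a PF redirect. The pf.conf fragment below is an added illustration, not configuration from the thread or from any of its posters: the admin range reaches the real sshd, every other SSH connection is rewritten to an isolated dummy host on the LAN, and the dummy host is kept from reaching the rest of the LAN. Interface names, address ranges and the honeypot address are assumptions.

```pf
# Added example, not from the thread. Names and addresses are assumed.
ext_if    = "fxp0"            # assumed external interface
int_if    = "xl0"             # assumed LAN interface
int_net   = "192.168.1.0/24"  # assumed LAN range
admin_net = "203.0.113.0/24"  # assumed range you ssh in from (single CIDR,
                              # because "! { list }" does not negate a list)
honeypot  = "192.168.1.250"   # assumed dummy host; NOT the real server

set skip on lo0

# rdr is evaluated before the filter rules: SSH from anywhere outside the
# admin range is rewritten to the dummy host before it is ever passed.
rdr on $ext_if proto tcp from ! $admin_net to $ext_if port 22 -> $honeypot port 22

# Default deny, logged, so the attempts still show up in pflog.
block in log on $ext_if all

# Admin range gets the real sshd on this box.
pass in on $ext_if proto tcp from $admin_net to $ext_if port 22 \
    flags S/SA keep state

# Everyone else has already been rewritten by rdr and lands on the honeypot.
pass in on $ext_if proto tcp from any to $honeypot port 22 \
    flags S/SA keep state

# Contain the dummy host: whatever happens on it must not reach the LAN or
# the firewall itself. Log it; this traffic is the interesting part.
block in log on $int_if from $honeypot to $int_net
block in log on $int_if from $honeypot to $int_if

# The firewall's own outbound traffic, stateful.
pass out on $ext_if proto { tcp udp icmp } all keep state
```

Note that the redirect only makes sense if the dummy host really is throwaway: it will be reached by whoever connects, so it should hold nothing of value and be watched (pflog plus its own auth log) rather than trusted.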
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200409091144.00787.m.hauber>