From owner-freebsd-questions@FreeBSD.ORG Thu Sep 9 15:44:26 2004
From: Mike Hauber
To: freebsd-questions@freebsd.org
Date: Thu, 9 Sep 2004 11:44:00 -0400
User-Agent: KMail/1.7
X-Copyright: 2004, Michael C. Hauber. All rights reserved.
X-Notice: Duplication, modification, and/or redistribution are prohibited without proper consent from the author.
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200409091144.00787.m.hauber@mchsi.com>
Subject: Re: Tar pitting automated attacks
Reply-To: m.hauber@mchsi.com
List-Id: User questions

On Thursday 09 September 2004 11:00 am, Ted Mittelstaedt proclaimed:
> > -----Original Message-----
> > From: owner-freebsd-questions@freebsd.org
> > [mailto:owner-freebsd-questions@freebsd.org]On Behalf Of Mike Hauber
> > Sent: Wednesday, September 08, 2004 9:35 AM
> > To: freebsd-questions@freebsd.org
> > Subject: Re: Tar pitting automated attacks
> >
> >
> > I realize this is probably a dumb question (I quietly
> > drop everything incoming unless it's keep-state, and I
> > only allow ssh internally)...
> >
> > If you're needing to ssh to your machine from a limited
> > range of IPs, then why not tell your PF to drop
> > incoming unless it's within that range?
>
> Yes, that is how it is usually done. But the OP's goal
> was to tie up the attacker's resources so the attacker
> cannot go and bang on other people.
>
> Blocking access to the ssh port to most of the Internet
> actually helps the attacker, because the attacker will
> attempt to open a connection, and 5 minutes later when
> the connection open has still not completed, the attacker
> will mark off that IP and continue on to attacking the
> next person.
>
> So it comes down to what you want - if you want to
> clean your logs and not be attacked, then use port
> filtering; otherwise, if you want to waste attackers'
> resources, make sure your ssh port is available, and use
> good passwords so an attack won't succeed.
>
> Tarpitting is equivalent to port filtering from the
> attacker's point of view - they know how to detect a tar
> pit and will move on and not get stuck in it.
>
> Ted
>

That makes sense... I haven't gotten so much into security that I would want to "invite" a potential cracker. I would just as soon they go and bug someone else (who knows, maybe it will result in more BSD admins. :) )

How difficult would it be to have a "dummy" system set up on the LAN where incoming SSH could be transparently routed to?

In fact (and even the idea gives me the creeps), how difficult would it be to change "root" to something else, and then create a dummy root account? I mean, if one is attempting to get a cracker to waste his time, then why not wet his whistle and let him think he's actually getting somewhere?

I don't know anything about this kind of thing (I'm just not devious enough, I guess). How should I go about googling this to learn more? Is there a term for it?

Thx,
Mike
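As an added example, not part of the thread, here is a FreeBSD pf.conf fragment that does both things discussed above: it limits the real sshd to a trusted range, and it transparently redirects everyone else's port 22 to a decoy host on the LAN (the usual term for such a decoy is a honeypot). The interface name, the trusted range and the decoy address are assumed placeholders.

```pf
# Assumed names: em0 faces the Internet; the trusted range and the
# decoy address are constructed placeholders, not real hosts.
ext_if = "em0"
decoy  = "10.51.10.250"
table <trusted> { 192.0.2.0/24, 198.51.100.7 }

# "drop" (pf's default) is what leaves a scanner waiting on an
# unanswered SYN; "return" would answer with a RST instead.
set block-policy drop

# FreeBSD pf requires translation (rdr) rules before filter rules.
# Anyone outside the trusted range who connects to our ssh port is
# silently handed the decoy host instead of the real sshd.
rdr on $ext_if proto tcp from !<trusted> to ($ext_if) port 22 -> $decoy port 22

# Mike's stated baseline: drop all inbound that is not our own state.
# Logging the drops keeps a record of who is knocking on port 22.
block in log on $ext_if

# Option A: only the trusted range reaches the real sshd.
pass in quick on $ext_if proto tcp from <trusted> to ($ext_if) port 22 \
    flags S/SA keep state

# Option B: everyone else was already rewritten to the decoy by the
# rdr above; let that traffic through, logged, so the decoy's sshd
# sees it. Give the decoy its own segment, no real credentials and no
# route back into the LAN, or "transparent" also means "pivot".
pass in log on $ext_if proto tcp from !<trusted> to $decoy port 22 \
    flags S/SA keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; the decoy's replies only return through this box if it is the decoy's default gateway.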