From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
Date: Mon, 11 Jan 2010 15:25:04 +0000
To: Anton Shterenlikht
Cc: freebsd-questions@freebsd.org
Subject: Re: denying spam hosts ssh access - good idea?
In-Reply-To: <20100111140105.GI61025@mech-cluster241.men.bris.ac.uk>

Anton Shterenlikht wrote:
> I'm thinking of denying ssh access to host from which
> I get brute force ssh attacks.
>
> However, I see in /etc/hosts.allow:
>
> # Wrapping sshd(8) is not normally a good idea, but if you
> # need to do it, here's how
> #sshd : .evil.cracker.example.com : deny
>
> Why is it not a good idea?

Probably because ssh is likely to be the only method of login access you
have to a remote server, and hosts.allow could conceivably be spoofed into
blocking your legitimate access? In any case, hosts.allow is a poor
relation to using a real firewall -- it has no access to the lower level
bits of the networking code, so has to allow a full tcp connection setup
before it can block anything. Some daemons allow quite a lot of
interaction with the remote site when using hosts.allow functionality --
e.g. sendmail will apparently go through all of the stages of accepting an
incoming e-mail from a denied host, right up to the 'MAIL FROM...' section
of the SMTP transaction where it will respond with a 500 permanent failure
error code. [admittedly this does have the benefit that the other side
will then immediately give up trying to send the message if it's playing
by the RFC rules. (Most spam-bots don't, of course.) Otherwise, you'd get
the remote side retrying the message several times an hour over the next
5 days before it timed out and gave up.

> Also, apparently in older ssh there was DenyHosts option,
> but no longer in the current version.
> Is there a replacement for DenyHosts?
> Or is there a good reason for such option not to be used?

I believe you can do something like this:

    match address 192.168.23.0/24,172.16.0.0/16
        ForceCommand /usr/sbin/nologin

but this is not foolproof, as it is run via the users' login shell and a
sufficiently cunning person can arrange for all sorts of interesting
things to happen from their shell initialization files...

	Cheers,

	Matthew

--
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
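The reply above argues that the right place to cut off a brute-forcing host is the firewall rather than hosts.allow, and that whatever mechanism you choose must not be able to lock you out of your own box. As an added example (not part of the thread, and not Anton's or Matthew's code), the following Python script does the detection half of that job: it counts "Failed password" lines per source address inside a sliding time window, leaves an operator-defined exempt address alone, and builds the pfctl(8) command that would load the offenders into a pf table. The log lines are constructed, the table name "bruteforce" is an assumption, and the command is only returned as a list, never executed.

```python
"""Flag SSH brute-force sources from sshd log lines and build a pf table
load command.  Added example: the log lines below are constructed, and the
pf table name 'bruteforce' is an assumption, not a FreeBSD default."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of sshd auth-log lines (syslog format, year omitted).
# 198.51.100.7 fails five times in ten seconds; 203.0.113.5 fails five times
# but twenty minutes apart; 192.0.2.10 is a legitimate user with one typo.
SAMPLE_LOG = """\
Jan 11 15:01:02 host sshd[4101]: Failed password for root from 198.51.100.7 port 51022 ssh2
Jan 11 15:01:04 host sshd[4102]: Failed password for invalid user admin from 198.51.100.7 port 51030 ssh2
Jan 11 15:01:07 host sshd[4103]: Failed password for root from 198.51.100.7 port 51041 ssh2
Jan 11 15:01:09 host sshd[4104]: Failed password for root from 198.51.100.7 port 51055 ssh2
Jan 11 15:01:12 host sshd[4105]: Failed password for invalid user test from 198.51.100.7 port 51060 ssh2
Jan 11 15:02:30 host sshd[4110]: Failed password for anton from 192.0.2.10 port 40022 ssh2
Jan 11 15:02:45 host sshd[4111]: Accepted publickey for anton from 192.0.2.10 port 40023 ssh2
Jan 11 15:20:00 host sshd[4120]: Failed password for root from 203.0.113.5 port 33001 ssh2
Jan 11 15:40:00 host sshd[4121]: Failed password for root from 203.0.113.5 port 33002 ssh2
Jan 11 16:00:00 host sshd[4122]: Failed password for root from 203.0.113.5 port 33003 ssh2
Jan 11 16:20:00 host sshd[4123]: Failed password for root from 203.0.113.5 port 33004 ssh2
Jan 11 16:40:00 host sshd[4124]: Failed password for root from 203.0.113.5 port 33005 ssh2
"""

# Matches only failed password attempts, with or without "invalid user".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(text, year=2010):
    """Yield (timestamp, source_ip) for every failed-password line."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        yield ts, m.group("ip")


def brute_force_sources(text, threshold=5, window_minutes=10, exempt=frozenset()):
    """Return the set of source IPs that reach `threshold` failures within
    any sliding window of `window_minutes`.  Addresses in `exempt` (your own
    management hosts) are never returned, so you cannot block yourself."""
    window = timedelta(minutes=window_minutes)
    per_ip = defaultdict(list)
    for ts, ip in parse_failures(text):
        if ip not in exempt:
            per_ip[ip].append(ts)
    offenders = set()
    for ip, stamps in per_ip.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            # Slide the window start forward until it covers at most `window`.
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                offenders.add(ip)
                break
    return offenders


def pf_table_command(ips, table="bruteforce"):
    """Build the pfctl(8) argv that would add `ips` to a pf table.  Returned
    as a list for review; nothing here runs it.  Table name is an assumption."""
    if not ips:
        return None
    return ["pfctl", "-t", table, "-T", "add", *sorted(ips)]


if __name__ == "__main__":
    bad = brute_force_sources(SAMPLE_LOG, exempt={"192.0.2.10"})
    print("offenders:", sorted(bad))
    print("would run:", " ".join(pf_table_command(bad)))
```

With the default ten-minute window only 198.51.100.7 is flagged; 203.0.113.5 spreads its attempts too thinly and only shows up if the window is widened to cover its whole run. The exempt set is the defence against the lock-out risk the reply warns about: put the addresses you administer from in it before you ever wire the output into pfctl.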