From owner-freebsd-questions@FreeBSD.ORG  Mon Jan 11 15:59:55 2010
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id B2BA21065676
	for <freebsd-questions@freebsd.org>;
	Mon, 11 Jan 2010 15:59:55 +0000 (UTC)
	(envelope-from mexas@bristol.ac.uk)
Received: from dirg.bris.ac.uk (dirg.bris.ac.uk [137.222.10.102])
	by mx1.freebsd.org (Postfix) with ESMTP id 6FA8D8FC1C
	for <freebsd-questions@freebsd.org>;
	Mon, 11 Jan 2010 15:59:55 +0000 (UTC)
Received: from seis.bris.ac.uk ([137.222.10.93])
	by dirg.bris.ac.uk with esmtp (Exim 4.69)
	(envelope-from <mexas@bristol.ac.uk>)
	id 1NUMgJ-0006kx-CH; Mon, 11 Jan 2010 15:59:54 +0000
Received: from mech-cluster241.men.bris.ac.uk ([137.222.187.241])
	by seis.bris.ac.uk with esmtp (Exim 4.67)
	(envelope-from <mexas@bristol.ac.uk>)
	id 1NUMgI-0000aB-9J; Mon, 11 Jan 2010 15:59:50 +0000
Received: from mech-cluster241.men.bris.ac.uk (localhost [127.0.0.1])
	by mech-cluster241.men.bris.ac.uk (8.14.3/8.14.3) with ESMTP id
	o0BFxoQZ061873; Mon, 11 Jan 2010 15:59:50 GMT
	(envelope-from mexas@bristol.ac.uk)
Received: (from mexas@localhost)
	by mech-cluster241.men.bris.ac.uk (8.14.3/8.14.3/Submit) id
	o0BFxnHn061872; Mon, 11 Jan 2010 15:59:49 GMT
	(envelope-from mexas@bristol.ac.uk)
X-Authentication-Warning: mech-cluster241.men.bris.ac.uk: mexas set sender to
	mexas@bristol.ac.uk using -f
Date: Mon, 11 Jan 2010 15:59:49 +0000
From: Anton Shterenlikht <mexas@bristol.ac.uk>
To: Matthew Seaman <m.seaman@infracaninophile.co.uk>
Message-ID: <20100111155949.GA61863@mech-cluster241.men.bris.ac.uk>
References: <20100111140105.GI61025@mech-cluster241.men.bris.ac.uk>
	<4B4B42D0.9070101@infracaninophile.co.uk>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <4B4B42D0.9070101@infracaninophile.co.uk>
User-Agent: Mutt/1.5.20 (2009-06-14)
X-Spam-Score: -1.5
X-Spam-Level: -
Cc: Anton Shterenlikht <mexas@bristol.ac.uk>, freebsd-questions@freebsd.org
Subject: Re: denying spam hosts ssh access - good idea?
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Jan 2010 15:59:55 -0000

On Mon, Jan 11, 2010 at 03:25:04PM +0000, Matthew Seaman wrote:
> Anton Shterenlikht wrote:
> > I'm thinking of denying ssh access to host from which
> > I get brute force ssh attacks.
> > 
> > HOwever, I see in /etc/hosts.allow:
> > 
> > # Wrapping sshd(8) is not normally a good idea, but if you
> > # need to do it, here's how
> > #sshd : .evil.cracker.example.com : deny
> > 
> > Why is it not a good idea?
> 
> Probably because ssh is likely to be the only method of login access
> you have to a remote server, and hosts.allow could conceivably be spoofed
> into blocking your legitimate access?   In any case, hosts.allow is a poor relation to using a real firewall -- it has no access to the lower level bits
> of the networking code, so has to allow a full tcp connection setup before it
> can block anything.  Some daemons allow quite a lot of interaction with the
> remote site when using hosts.allow functionality -- eg. sendmail will
> apparently go through all of the stages of accepting an incoming e-mail from
> a denied host, right up to the 'MAIL FROM...' section of the SMTP transaction
> where it will respond with a 500 permanent failure error code.  [admittedly 
> this does have the benefit that the other side will then immediately give up 
> trying to send the message if it's playing by the RFC rules. (Most spam-bots 
> don't, of course.)  Otherwise, you'ld get the remote side retrying the message 
> several times an hour over the next 5 days before it timed out and gave up.
> 
> > Also, apparently in older ssh there was DenyHosts option,
> > but no longer in the current version.
> > Is there a replacement for DenyHOsts?
> > Or is there a good reason for such option not to be used?
> 
> I believe you can do something like this:
> 
> match address 192.168.23.0/24,172.16.0.0/16
> 	ForceCommand /usr/sbin/nologin
> 
> but this is not foolproof, as it is run via the users' login shell
> and a sufficiently cunning person can arrange for all sorts of interesting
> things to happen from their shell initialization files...

Matthew, this makes sense

many thanks
anton

-- 
Anton Shterenlikht
Room 2.6, Queen's Building
Mech Eng Dept
Bristol University
University Walk, Bristol BS8 1TR, UK
Tel: +44 (0)117 331 5944
Fax: +44 (0)117 929 4423