Date: Mon, 23 May 2005 09:54:12 -0500 (CDT) From: Tony Shadwick <tshadwick@goinet.com> To: Francisco Reyes <lists@natserv.com> Cc: John DeStefano <john.destefano@gmail.com>, Jerry Bell <jbell@stelesys.com>, freebsd-questions@freebsd.org Subject: Re: securing SSH, FBSD systems Message-ID: <20050523095117.D47072@mail.goinet.com> In-Reply-To: <20050522202535.K29197@zoraida.natserv.net> References: <f2160e0d05052205454e6071d5@mail.gmail.com> <1368.24.99.220.144.1116792799.squirrel@24.99.220.144> <4290EEB4.9070502@makeworld.com> <20050522202535.K29197@zoraida.natserv.net>
next in thread | previous in thread | raw e-mail | index | archive | help
Is there an effective way to manage that list? I mean, it seems to me that you'd be adding mass routes to /etc/rc.conf. How are you going about this. Otherwise, it sounds like very good advice. Of course, I tend to manage a hardware firewall in front of any of my machines, so the blackholing should really occur there. I wonder if that technique works under Linux as well? I have the WRT54G running DD-WRT in front of several so-ho boxes. That would be a very efficient method as opposed to ipchains. Not to mention easier to manage reading my firewall rules. ;) On Sun, 22 May 2005, Francisco Reyes wrote: > On Sun, 22 May 2005, Chris wrote: > >> 5. (and my favorite) If running IPFW, use something like this if you >> don't need ssh open to the whole of the internet. narrow it down to a >> range of IP's you need. > > 6. Don't use passwords at all, but use keys. Not always possible though, but > possibly one of the better methods. > > I personally use a combo > 1- Use an AllowUsers clause > 2- Every time I see script kiddies I black hole their IPs. > > I black hole them not only because of ssh, but because, just as they tried to > attack ssh the same IPs may try other attacks. I try and stay up to date in > patches, but it can not hurt to block known compromised/hacker machines. The > IPs can be listed either in the firewall or using > route add -host <hacker ip> 127.0.0.1 -blackhole > > I was told that this method of blackholing was more efficient when using a > long list of IPs becaues IPFW looks at a linear list while the route list was > some sort of tree which is more efficient to search. > > Over time.. my list of blackholed IPs is 300+ and growing. Every week I add > anywhere from 2 to 10 new IPs. :-( > > Besides ssh I also look for machines trying to attack the web server.. ie a > machine looking for files in c:\winnt or any other window directory is a sure > sign of a compromised wmachine ith a virus/worm trying to infect more > machines. > _______________________________________________ > freebsd-questions@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-questions > To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org" >
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050523095117.D47072>