From owner-freebsd-questions@FreeBSD.ORG Mon May 23 14:54:16 2005 Return-Path: X-Original-To: freebsd-questions@freebsd.org Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 766EE16A41C for ; Mon, 23 May 2005 14:54:16 +0000 (GMT) (envelope-from tshadwick@goinet.com) Received: from mail.goinet.com (mail.goinet.com [208.207.72.15]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1415043D1F for ; Mon, 23 May 2005 14:54:15 +0000 (GMT) (envelope-from tshadwick@goinet.com) Received: from mail.goinet.com (localhost.goinet.com [127.0.0.1]) by mail.goinet.com (8.13.1/8.13.1) with ESMTP id j4NEsCWH077909; Mon, 23 May 2005 09:54:13 -0500 (CDT) (envelope-from tshadwick@goinet.com) Received: from localhost (tshadwick@localhost) by mail.goinet.com (8.13.1/8.13.1/Submit) with ESMTP id j4NEsCtp077906; Mon, 23 May 2005 09:54:12 -0500 (CDT) (envelope-from tshadwick@goinet.com) X-Authentication-Warning: mail.goinet.com: tshadwick owned process doing -bs Date: Mon, 23 May 2005 09:54:12 -0500 (CDT) From: Tony Shadwick To: Francisco Reyes In-Reply-To: <20050522202535.K29197@zoraida.natserv.net> Message-ID: <20050523095117.D47072@mail.goinet.com> References: <1368.24.99.220.144.1116792799.squirrel@24.99.220.144> <4290EEB4.9070502@makeworld.com> <20050522202535.K29197@zoraida.natserv.net> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed X-Virus-Scanned: ClamAV version 0.85.1, clamav-milter version 0.85 on mail.goinet.com X-Virus-Status: Clean Cc: John DeStefano , Jerry Bell , freebsd-questions@freebsd.org Subject: Re: securing SSH, FBSD systems X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 23 May 2005 14:54:16 -0000 Is there an effective way to manage that list? I mean, it seems to me that you'd be adding mass routes to /etc/rc.conf. How are you going about this. Otherwise, it sounds like very good advice. Of course, I tend to manage a hardware firewall in front of any of my machines, so the blackholing should really occur there. I wonder if that technique works under Linux as well? I have the WRT54G running DD-WRT in front of several so-ho boxes. That would be a very efficient method as opposed to ipchains. Not to mention easier to manage reading my firewall rules. ;) On Sun, 22 May 2005, Francisco Reyes wrote: > On Sun, 22 May 2005, Chris wrote: > >> 5. (and my favorite) If running IPFW, use something like this if you >> don't need ssh open to the whole of the internet. narrow it down to a >> range of IP's you need. > > 6. Don't use passwords at all, but use keys. Not always possible though, but > possibly one of the better methods. > > I personally use a combo > 1- Use an AllowUsers clause > 2- Every time I see script kiddies I black hole their IPs. > > I black hole them not only because of ssh, but because, just as they tried to > attack ssh the same IPs may try other attacks. I try and stay up to date in > patches, but it can not hurt to block known compromised/hacker machines. The > IPs can be listed either in the firewall or using > route add -host 127.0.0.1 -blackhole > > I was told that this method of blackholing was more efficient when using a > long list of IPs becaues IPFW looks at a linear list while the route list was > some sort of tree which is more efficient to search. > > Over time.. my list of blackholed IPs is 300+ and growing. Every week I add > anywhere from 2 to 10 new IPs. :-( > > Besides ssh I also look for machines trying to attack the web server.. ie a > machine looking for files in c:\winnt or any other window directory is a sure > sign of a compromised wmachine ith a virus/worm trying to infect more > machines. > _______________________________________________ > freebsd-questions@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-questions > To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org" >