From owner-freebsd-security@FreeBSD.ORG Thu Aug 21 22:22:21 2008
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 6759A1065677; Thu, 21 Aug 2008 22:22:21 +0000 (UTC) (envelope-from mi+mill@aldan.algebra.com)
Received: from mail8.sea5.speakeasy.net (mail8.sea5.speakeasy.net [69.17.117.10]) by mx1.freebsd.org (Postfix) with ESMTP id 3E7558FC15; Thu, 21 Aug 2008 22:22:21 +0000 (UTC) (envelope-from mi+mill@aldan.algebra.com)
Received: (qmail 24564 invoked from network); 21 Aug 2008 22:22:20 -0000
Received: from aldan.algebra.com (HELO [127.0.0.1]) (mi@[216.254.65.224]) by mail8.sea5.speakeasy.net (qmail-ldap-1.03) with SMTP; 21 Aug 2008 22:22:20 -0000
Message-ID: <48ADEA96.70203@aldan.algebra.com>
Date: Thu, 21 Aug 2008 18:22:14 -0400
From: Mikhail Teterin
User-Agent: Thunderbird 2.0.0.16 (X11/20080707)
MIME-Version: 1.0
To: Ross Wheeler
References: <48ADA81E.7090106@aldan.algebra.com> <20080821200309.GA19634@eos.sc1.parodius.com> <48ADCFD5.8020902@aldan.algebra.com> <20080822074020.G32956@ali-syd-1.albury.net.au>
In-Reply-To: <20080822074020.G32956@ali-syd-1.albury.net.au>
Content-Type: text/plain; charset=KOI8-U; format=flowed
Content-Transfer-Encoding: 8bit
X-Mailman-Approved-At: Thu, 21 Aug 2008 22:58:32 +0000
Cc: freebsd-security@freebsd.org, Jeremy Chadwick, freebsd-stable@freebsd.org
Subject: Re: machine hangs on occasion - correlated with ssh break-in attempts
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues [members-only posting]"
X-List-Received-Date: Thu, 21 Aug 2008 22:22:21 -0000

Ross Wheeler wrote:
> I overcame these conflicting requirements with a 2-step process. The
> "authorised" user first browsed to a website which asked their
> username and password. When entered correctly, it opened a hole in the
> firewall to allow that IP to their network. A timer ran every 15
> minutes to close the hole (but was over-ridden by the web page which
> kept refreshing every 10 mins). The last part may not be necessary for
> you, but this may be a possible workaround for your traveling access.
> Leave a default of deny any except from trusted, fixed hosts, and add
> transient access as required.

This approach (or port-knocking of some sort) is good, but I'm not that
worried about the sshd itself -- and the /detected/ attacks against it.
It is the /undetected/ attacks against other services (such as apache),
that worry me, and locking-out a rogue IP-address /completely/ is what
I'd like to do.

So your method would not work for me -- reaching the web-page (to allow
myself a way back in) will be just as impossible as reaching the
ssh-port...

Thanks. Yours,

	-mi
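The two policies discussed in this exchange, as an added example that is not part of the thread or of any FreeBSD tool: Ross's transient allow entry that expires unless the authorised client keeps refreshing it, and the threshold-driven complete lock-out of a rogue address that Mikhail asks for. The code only models the two tables and renders the pf table commands as strings; it executes nothing, the table names `trusted_transient` and `rogue` are assumptions, and the sshd log lines are constructed.

```python
"""Model of a timed allow-list and a failure-count deny-list for a firewall.

Added example, not code from the thread.  The pf(4) table names below are
assumptions; the pfctl(8) commands are returned as strings and never run.
"""
import re
from collections import defaultdict

ALLOW_TABLE = "trusted_transient"   # assumed name of the pf table for authorised IPs
DENY_TABLE = "rogue"                # assumed name of the pf table for locked-out IPs


class TransientAllow:
    """Allow-list whose entries expire unless refreshed (Ross's 15-minute timer).

    Entries map an IP address to the timestamp at which the hole closes.
    Timestamps are plain numbers so the class can be exercised without a clock.
    """

    def __init__(self, ttl_seconds=15 * 60):
        self.ttl = ttl_seconds
        self.entries = {}

    def grant(self, ip, now):
        """Open the hole for `ip` (after a successful web login) and return the pf command."""
        self.entries[ip] = now + self.ttl
        return f"pfctl -t {ALLOW_TABLE} -T add {ip}"

    def refresh(self, ip, now):
        """Extend an existing hole (the page reloading every 10 minutes).

        Returns False for unknown addresses so a stale client cannot re-open
        a hole without authenticating again.
        """
        if ip not in self.entries:
            return False
        self.entries[ip] = now + self.ttl
        return True

    def reap(self, now):
        """Close every hole whose expiry has passed; return the pf delete commands."""
        expired = sorted(ip for ip, expiry in self.entries.items() if expiry <= now)
        for ip in expired:
            del self.entries[ip]
        return [f"pfctl -t {ALLOW_TABLE} -T delete {ip}" for ip in expired]


# Matches the "Failed password" lines FreeBSD's sshd writes to auth.log,
# with or without the "invalid user" qualifier.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\d+(?:\.\d+){3})"
)


def lockout_commands(log_lines, threshold=5):
    """Count failed sshd logins per source IP and return pf commands that add
    every address at or above `threshold` to the deny table (the complete
    lock-out Mikhail wants, as opposed to only protecting sshd)."""
    failures = defaultdict(int)
    for line in log_lines:
        match = FAILED_RE.search(line)
        if match:
            failures[match.group(1)] += 1
    rogue = sorted(ip for ip, count in failures.items() if count >= threshold)
    return [f"pfctl -t {DENY_TABLE} -T add {ip}" for ip in rogue]


# Constructed sample log lines (TEST-NET addresses, not real traffic).
SAMPLE_LOG = [
    "Aug 21 18:01:02 aldan sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 40211 ssh2",
    "Aug 21 18:01:05 aldan sshd[2203]: Failed password for invalid user test from 198.51.100.7 port 40218 ssh2",
    "Aug 21 18:01:09 aldan sshd[2207]: Failed password for root from 198.51.100.7 port 40230 ssh2",
    "Aug 21 18:03:44 aldan sshd[2250]: Failed password for mi from 203.0.113.9 port 51001 ssh2",
    "Aug 21 18:03:50 aldan sshd[2252]: Accepted publickey for mi from 203.0.113.9 port 51004 ssh2",
]

if __name__ == "__main__":
    allow = TransientAllow()
    print(allow.grant("192.0.2.5", now=0))
    print(allow.reap(now=900))            # hole closes once the TTL elapses
    for cmd in lockout_commands(SAMPLE_LOG, threshold=3):
        print(cmd)
```

A single mistyped password from a legitimate host (203.0.113.9 above) stays below the threshold, while the three rapid failures from 198.51.100.7 produce a deny entry; on a real system the deny table would need its own expiry, or a trusted-host exemption, so the administrator is not locked out by the same rule.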