Date:      Wed, 5 Dec 2001 18:40:00 +0000
From:      Thomas Hurst <tom.hurst@clara.net>
To:        freebsd-stable@freebsd.org
Subject:   Re: naive security question
Message-ID:  <20011205184000.GA21710@sploo.aagh.net>
In-Reply-To: <20011205174654.93719.qmail@web21009.mail.yahoo.com>
References:  <20011205174654.93719.qmail@web21009.mail.yahoo.com>

* Matt Sykes (mattmsykes@yahoo.co.uk) wrote:

> So all unwanted packets are dropped except for SYN/22 packets.  This
> leaves me open to SYN flooding and username/password guessing.  After
> some google research, it appears FreeBSD is pretty good at combating
> the flooding problem.  As for username/password guessing, there's not
> much I can do about that other than picking a 'good' password and
> checking the logs.  Oh and there could be an exploit in OpenSSH.

If you want to remove the password guessing bit, disable it and use
RSA/DSA keys instead.  Also the general consensus would seem to be to
stick to SSH2 if you're really that worried.

If you're only going to be connecting from certain hosts or IP ranges,
block everything else from ssh too.  Maybe even run it on a non-standard
port in case another hole appears and kiddies go around scanning for it.

If you know you won't need it at certain times, maybe you could even
cron sshd to be shut down?

You might also consider the net.inet.tcp.blackhole=2 sysctl which simply
drops packets that aren't pointed at an open port.  That'll annoy anyone
who gets overly interested in your machine.

Also if you're worried about flooding, see what icmp types you can
block.

And, of course, man 7 security :)

-- 
Thomas 'Freaky' Hurst  -  freaky@aagh.net  -  http://www.aagh.net/
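
Added example, not part of the original message: a small audit that checks an sshd_config and a sysctl.conf for the settings suggested above (password logins off, SSH2 only, non-standard port, net.inet.tcp.blackhole=2). The sample inputs are constructed, the finding ids are hypothetical names, and the option defaults are assumptions for an OpenSSH of the message's era.

```python
# Constructed sample inputs (not taken from the original message).
SAMPLE_SSHD = """\
Port 22
Protocol 2,1
PasswordAuthentication yes
#PasswordAuthentication no
"""
SAMPLE_SYSCTL = "net.inet.tcp.blackhole=1  # constructed value\n"

def parse_sshd(text):
    """Global sshd_config options as {keyword: value}, keywords lowercased."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":          # conditional overrides start here; stop
            break
        if len(parts) == 2:
            # sshd keeps the first value (Port may repeat; only the first is checked)
            opts.setdefault(key, parts[1].strip())
    return opts

def parse_sysctl(text):
    """sysctl.conf style name=value lines as a dict (last assignment wins)."""
    out = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            name, value = line.split("=", 1)
            out[name.strip()] = value.strip()
    return out

def audit(sshd_text, sysctl_text):
    """Return (id, message) findings for each suggestion not yet applied."""
    o, s = parse_sshd(sshd_text), parse_sysctl(sysctl_text)
    findings = []
    # Defaults below are assumptions for an OpenSSH of the message's era.
    if o.get("passwordauthentication", "yes").lower() != "no":
        findings.append(("password-auth", "password logins enabled; use RSA/DSA keys"))
    if o.get("protocol", "2,1") != "2":
        findings.append(("ssh1", "SSH1 still accepted; set Protocol 2"))
    if o.get("port", "22") == "22":
        findings.append(("default-port", "sshd listens on the standard port"))
    if s.get("net.inet.tcp.blackhole") != "2":
        findings.append(("blackhole", "net.inet.tcp.blackhole is not 2"))
    return findings

if __name__ == "__main__":
    for fid, msg in audit(SAMPLE_SSHD, SAMPLE_SYSCTL):
        print(f"{fid}: {msg}")
```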
