Date: Thu, 9 Sep 2004 08:00:31 -0700
From: "Ted Mittelstaedt" <tedm@toybox.placo.com>
To: <m.hauber@mchsi.com>, <freebsd-questions@freebsd.org>
Subject: RE: Tar pitting automated attacks
Message-ID: <LOBBIFDAGNMAMLGJJCKNGEEHEPAA.tedm@toybox.placo.com>
In-Reply-To: <200409081235.20615.m.hauber@mchsi.com>
> -----Original Message-----
> From: owner-freebsd-questions@freebsd.org
> [mailto:owner-freebsd-questions@freebsd.org]On Behalf Of Mike Hauber
> Sent: Wednesday, September 08, 2004 9:35 AM
> To: freebsd-questions@freebsd.org
> Subject: Re: Tar pitting automated attacks
>
>
> I realize this is probably a dumb question (I quietly drop
> everything incoming unless it's keep-state, and I only
> allow ssh internally)...
>
> If you're needing to ssh to your machine from a limited
> range of IPs, then why not tell your PF to drop incoming
> unless it's within that range?

Yes, that is how it is usually done. But the OP's goal was to tie up the
attacker's resources so the attacker cannot go and bang on other people.

Blocking access to the ssh port to most of the Internet actually helps the
attacker, because the attacker will attempt to open a connection, and 5
minutes later when the connection open has still not completed, the attacker
will mark off that IP and continue on to attacking the next person.

So it comes down to what you want. If you want to clean your logs and not be
attacked, then use port filtering; otherwise, if you want to waste the
attacker's resources, make sure your ssh port is available, and use good
passwords so an attack won't succeed.

Tarpitting is equivalent to port filtering from the attacker's point of view;
they know how to detect a tar pit and will move on and not get stuck in it.

Ted
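The two choices the reply lays out, written as /etc/pf.conf fragments. This is an added example, not configuration from anyone in the thread: the interface name fxp0 is an assumption, the source addresses are RFC 5737 documentation ranges standing in for your real admin networks, and the two fragments are alternatives (load one or the other, not both, since the second "pass" rule would otherwise override the first). The max-src-conn-rate/overload syntax in the second fragment comes from pf releases newer than this 2004 thread (OpenBSD 3.7, and FreeBSD from 6.0 on).

```pf
# Added example (not from the thread). Interface and addresses are assumptions.
ext_if = "fxp0"

# Admin networks that are allowed to reach sshd (RFC 5737 documentation ranges).
table <ssh_admins> { 203.0.113.0/24, 198.51.100.7 }

########## Option 1: port filtering (clean logs, attacker moves on) ##########
# Silent drop is pf's default block policy; the scanner gets a connect timeout
# rather than a RST, which is the "5 minutes later" behaviour described above.
set block-policy drop
block in on $ext_if
pass in quick on $ext_if proto tcp from <ssh_admins> to ($ext_if) port ssh \
    flags S/SA keep state

########## Option 2: sshd reachable from anywhere, but rate limited ##########
# Keeps the port open so attackers spend time on it, while capping how fast a
# single source may open new connections. Sources exceeding 5 new connections
# per 60 s are added to <bruteforce>, their existing states are flushed, and
# they are blocked outright until the table entry is removed.
table <bruteforce> persist
block in quick on $ext_if from <bruteforce>
pass in on $ext_if proto tcp from any to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn-rate 5/60, overload <bruteforce> flush global)
```

Check the syntax before loading with `pfctl -nf /etc/pf.conf`, and inspect or clear the jail table with `pfctl -t bruteforce -T show` and `pfctl -t bruteforce -T flush`. Option 2 only limits how many guesses a single source gets; it still relies on the strong-password point made in the reply for the guesses that do go through.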
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?LOBBIFDAGNMAMLGJJCKNGEEHEPAA.tedm>