securing SSH, FBSD systems
Francisco Reyes
lists at natserv.com
Sun May 22 17:31:40 PDT 2005
On Sun, 22 May 2005, Chris wrote:
> 5. (and my favorite) If running IPFW, use something like this if you
> don't need ssh open to the whole of the internet. narrow it down to a
> range of IP's you need.
6. Don't use passwords at all, but use keys. Not always possible though,
but possibly one of the better methods.
I personally use a combo
1- Use an AllowUsers clause
2- Every time I see script kiddies I black hole their IPs.
I black hole them not only because of ssh, but because, just as they tried
to attack ssh the same IPs may try other attacks. I try and stay up to
date in patches, but it can not hurt to block known
compromised/hacker machines. The IPs can be listed either in the firewall
or using
route add -host <hacker ip> 127.0.0.1 -blackhole
I was told that this method of blackholing was more efficient when using a
long list of IPs becaues IPFW looks at a linear list while the route list
was some sort of tree which is more efficient to search.
Over time.. my list of blackholed IPs is 300+ and growing. Every week I
add anywhere from 2 to 10 new IPs. :-(
Besides ssh I also look for machines trying to attack the web server.. ie
a machine looking for files in c:\winnt or any other window directory is a
sure sign of a compromised wmachine ith a virus/worm trying to infect more
machines.
More information about the freebsd-questions
mailing list