securing SSH, FBSD systems
Tony Shadwick
tshadwick at goinet.com
Mon May 23 07:54:16 PDT 2005
Is there an effective way to manage that list? I mean, it seems to me
that you'd be adding mass routes to /etc/rc.conf. How are you going about
this.
Otherwise, it sounds like very good advice. Of course, I tend to manage a
hardware firewall in front of any of my machines, so the blackholing
should really occur there. I wonder if that technique works under Linux
as well? I have the WRT54G running DD-WRT in front of several so-ho
boxes. That would be a very efficient method as opposed to ipchains. Not
to mention easier to manage reading my firewall rules. ;)
On Sun, 22 May 2005, Francisco Reyes wrote:
> On Sun, 22 May 2005, Chris wrote:
>
>> 5. (and my favorite) If running IPFW, use something like this if you
>> don't need ssh open to the whole of the internet. narrow it down to a
>> range of IP's you need.
>
> 6. Don't use passwords at all, but use keys. Not always possible though, but
> possibly one of the better methods.
>
> I personally use a combo
> 1- Use an AllowUsers clause
> 2- Every time I see script kiddies I black hole their IPs.
>
> I black hole them not only because of ssh, but because, just as they tried to
> attack ssh the same IPs may try other attacks. I try and stay up to date in
> patches, but it can not hurt to block known compromised/hacker machines. The
> IPs can be listed either in the firewall or using
> route add -host <hacker ip> 127.0.0.1 -blackhole
>
> I was told that this method of blackholing was more efficient when using a
> long list of IPs becaues IPFW looks at a linear list while the route list was
> some sort of tree which is more efficient to search.
>
> Over time.. my list of blackholed IPs is 300+ and growing. Every week I add
> anywhere from 2 to 10 new IPs. :-(
>
> Besides ssh I also look for machines trying to attack the web server.. ie a
> machine looking for files in c:\winnt or any other window directory is a sure
> sign of a compromised wmachine ith a virus/worm trying to infect more
> machines.
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
>
More information about the freebsd-questions
mailing list