securing SSH, FBSD systems

Tony Shadwick tshadwick at goinet.com
Mon May 23 07:54:16 PDT 2005


Is there an effective way to manage that list?  I mean, it seems to me 
that you'd be adding mass routes to /etc/rc.conf.  How are you going about 
this.

Otherwise, it sounds like very good advice.  Of course, I tend to manage a 
hardware firewall in front of any of my machines, so the blackholing 
should really occur there.  I wonder if that technique works under Linux 
as well?  I have the WRT54G running DD-WRT in front of several so-ho 
boxes.  That would be a very efficient method as opposed to ipchains.  Not 
to mention easier to manage reading my firewall rules. ;)

On Sun, 22 May 2005, Francisco Reyes wrote:

> On Sun, 22 May 2005, Chris wrote:
>
>> 5. (and my favorite) If running IPFW, use something like this if you
>> don't need ssh open to the whole of the internet. narrow it down to a
>> range of IP's you need.
>
> 6. Don't use passwords at all, but use keys. Not always possible though, but 
> possibly one of the better methods.
>
> I personally use a combo
> 1- Use an AllowUsers clause
> 2- Every time I see script kiddies I black hole their IPs.
>
> I black hole them not only because of ssh, but because, just as they tried to 
> attack ssh the same IPs may try other attacks. I try and stay up to date in 
> patches, but it can not hurt to block known compromised/hacker machines. The 
> IPs can be listed either in the firewall or using
> route add -host <hacker ip> 127.0.0.1 -blackhole
>
> I was told that this method of blackholing was more efficient when using a 
> long list of IPs becaues IPFW looks at a linear list while the route list was 
> some sort of tree which is more efficient to search.
>
> Over time.. my list of blackholed IPs is 300+ and growing. Every week I add 
> anywhere from 2 to 10 new IPs. :-(
>
> Besides ssh I also look for machines trying to attack the web server.. ie a 
> machine looking for files in c:\winnt or any other window directory is a sure 
> sign of a compromised wmachine ith a virus/worm trying to infect more 
> machines.
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
>


More information about the freebsd-questions mailing list