securing SSH, FBSD systems
Francisco Reyes
lists at natserv.com
Fri Jun 3 18:02:16 GMT 2005
On Fri, 3 Jun 2005, fbsd_user wrote:
> I am running ipfilter firewall and I ran a test to see who gets access
> to the packet first (i.e. firewall or route command). Normally I have
> inbound FTP port 21 denied in my firewall. I changed that rule to
> allow and log so I could see all the packets flow through. I had a
> buddy run FTP to my server over the public internet.
>
> Pass-1. Log shows passive ftp access to my server from the public
> internet.
> Pass-2. First I issued the route blackhole command on the ip address of
> my friend's system. Then had friend run the same FTP access request to my
> server. This time the firewall log still shows the inbound packet on port 21
> passing in and out but my friend's FTP session says connection error.
> Pass-3. Did route delete for the ip address and had the test rerun and ftp
> worked as expected.
>
> Conclusion. The route blackhole command gets control after being
> allowed through the firewall. Since IPFW and PF access the packet the
> same way IPFilter does, this holds true for all of them.

The short answer is I don't know but it's possible it's the same.

> The use of the route blackhole command is a specific solution for
> circumstances where the standard public port number can not be changed
> to some other port number so it's not attacked. I now understand why it's
> a perfect workaround for your ssh attack problem.

Based on the feedback I got, the route command uses a non-linear type of
database whereas IPFW is just a linear list.

My list of IPs to blackhole is around 400 and growing. That's why in my
case I continue to use route/blackholing.

> PS. I have been using the abuse-reporting-scripts to report this
> kind of stuff to the ISP who owns the attacker's IP address. This has
> resulted in many ISPs terminating the attacker's account.
> You can download the abuse-reporting-scripts from
> http://www.unixguide.net/freebsd/fbsd_installguide/index.php

Thanks for the link. Didn't know about those; however, I often check the IP
of the attacker to see where in the world they are coming from, and a large
number of IPs are coming from China. Not sure how responsive the ISPs
there will be.
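Since the thread ends with a list of a few hundred addresses being blackholed by hand, here is an added example (not from either poster) of how such a list can be maintained as a file and applied with FreeBSD's route(8). Each entry becomes a host route to 127.0.0.1 carrying the -blackhole flag, which is what the "route blackhole" approach above relies on; a delete action removes the same routes. The list format (one IPv4 address per line, `#` comments allowed) and the DRY_RUN switch, which prints the commands instead of running them, are this example's own conventions and not anything the thread describes.

```shell
#!/bin/sh
# Added example: apply a blackhole list with FreeBSD route(8).
# DRY_RUN=1 (the default) prints each route command instead of executing it,
# so the list can be reviewed before it touches the routing table.

DRY_RUN="${DRY_RUN:-1}"

# is_ipv4 ADDR: accept only dotted-quad IPv4 so a malformed line never
# reaches route(8). Four numeric fields, each 0..255.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|"") return 1 ;;
    esac
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for oct in "$@"; do
        [ "$oct" -le 255 ] || return 1
    done
    return 0
}

# route_cmd ACTION ADDR: build the route(8) command line for one address.
# "add" installs a blackhole host route; "delete" removes it.
route_cmd() {
    case "$1" in
        add)    printf 'route -q add -host %s 127.0.0.1 -blackhole\n' "$2" ;;
        delete) printf 'route -q delete -host %s\n' "$2" ;;
        *)      return 1 ;;
    esac
}

# apply_list ACTION FILE: read the list, skip blank lines, comments and
# malformed entries, and add or delete a blackhole route for each address.
# In dry-run mode the commands are printed one per line.
apply_list() {
    action="$1"; file="$2"
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"                              # drop trailing comment
        line="$(printf '%s' "$line" | tr -d ' \t')"     # drop whitespace
        [ -z "$line" ] && continue
        if ! is_ipv4 "$line"; then
            printf 'skipping malformed entry: %s\n' "$line" >&2
            continue
        fi
        cmd="$(route_cmd "$action" "$line")"
        if [ "$DRY_RUN" = 1 ]; then
            printf '%s\n' "$cmd"
        else
            $cmd
        fi
    done < "$file"
    return 0
}

# Constructed sample list (documentation addresses, not real attackers)
# to show a dry run; the malformed line is reported and skipped.
sample="$(mktemp)"
cat > "$sample" <<'EOF'
203.0.113.5
198.51.100.77   # repeated ssh login failures
999.1.1.1       # malformed, will be skipped
EOF
apply_list add "$sample"
rm -f "$sample"
```

Running it with DRY_RUN=0 as root applies the routes; re-running with `apply_list delete` on the same file backs them out. Because route(8) keeps these as ordinary host routes, the list survives neither a reboot nor a routing flush, so the file is the record of what is blackholed and should be re-applied from rc.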