IP Banning (Using IPFW)

Daniel A. ldrada at gmail.com
Sun Feb 5 15:47:44 PST 2006


I know for a fact that if a hacker wants to root a box, the first and
least thing he does is to
nmap -p1-65535 -Avv host
And yeah, it does detect services on unusual ports. And regardless of
what you say, assigning nondefault ports is security through
obscurity.

On 2/5/06, fbsd_user <fbsd_user at a1poweruser.com> wrote:
> You missed the whole meaning.
> Attackers only scan for the published service port numbers,
> that is what is meant by "portscan the box".
> Those high order port numbers are dynamically
> used during normal session conversation.
> So any response from those port numbers if an
> attacker scanned that high would be meaningless.
> Please check your facts before commenting.
>
> -----Original Message-----
> From: owner-freebsd-questions at freebsd.org
> [mailto:owner-freebsd-questions at freebsd.org]On Behalf Of Daniel A.
> Sent: Sunday, February 05, 2006 4:58 PM
> To: fbsd_user at a1poweruser.com
> Cc: questions at freebsd.org; Michael A. Alestock
> Subject: Re: IP Banning (Using IPFW)
>
>
> On 2/5/06, fbsd_user <fbsd_user at a1poweruser.com> wrote:
> > I find this kind of approach is treating the symptom and not the
> > cause.
> > The basic problem is the services have well published port numbers
> > and attackers beat on those known port numbers. A much simpler
> > approach is to change the standard port numbers to some high order
> > port number. See /etc/services. The SSH logon command allows for a
> > port number and the same for telnet. Your remote users will be the
> > only people knowing your selected port numbers for those services.
> > This way an attacker's port scan will show the well published port
> > numbers as not open so they will pass on attacking those ports on
> > your ip address. This way your bandwidth usage will be reduced as
> > attackers find your ip address as having nothing of interest.
> >
> > This same kind of thing can also be done for port 80 by using the
> > web forwarding function of Zoneedit pointing to a different port for
> > your web server. Only people coming to your site through dns will
> > be forwarded to the correct port.
> >
> > The clear key here is attackers roll through a large range of ip
> > addresses port scanning for open ports. By using nonstandard port
> > numbers for your services you stop the attacker even finding you
> > in the first place.
> >
> > Good luck whatever you choose to do.
> You just argued against yourself. If an attacker is genuinely
> interested in rooting someone's box, that attacker will most likely
> portscan the box, and thereby discover that you have assigned
> alternative port numbers to your services.
> Security through obscurity is a bad place to start.
> >
> > -----Original Message-----
> > From: owner-freebsd-questions at freebsd.org
> > [mailto:owner-freebsd-questions at freebsd.org]On Behalf Of Michael A.
> > Alestock
> > Sent: Sunday, February 05, 2006 10:42 AM
> > To: questions at freebsd.org
> > Subject: IP Banning (Using IPFW)
> > Importance: High
> >
> >
> > Hello,
> >
> > I was wondering if there's some sort of port available that can
> > actively ban IPs that try and bruteforce a service such as SSH or
> > Telnet, by scanning the /var/log/auth.log log for Regex such as
> > "Illegal User" or "LOGIN FAILURES", and then using IPFW to
> > essentially deny (ban) that IP for a certain period of time or
> > possibly forever.
> >
> > I've seen a very useful one that works for linux (fail2ban), and
> > was wondering if one exists for FreeBSD's IPFW?
> >
> > I've looked around in /usr/ports/security and /usr/ports/net but
> > can't seem to find anything that closely resembles that.
> >
> > Your help would be greatly appreciated.... Thanks in advance!
> >
> > >> Michael A., USA... Loyal FreeBSD user since 2000.
> > _______________________________________________
> > freebsd-questions at freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> > To unsubscribe, send any mail to
> > "freebsd-questions-unsubscribe at freebsd.org"
> >
>
>

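The log-scanning ban logic Michael asks about (scan /var/log/auth.log for failed-login lines, count them per source address, and hand the repeat offenders to ipfw), as an added example that is not part of any message in this thread and not the code of fail2ban or any port. The sshd and login(1) message wordings, the sample log lines, the admin allowlist network and the use of ipfw table 1 (with a matching `deny ip from table(1) to any` rule assumed to exist) are all assumptions of this example; check them against your own auth.log and ruleset. The script only prints the ipfw commands so an operator can review them before running anything.

```python
import ipaddress
import re
from collections import Counter

# Patterns for the failure messages the thread mentions. The sshd wording is
# modeled on the OpenSSH messages of the time ("Illegal user ... from <ip>",
# "Failed password ... from <ip>") and the LOGIN FAILURES line on login(1)
# syslog output; treat the exact wording as an assumption and adjust it to
# what your own /var/log/auth.log contains.
FAILURE_PATTERNS = [
    re.compile(r"sshd\[\d+\]: Illegal user \S+ from (?P<ip>[\d.]+)"),
    re.compile(r"sshd\[\d+\]: Failed password for (?:illegal user |invalid user )?\S+ from (?P<ip>[\d.]+)"),
    re.compile(r"LOGIN FAILURES ON \S+ FROM (?P<ip>[\d.]+)"),
]

# Networks that must never be banned, so a typo from the admin LAN cannot
# lock you out of your own box (constructed example values).
ALLOWLIST = [ipaddress.ip_network("10.0.0.0/24"), ipaddress.ip_network("127.0.0.0/8")]

# Constructed sample of auth.log lines (not taken from a real system).
SAMPLE_AUTH_LOG = """\
Feb  5 15:40:01 bsdbox sshd[2210]: Illegal user admin from 203.0.113.7
Feb  5 15:40:01 bsdbox sshd[2210]: Failed password for illegal user admin from 203.0.113.7 port 40122 ssh2
Feb  5 15:40:04 bsdbox sshd[2212]: Illegal user test from 203.0.113.7
Feb  5 15:40:04 bsdbox sshd[2212]: Failed password for illegal user test from 203.0.113.7 port 40130 ssh2
Feb  5 15:41:10 bsdbox sshd[2215]: Failed password for root from 198.51.100.20 port 3301 ssh2
Feb  5 15:42:30 bsdbox login: 3 LOGIN FAILURES ON ttyp1 FROM 192.0.2.9
Feb  5 15:42:31 bsdbox login: 3 LOGIN FAILURES ON ttyp1 FROM 192.0.2.9
Feb  5 15:42:32 bsdbox login: 3 LOGIN FAILURES ON ttyp1 FROM 192.0.2.9
Feb  5 15:43:00 bsdbox sshd[2220]: Failed password for alice from 10.0.0.5 port 5000 ssh2
Feb  5 15:43:01 bsdbox sshd[2220]: Failed password for alice from 10.0.0.5 port 5000 ssh2
Feb  5 15:43:02 bsdbox sshd[2220]: Failed password for alice from 10.0.0.5 port 5000 ssh2
Feb  5 15:43:05 bsdbox sshd[2221]: Accepted publickey for alice from 10.0.0.5 port 5001 ssh2
Feb  5 15:43:06 bsdbox sshd[2222]: Failed password for bob from 999.1.1 port 1 ssh2
"""


def count_failures(lines):
    """Return a Counter mapping source IP -> number of failed-login lines."""
    counts = Counter()
    for line in lines:
        for pat in FAILURE_PATTERNS:
            m = pat.search(line)
            if not m:
                continue
            try:
                ip = ipaddress.ip_address(m.group("ip"))
            except ValueError:
                break  # malformed address in the log: do not count it
            counts[str(ip)] += 1
            break  # a line is counted at most once
    return counts


def select_offenders(counts, threshold):
    """IPs with at least `threshold` failures, minus allowlisted networks, sorted."""
    offenders = []
    for ip_str, n in counts.items():
        if n < threshold:
            continue
        ip = ipaddress.ip_address(ip_str)
        if any(ip in net for net in ALLOWLIST):
            continue
        offenders.append(ip_str)
    return sorted(offenders, key=lambda s: ipaddress.ip_address(s).packed)


def ipfw_ban_commands(ips, table=1):
    """Build the ipfw commands that add each offender to a lookup table.

    Assumes a rule such as `ipfw add 100 deny ip from table(1) to any`
    already exists, so adding an address to the table is what bans it.
    """
    return [f"ipfw table {table} add {ip}" for ip in ips]


def plan_bans(log_text, threshold=3):
    """Full pipeline: log text -> list of ipfw commands to review."""
    counts = count_failures(log_text.splitlines())
    return ipfw_ban_commands(select_offenders(counts, threshold))


if __name__ == "__main__":
    for cmd in plan_bans(SAMPLE_AUTH_LOG):
        print(cmd)
```

On the sample, 203.0.113.7 (four failures) and 192.0.2.9 (three) cross the threshold, 198.51.100.20 (one) does not, and 10.0.0.5 is skipped despite three failures because it sits in the allowlisted admin network. A real deployment would run this from the log tail rather than the whole file, and would need a companion job that removes table entries after the chosen ban period (`ipfw table 1 delete <ip>`), since ipfw tables themselves do not expire entries.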
