denying spam hosts ssh access - good idea?
tajudd at gmail.com
Mon Jan 11 14:26:14 UTC 2010
On 1/11/10, David Southwell <david at vizion2000.net> wrote:
>> I'm thinking of denying ssh access to host from which
>> I get brute force ssh attacks.
>> HOwever, I see in /etc/hosts.allow:
>> # Wrapping sshd(8) is not normally a good idea, but if you
>> # need to do it, here's how
>> #sshd : .evil.cracker.example.com : deny
>> Why is it not a good idea?
>> Also, apparently in older ssh there was DenyHosts option,
>> but no longer in the current version.
>> Is there a replacement for DenyHOsts?
>> Or is there a good reason for such option not to be used?
>> many thanks
> I use denyhosts ( /usr/ports/security/denyhosts ) works well for me. I also
> use blackhole and sshguard
I've been meaning to check this out. My firewall ssh rules are very
strict, in fact, if the remote IP is "unknown" meaning, I don't know
where the heck it's coming from, it's blocked. It's easier to say it
this way: I allow ssh connections from IPs I know, preferably static
Given that there are more than one general blacklists out there that
list unwanted behavior, and that we have ports that make use of these
lists, I wonder if we can use a list (in this case, for spam)
effective for blocking ssh connections. This means:
setup pf (requirement for spamd, it is built by OpenBSD after all)
in the pf rules, block *ANYTHING* coming from the blacklisted IPs
I don't know how effective it is, but since the spamd blacklist IPs
are hosted on what seems to be only one server/server farm, I am also
looking for any way I can provide a mirror (even if it's slightly
outdated) of this data.
More information about the freebsd-questions