denying spam hosts ssh access - good idea?

Matthew Seaman m.seaman at infracaninophile.co.uk
Mon Jan 11 15:04:23 UTC 2010


Tim Judd wrote:

> I've been meaning to check this out.  My firewall ssh rules are very
> strict, in fact, if the remote IP is "unknown" meaning, I don't know
> where the heck it's coming from, it's blocked.  It's easier to say it
> this way:  I allow ssh connections from IPs I know, preferably static
> IPs.
> 
> Given that there are more than one general blacklists out there that
> list unwanted behavior, and that we have ports that make use of these
> lists, I wonder if we can use a list (in this case, for spam)
> effective for blocking ssh connections.  This means:
>   install spamd
>   setup pf (requirement for spamd, it is built by OpenBSD after all)
>   in the pf rules, block *ANYTHING* coming from the blacklisted IPs
> 
> 
> I don't know how effective it is, but since the spamd blacklist IPs
> are hosted on what seems to be only one server/server farm, I am also
> looking for any way I can provide a mirror (even if it's slightly
> outdated) of this data.

Sure you can do this -- you don't even need to install spamd(8) to do
it. If all you're going to do is use the uatraps and nixspam lists to
block all traffic to your server, then you can just create a table in
pf, and load the list of addresses from those lists into it.  You may
need some very small shell scripts to strip out anything other than IP
numbers from the lists (if you use the original sources for the Nixspam
stuff from heise.de), and then print out the list of addresses into a 
file, one per line.

You can load that file into a PF table very easily:

    table <blacklisted> persist file "/var/db/blacklisted.txt"

and use it to block any traffic:

    block log in quick on $ext_if from <blacklisted> to any

Then whenever you update your blacklisted.txt file, just run:

    # pfctl -t blacklisted -T replace -f /var/db/blacklisted.txt

As you say, the places where you can download those lists are few and
far between, plus they're not particularly comprehensive.  There are
bigger and better spam blocklists out there, but those are generally
served as DNS rbls which aren't feasible for hooking into PF configs.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
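The "very small shell scripts" Matthew mentions, written out as an added example (not from the thread): it strips a raw blocklist down to one IPv4 address or CIDR block per line and then reloads the table with the pfctl command from the post. The table name, the file path and the sample input format are assumptions.

```shell
#!/bin/sh
# Added example, not the original poster's code. Assumes the <blacklisted>
# table and /var/db/blacklisted.txt from the post; the raw list format
# (comments, blank lines, trailing columns) is a constructed assumption.

# Print every valid IPv4 address or CIDR block found at the start of a line,
# dropping comments, blank lines, junk and out-of-range octets. Output is
# sorted and de-duplicated so the table file has one address per line.
extract_ips() {
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' "$1" \
      | awk '{ print $1 }' \
      | grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$' \
      | awk -F'[./]' '$1<=255 && $2<=255 && $3<=255 && $4<=255 && (NF==4 || $5<=32)' \
      | sort -u
}

# Rebuild the table file and swap the live pf table to it. Refuses to load
# an empty result, so a failed download cannot silently clear the blocks.
reload_blacklist() {
    raw=$1
    dest=${2:-/var/db/blacklisted.txt}
    tmp="$dest.tmp.$$"
    extract_ips "$raw" > "$tmp" || { rm -f "$tmp"; return 1; }
    if [ ! -s "$tmp" ]; then
        echo "refusing to load an empty blacklist; keeping the old table" >&2
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$dest"
    pfctl -t blacklisted -T replace -f "$dest"
}

# Constructed sample list (RFC 5737 documentation ranges) to show the filter.
sample=$(mktemp)
printf '%s\n' '# constructed raw list' '' '192.0.2.10 spam 2010-01-11' \
    '  198.51.100.0/24' '256.1.1.1' '192.0.2.10' 'not-an-ip' \
    '203.0.113.5 # trailing comment' > "$sample"
extract_ips "$sample"
rm -f "$sample"
```

Run `reload_blacklist /path/to/raw-list` as root after each download; only `extract_ips` runs in the demonstration above.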
