Is there an effective way to manage that list? I mean, it seems to me
that you'd be adding mass routes to /etc/rc.conf. How are you going about
this.
Otherwise, it sounds like very good advice. Of course, I tend to manage a
hardware firewall in front of any of my machines, so the blackholing
should really occur there. I wonder if that technique works under Linux
as well? I have the WRT54G running DD-WRT in front of several so-ho
boxes. That would be a very efficient method as opposed to ipchains. Not
to mention easier to manage reading my firewall rules. ;)
On Sun, 22 May 2005, Francisco Reyes wrote:
On Sun, 22 May 2005, Chris wrote:
5. (and my favorite) If running IPFW, use something like this if you
don't need ssh open to the whole of the internet. narrow it down to a
range of IP's you need.
6. Don't use passwords at all, but use keys. Not always possible though, but
possibly one of the better methods.
I personally use a combo
1- Use an AllowUsers clause
2- Every time I see script kiddies I black hole their IPs.
I black hole them not only because of ssh, but because, just as they tried to
attack ssh the same IPs may try other attacks. I try and stay up to date in
patches, but it can not hurt to block known compromised/hacker machines. The
IPs can be listed either in the firewall or using
route add -host <hacker ip> 127.0.0.1 -blackhole
I was told that this method of blackholing was more efficient when using a
long list of IPs becaues IPFW looks at a linear list while the route list was
some sort of tree which is more efficient to search.
Over time.. my list of blackholed IPs is 300+ and growing. Every week I add
anywhere from 2 to 10 new IPs. :-(
Besides ssh I also look for machines trying to attack the web server.. ie a
machine looking for files in c:\winnt or any other window directory is a sure
sign of a compromised wmachine ith a virus/worm trying to infect more
machines.
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"