Re: Temporarily blocking ports
Thank you all for your help!
Jos Chrispijn
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: Temporarily blocking ports
Chris wrote:
>
> On Nov 29, 2008, at 1:11 PM, Jos Chrispijn wrote:
>
>> From your reply on my message of 29-11-2008 21:47:
>>> An even tighter practice is to turn off all password logins and
>>> use only keyed connections. This is easier than it might seem
>>> though I'll admit I think of ssh as something only a select
>>> number of users may use and thus you know them by name
>>> and what IPs they are permitted to connect on.
>> I have been thinking of that as well, but don't think I should use
>> that yet with the knowledge I have on this.
>> Do you refer to manual or automatic key connections?
>>
> It's extremely easy.
>
> Generate your key and spread it to all systems you want
> to connect to. Have other users generate their key and do the
> same. After everyone is set, turn off password access in
> /etc/ssh/sshd_config; that file contains the docs in comments
> on how to do this. You change three parameters. Then sshd
> will need to be restarted. Be sure logins by key work first.
>
> This implies how to set up your keys. This was lifted from
> a helpful page on the net and modified but is pretty basic.
> It creates the keys in the home directory of myuserid on system
> www.example.com, then moves the key to a second system
> called other.example.com such that myuserid can move
> between systems. The userid on the remote does not need
> to be the same string as on the local system though it's shown
> that way here.
>
> www$ cd # get to your home directory
> www$ ssh-keygen -t rsa
> Generating public/private rsa key pair.
> Enter file in which to save the key (/home/myuserid/.ssh/id_rsa):
> Enter passphrase (empty for no passphrase):
> Enter same passphrase again:
> Your identification has been saved in /home/myuserid/.ssh/id_rsa.
> Your public key has been saved in /home/myuserid/.ssh/id_rsa.pub.
> The key fingerprint is:
> [EMAIL PROTECTED]
> www$ ssh [EMAIL PROTECTED] mkdir -p .ssh
> Password:
> www$ cat .ssh/id_rsa.pub | ssh [EMAIL PROTECTED] 'cat >> .ssh/authorized_keys'
> Password:
>
> You are done setting up keys. Sample use of seamless login:
>
> www$ ssh other.example.com
> other$ host
> other.example.com
> other$ users
> myuserid ttyp0 Jul 14 05:28 (www.example.com)
> other$ exit
> www$
>
> I only use this on FreeBSD and OS-X. No idea on Putty and others.

Can be used on Putty too. There are some small helper programs you can download along with Putty:
- Puttygen: This will convert your key to a format that can be used by Putty.
- Pageant: This works like "ssh-agent". You simply supply the key, and it is automatically used in your Putty connections. It works flawlessly.
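The "turn off password access in /etc/ssh/sshd_config" step from the reply above, as an added example (my script, not code from the thread or from the FreeBSD project). The reply does not say which three parameters it means; the three used here are my choice of the ones that matter in OpenSSH: PubkeyAuthentication (keep on), PasswordAuthentication (off) and ChallengeResponseAuthentication (off, because with UsePAM the keyboard-interactive path would otherwise still accept a password). The config path and the rc script path are assumptions; the set_directive/harden_sshd_config/active_value names are mine.

```shell
#!/bin/sh
# Added example, not from the thread. Switches sshd to key-only logins
# by rewriting the three directives named in the lead-in. Assumed paths:
# /etc/ssh/sshd_config and the FreeBSD rc script /etc/rc.d/sshd.

# set_directive FILE KEY VALUE: leave exactly one active "KEY VALUE" line.
# The first matching line, whether active or a commented default such as
# "#PasswordAuthentication yes", is replaced; later duplicates are dropped;
# a missing key is appended. Keys compare case-insensitively, like sshd.
# Caveat: a KEY inside a "Match" block would be rewritten too.
set_directive() {
    cfg=$1 key=$2 value=$3
    awk -v k="$key" -v v="$value" '
        tolower($0) ~ ("^[ \t]*#?[ \t]*" tolower(k) "([ \t]|$)") {
            if (!done) { print k " " v; done = 1 }
            next
        }
        { print }
        END { if (!done) print k " " v }
    ' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# harden_sshd_config [FILE]: the three changes, idempotent.
harden_sshd_config() {
    cfg=${1:-/etc/ssh/sshd_config}
    set_directive "$cfg" PubkeyAuthentication yes
    set_directive "$cfg" PasswordAuthentication no
    set_directive "$cfg" ChallengeResponseAuthentication no
}

# active_value FILE KEY: first active (uncommented) value of KEY, for checks.
active_value() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        $1 !~ /^#/ && tolower($1) == k { print $2; exit }
    ' "$1"
}

# Roll-out in the order the reply insists on: keys working first, then
# lock down, with the current session kept open in case something breaks.
#   1. from another host: ssh -o PasswordAuthentication=no myuserid@www.example.com
#   2. sh this-script.sh apply
#   3. repeat step 1 before closing the old session
if [ "${1:-}" = apply ]; then
    cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
    harden_sshd_config /etc/ssh/sshd_config
    /usr/sbin/sshd -t && /etc/rc.d/sshd restart   # -t: syntax check before restarting
fi
```

The script rewrites commented defaults rather than appending, so a later reader of sshd_config sees one active line per directive instead of an override buried at the bottom; `sshd -t` runs before the restart so a typo cannot leave you with no sshd at all.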
Re: Temporarily blocking ports
On Sat 2008-11-29 20:39:47 UTC+0100, Jos Chrispijn ([EMAIL PROTECTED]) wrote:
> Can someone hint me how I can block ports for let's say 30 minutes if
> someone repeatedly tries to do a SSH login?
> I use ipfw as firewall...

security/sshguard-ipfw works well for me.
Re: Temporarily blocking ports
> On Nov 29, 2008, at 1:11 PM, Jos Chrispijn wrote:
>
>> From your reply on my message of 29-11-2008 21:47:
>>> An even tighter practice is to turn off all password logins and
>>> use only keyed connections. This is easier than it might seem
>>> though I'll admit I think of ssh as something only a select
>>> number of users may use and thus you know them by name
>>> and what IPs they are permitted to connect on.
>> I have been thinking of that as well, but don't think I should use
>> that yet with the knowledge I have on this.
>> Do you refer to manual or automatic key connections?
>
> It's extremely easy.
>
> Generate your key and spread it to all systems you want
> to connect to. Have other users generate their key and do the
> same. After everyone is set, turn off password access in
> /etc/ssh/sshd_config; that file contains the docs in comments
> on how to do this. You change three parameters. Then sshd
> will need to be restarted. Be sure logins by key work first.
>
> This implies how to set up your keys. This was lifted from
> a helpful page on the net and modified but is pretty basic.
> It creates the keys in the home directory of myuserid on system
> www.example.com, then moves the key to a second system
> called other.example.com such that myuserid can move
> between systems. The userid on the remote does not need
> to be the same string as on the local system though it's shown
> that way here.
>
> www$ cd # get to your home directory
> www$ ssh-keygen -t rsa
> Generating public/private rsa key pair.
> Enter file in which to save the key (/home/myuserid/.ssh/id_rsa):
> Enter passphrase (empty for no passphrase):
> Enter same passphrase again:
> Your identification has been saved in /home/myuserid/.ssh/id_rsa.
> Your public key has been saved in /home/myuserid/.ssh/id_rsa.pub.
> The key fingerprint is:
> [EMAIL PROTECTED]
> www$ ssh [EMAIL PROTECTED] mkdir -p .ssh
> Password:
> www$ cat .ssh/id_rsa.pub | ssh [EMAIL PROTECTED] 'cat >> .ssh/authorized_keys'
> Password:
>
> You are done setting up keys.
> Sample use of seamless login:
>
> www$ ssh other.example.com
> other$ host
> other.example.com
> other$ users
> myuserid ttyp0 Jul 14 05:28 (www.example.com)
> other$ exit
> www$
>
> I only use this on FreeBSD and OS-X. No idea on Putty and others.

thanks for sharing,
Jos Chrispijn
Re: Temporarily blocking ports
From your reply on my message of 29-11-2008 21:47:
> You could also take a look at sshguard.

Good suggestion, I will do that.

thanks for sharing,
Jos Chrispijn
Re: Temporarily blocking ports
From your reply on my message of 29-11-2008 21:47:
> An even tighter practice is to turn off all password logins and
> use only keyed connections. This is easier than it might seem
> though I'll admit I think of ssh as something only a select
> number of users may use and thus you know them by name
> and what IPs they are permitted to connect on.

I have been thinking of that as well, but don't think I should use that yet with the knowledge I have on this.
Do you refer to manual or automatic key connections?

thanks for sharing,
Jos Chrispijn
Re: Temporarily blocking ports
Jos Chrispijn <[EMAIL PROTECTED]> wrote:
> Can someone hint me how I can block ports for let's say 30 minutes if
> someone repeatedly tries to do a SSH login?
> I use ipfw as firewall...

security/sshguard-ipfw

--
Sahil Tandon <[EMAIL PROTECTED]>
Re: Temporarily blocking ports
On Sat, Nov 29, 2008 at 2:39 PM, Jos Chrispijn <[EMAIL PROTECTED]> wrote:
> Can someone hint me how I can block ports for let's say 30 minutes if
> someone repeatedly tries to do a SSH login?
> I use ipfw as firewall...
>

You could also take a look at sshguard.
http://cvsweb.freebsd.org/ports/security/sshguard-ipfw

--
Glen Barber
"If you have any trouble sounding condescending, find a Unix user to show you how it's done." --Scott Adams
Re: Temporarily blocking ports
On Nov 29, 2008, at 11:39 AM, Jos Chrispijn wrote:

Can someone hint me how I can block ports for let's say 30 minutes if someone repeatedly tries to do a SSH login?
I use ipfw as firewall...

If you mean the statement as entered while you are watching, something like:

ipfw add 0922 deny tcp from nn.nn.nn.nn to me dst-port 22

where 922 is some line prior to your normal allow statements for ssh and nn.nn.nn.nn is the address you'd prefer to block.

If you mean an automated way, put this in a perl program, sleep for 30 minutes and then do an ipfw delete 0922. Your program will need to run as root of course.

Doing things like this tends to be risky if you aren't careful. If you don't have anti-spoofing and perhaps even some careful whitelisting rules, depending on how you identify an attack, schemes such as this can be turned against you once you automate it.

I think a better way is to allow only ip addresses you want to connect on ssh to start a session with setup keep-state and then include a specific deny for all ssh connections following that statement. If you have connections coming in from certain nets but dynamically assigned addresses, only allow those ranges and block all others. That will dramatically reduce the audience of casual brute force attackers.

An even tighter practice is to turn off all password logins and use only keyed connections. This is easier than it might seem though I'll admit I think of ssh as something only a select number of users may use and thus you know them by name and what IPs they are permitted to connect on.

regards,
Jos Chrispijn
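The automated variant sketched above (deny the address, sleep 30 minutes, delete the deny), as an added example that is my script, not code from the thread or from the sshguard project. It differs from the sketch in one respect: a single fixed rule 922 consults an ipfw lookup table, and offenders are added to and removed from that table, so several addresses can be blocked and released independently and "ipfw delete 922" can never take out more than intended. The whitelist reflects the "careful whitelisting" caveat in the reply. Assumptions: sshd logs in the standard OpenSSH syslog format, rule 922 is numbered below your normal "allow ... dst-port 22" rules, table 1 is otherwise unused, the script runs as root, and the WHITELIST default, the sample log lines and the script path in the cron line are made up.

```shell
#!/bin/sh
# Added example, not from the thread: block repeated SSH login failures
# for 30 minutes with an ipfw lookup table. See the lead-in for assumptions.

IPFW=${IPFW:-ipfw}              # set IPFW="echo ipfw" for a dry run
RULE=${RULE:-922}               # must be numbered below the ssh allow rule
TABLE=${TABLE:-1}
THRESHOLD=${THRESHOLD:-5}       # failures per address before blocking
BLOCK_SECS=${BLOCK_SECS:-1800}  # 30 minutes
WHITELIST=${WHITELIST:-198.51.100.7}  # your own addresses, never blocked (made up)

# offenders: sshd log lines on stdin -> addresses with at least THRESHOLD
# "Failed password" or "Invalid user" events, one per line, sorted.
offenders() {
    awk -v t="$THRESHOLD" '
        /sshd\[[0-9]+\]: (Failed password|Invalid user) / {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= t) print ip }
    ' | sort
}

# is_whitelisted ADDR: true if ADDR is in the space-separated WHITELIST.
is_whitelisted() {
    for w in $WHITELIST; do [ "$1" = "$w" ] && return 0; done
    return 1
}

# ensure_rule: install the one deny rule once. ipfw happily adds a second
# rule with the same number, so look before adding.
ensure_rule() {
    $IPFW list "$RULE" >/dev/null 2>&1 ||
        $IPFW -q add "$RULE" deny tcp from "table($TABLE)" to me dst-port 22
}

# block_ip ADDR: put ADDR in the table now and take it out after BLOCK_SECS.
# Skips addresses already in the table. The delayed delete is detached with
# its output closed so a cron run does not sit waiting for it.
block_ip() {
    $IPFW table "$TABLE" list 2>/dev/null | grep -q "^$1/32 " && return 0
    $IPFW table "$TABLE" add "$1"
    ( sleep "$BLOCK_SECS"; $IPFW table "$TABLE" delete "$1" ) >/dev/null 2>&1 &
}

# block_offenders: log lines on stdin -> blocks every offender that is not
# whitelisted and prints the addresses it blocked.
block_offenders() {
    for ip in $(offenders); do
        is_whitelisted "$ip" && continue
        block_ip "$ip" >/dev/null
        echo "$ip"
    done
}

# Constructed sample in real OpenSSH syslog format (not from the thread):
# 203.0.113.5 and 192.0.2.9 each fail five times, 198.51.100.7 once.
sample_log() {
    cat <<'EOF'
Nov 29 21:47:01 www sshd[1234]: Failed password for root from 203.0.113.5 port 40001 ssh2
Nov 29 21:47:03 www sshd[1234]: Failed password for root from 203.0.113.5 port 40001 ssh2
Nov 29 21:47:05 www sshd[1235]: Invalid user oracle from 203.0.113.5
Nov 29 21:47:06 www sshd[1235]: Failed password for invalid user oracle from 203.0.113.5 port 40002 ssh2
Nov 29 21:47:09 www sshd[1236]: Failed password for invalid user admin from 203.0.113.5 port 40003 ssh2
Nov 29 21:47:10 www sshd[1237]: Invalid user test from 192.0.2.9
Nov 29 21:47:11 www sshd[1237]: Failed password for invalid user test from 192.0.2.9 port 3022 ssh2
Nov 29 21:47:12 www sshd[1238]: Invalid user guest from 192.0.2.9
Nov 29 21:47:13 www sshd[1238]: Failed password for invalid user guest from 192.0.2.9 port 3023 ssh2
Nov 29 21:47:14 www sshd[1239]: Failed password for root from 192.0.2.9 port 3024 ssh2
Nov 29 21:48:00 www sshd[1240]: Failed password for jos from 198.51.100.7 port 50000 ssh2
Nov 29 21:48:30 www sshd[1241]: Accepted publickey for jos from 198.51.100.7 port 50001 ssh2
EOF
}

# Cron usage, as root, once a minute (path is an assumption):
#   * * * * * tail -n 500 /var/log/auth.log | /usr/local/sbin/ssh-blocker.sh run
if [ "${1:-}" = run ]; then
    ensure_rule
    block_offenders
fi
```

Two things to keep in mind: the rule and the table live in the kernel only, so put the ensure_rule line in your ipfw startup script as well, and the detached sleeps die with a reboot (harmless, since the table is empty again by then). Re-detection of an address that is already blocked is skipped by the table check, but the counter is only as good as the tail window you feed it; sshguard-ipfw, mentioned elsewhere in this thread, keeps real per-address state and is the better choice for a production box.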
Re: Temporarily blocking ports
Jos Chrispijn wrote:
> Can someone hint me how I can block ports for let's say 30 minutes if
> someone repeatedly tries to do a SSH login?
> I use ipfw as firewall...

I think I saw an ssh-ipfw section in the jail.conf file of the fail2ban application (http://www.fail2ban.org). I believe fail2ban might be the one you are looking for. But I'm sorry, I'm using fail2ban on Linux (which uses netfilter's iptables firewall, not IPFW). I'm not sure it will work on FreeBSD and I don't have a FreeBSD server lying around outside my VMware environment here, so I wish you good luck trying.

--
Regards,
Anthony M. Rasat
Manager - Technical, Network and Support Division
PT. Jawa Pos National Network
Graha Pena Jawa Pos Group Building, 5th floor
Jln. Raya Kebayoran Lama 12, Jakarta Barat 12210 Indonesia
Phone 02132185562
Phone 081574217035
Fax 02153651465
Web http://www.jpnn.com
Temporarily blocking ports
Can someone hint me how I can block ports for let's say 30 minutes if someone repeatedly tries to do a SSH login?
I use ipfw as firewall...

regards,
Jos Chrispijn