der.hans wrote:
|
| Having a firewall is a good thing :). Make sure you're locking out
| everything that doesn't need to be. Most people probably only need to
| allow incoming TCP traffic on port 22. Drop everything else.

Well, I do have a few other services running on this box that I'd like to keep open. In particular, I've kept http, ftp (control only), ssh, smtp, and imaps open, and I'm aggressively dropping and logging any other traffic on the outer interface.

| If you're getting lots of traffic to SSH, which seems to be the case, then
| maybe you can either lock it down to only a few IPs that you might come
| from and/or setup a port knocking daemon.
|
| knockd - Small port-knock daemon
| Homepage: http://www.zeroflux.org/knock/

I've actually thought about this. Since the only people using ssh on the system are me and my brother, I was thinking about locking it down to internal IPs and his one external address. Port knocking would be a good idea, if and only if my one other user (my brother) were a little more computer knowledgeable and ran Linux instead of Windows. Neat idea, though.

| A co-worker has been going through this on people who've been DoSsing her.
| She claims to know who it is and have proof of it. The attacker's mom
| apparently works at his ISP, so the ISP hasn't done anything despite
| repeated attempts.
|
| If someone is attacking you from another country our gov't won't care
| unless you're losing lots of money. Lots of money from their perspective,
| not from ours.

Oh, goodie. So then it's essentially left up to me to deal with this guy. So should I be blacklisting any IP that attempts to break in? For the most part my security _seems_ to be okay -- the guy has been attempting to break in for over a week now, and he still hasn't gotten in, so his attacks are really becoming nothing more than a really pathetic DoS. Any idea if there's a way to make ssh act like a tarpit?
E.g.: if you fail to log in from the same IP more than three times, each successive time after that SSH takes exponentially longer to respond with the password prompt.

|> My server is running Debian Linux, for reference.
|
| Ah, another good move ;-).

I thought about running FreeBSD or NetBSD, but decided against it. Debian Linux is like my home -- why move when the one I've got is the one I grew up in? =o)

| You are getting security updates, right?

Yeah. I have cron-apt running every night in download mode to help with security updates as well. I'm also subscribed to debian-security-announce and ubuntu-security (I run Ubuntu on my desktop machines).

| That is not the complete answer, but it is part of a balanced breakfast.

Well, it's like what I've heard other netadmins say: security is a process, not a state of being.

Thanks for the help -- you've given me a couple of ideas I'm going to try.

--
June Tate * http://www.theonelab.com * june@theonelab.com
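The per-IP tarpit and blacklist the message asks about, as an added example that is not part of the original post or of any tool it mentions: it reads Debian-style sshd lines from auth.log, keeps a failure count per source address, charges nothing for the first three failures, then doubles a delay on every further failure (capped so a week-long attacker cannot push it to hours), clears the count on a successful login, and emits iptables DROP rules once an address crosses a blacklist threshold. The thresholds (3 free attempts, 2 s base, 600 s cap, blacklist at 10), the host name, PIDs and addresses in the sample log are all assumptions chosen for illustration; the log lines are constructed, and the iptables commands are returned as strings rather than executed.

```python
import re
from collections import defaultdict

# Real sshd message shapes as they appear in Debian's /var/log/auth.log.
# The optional "invalid user" prefix is what sshd logs for unknown accounts.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sample: one attacker (203.0.113.7) and one legitimate user
# (192.0.2.10) who mistypes a password once after a good key login.
SAMPLE_AUTH_LOG = """\
Dec  8 21:14:02 theone sshd[4401]: Failed password for root from 203.0.113.7 port 51234 ssh2
Dec  8 21:14:05 theone sshd[4403]: Failed password for root from 203.0.113.7 port 51240 ssh2
Dec  8 21:14:09 theone sshd[4405]: Failed password for invalid user admin from 203.0.113.7 port 51251 ssh2
Dec  8 21:14:12 theone sshd[4407]: Failed password for invalid user admin from 203.0.113.7 port 51260 ssh2
Dec  8 21:14:20 theone sshd[4409]: Accepted publickey for june from 192.0.2.10 port 49812 ssh2
Dec  8 21:14:25 theone sshd[4411]: Failed password for invalid user test from 203.0.113.7 port 51271 ssh2
Dec  8 21:14:30 theone sshd[4413]: Failed password for june from 192.0.2.10 port 49820 ssh2
"""


class Tarpit:
    """Per-source-IP failure counter with exponential delay and a blacklist.

    free_attempts: failures that cost nothing (the "three strikes")
    base_delay:    seconds for the first throttled attempt; doubles thereafter
    max_delay:     cap, so a persistent attacker cannot inflate the delay forever
    blacklist_at:  total failures after which the IP gets a firewall DROP rule
    All four values are assumed defaults, not taken from any real daemon.
    """

    def __init__(self, free_attempts=3, base_delay=2.0, max_delay=600.0, blacklist_at=10):
        self.free_attempts = free_attempts
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.blacklist_at = blacklist_at
        self.failures = defaultdict(int)
        self.blacklisted = set()

    def delay_for(self, ip):
        """Seconds to hold the password prompt on this IP's next connection."""
        over = self.failures[ip] - self.free_attempts
        if over <= 0:
            return 0.0
        return min(self.base_delay * 2 ** (over - 1), self.max_delay)

    def observe(self, line):
        """Feed one auth.log line; returns (event, ip, delay) or None if unrelated."""
        m = FAILED_RE.search(line)
        if m:
            ip = m.group("ip")
            self.failures[ip] += 1
            if self.failures[ip] >= self.blacklist_at:
                self.blacklisted.add(ip)
            return ("fail", ip, self.delay_for(ip))
        m = ACCEPTED_RE.search(line)
        if m:
            ip = m.group("ip")
            self.failures.pop(ip, None)  # a real login clears the slate
            return ("ok", ip, 0.0)
        return None

    def iptables_rules(self):
        """DROP rules for blacklisted IPs, returned as shell text (not executed)."""
        return [f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP"
                for ip in sorted(self.blacklisted)]


def replay(log_text, tarpit=None):
    """Run every line of a log through the tarpit; returns (tarpit, events)."""
    tarpit = tarpit or Tarpit()
    events = []
    for line in log_text.splitlines():
        ev = tarpit.observe(line)
        if ev:
            events.append(ev)
    return tarpit, events


if __name__ == "__main__":
    tp, events = replay(SAMPLE_AUTH_LOG)
    for kind, ip, delay in events:
        print(f"{kind:4} {ip:15} next-prompt delay {delay:6.1f}s")
    for rule in tp.iptables_rules():
        print(rule)
```

A real deployment would run this against a tail of auth.log and apply the delay in a PAM module or front-end rather than inside sshd, and would expire the counts after some window so a shared or dynamic address is not punished forever; both are left out here to keep the schedule itself visible.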