Quoting June Tate:

> der.hans wrote:
> |
> | Having a firewall is a good thing :). Make sure you're locking out
> | everything that doesn't need to be. Most people probably only need to
> | allow incoming TCP traffic on port 22. Drop everything else.
>
> Well, I do have a few other services running on this box that I'd like
> to keep open. In particular, I've kept http, ftp (control only), ssh,
> smtp, and imaps open, and I'm aggressively dropping and logging any
> other traffic on the outer interface.
>
> | If you're getting lots of traffic to SSH, which seems to be the case, then
> | maybe you can either lock it down to only a few IPs that you might come
> | from and/or set up a port knocking daemon.
> |
> | knockd - Small port-knock daemon
> | Homepage: http://www.zeroflux.org/knock/
>
> I've actually thought about this. Since the only people using ssh on the
> system are me and my brother, I was thinking about locking it down to
> internal IPs and his one external address.
>
> Port knocking would be a good idea, if and only if my one other user (my
> brother) were a little more computer knowledgeable and ran Linux instead
> of Windows. Neat idea, though.
>
> | A co-worker has been going through this on people who've been DoSsing her.
> | She claims to know who it is and have proof of it. The attacker's mom
> | apparently works at his ISP, so the ISP hasn't done anything despite
> | repeated attempts.
> |
> | If someone is attacking you from another country our gov't won't care
> | unless you're losing lots of money. Lots of money from their perspective,
> | not from ours.
>
> Oh, goodie.
> So then it's essentially left up to me to deal with this guy. So should
> I be blacklisting any IP that attempts to break in? For the most part my
> security _seems_ to be okay -- the guy has been attempting to break in
> for over a week now, and he still hasn't gotten in, so his attacks are
> really becoming nothing more than a really pathetic DoS.
>
> Any idea if there's a way to make ssh act like a tarpit? E.g.: if you fail
> to log in from the same IP more than three times, each successive time
> after that SSH takes exponentially longer to respond with the password
> prompt.

Look in your /etc/hosts.allow file. Mine:

    # hosts.allow   This file describes the names of the hosts which are
    #               allowed to use the local INET services, as decided
    #               by the '/usr/sbin/tcpd' server.
    #
    sshd: xx.xx.xx.xx : ALLOW
    sshd: xx.xx.xx.xx : ALLOW
    sshd: xx.xx.xx.xx : ALLOW
    #sshd: xxx.xxx.xxx.xxx : ALLOW

Everybody else is denied access via ssh thus, in /etc/hosts.deny:

    sshd: ALL : DENY

Hope that helps,
Richard

> | That is not the complete answer, but it is part of a balanced breakfast.
>
> Well, it's like what I've heard other netadmins say: security is a
> process, not a state of being. Thanks for the help -- you've given me a
> couple of ideas I'm going to try.
>
> --
> June Tate * http://www.theonelab.com * june@theonelab.com
>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss

R. Whitney
Transcend Development
"Producing the next phase of your internet presence"
http://xend.net
Premium Quality Web Hosting
http://hosting.xend.net
rw AT xend.net
Net Binder
http://netbinder.net
310-943-6498
602-288-5340
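An added example, not part of the thread or of Richard's or June's messages: a small POSIX shell routine that does the bookkeeping behind June's "should I be blacklisting any IP" question, counting failed sshd password attempts per source address in auth-log lines and turning sources at or above a threshold into tcpd entries of the form Richard's /etc/hosts.deny uses. The log lines, hostname, PIDs and addresses are constructed samples; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the thread). Counts "Failed password" events per
# source IP in syslog-style sshd lines and emits the sources over a threshold,
# optionally as tcpd hosts.deny lines. Sample log below is constructed.

SAMPLE_LOG='Dec  8 21:14:02 host sshd[4011]: Failed password for invalid user test from 203.0.113.45 port 51122 ssh2
Dec  8 21:14:05 host sshd[4013]: Failed password for invalid user guest from 203.0.113.45 port 51130 ssh2
Dec  8 21:14:09 host sshd[4015]: Failed password for root from 203.0.113.45 port 51141 ssh2
Dec  8 21:14:11 host sshd[4017]: Failed password for invalid user admin from 203.0.113.45 port 51150 ssh2
Dec  8 21:20:31 host sshd[4102]: Failed password for june from 192.0.2.10 port 40011 ssh2
Dec  8 21:20:40 host sshd[4104]: Accepted publickey for june from 192.0.2.10 port 40012 ssh2
Dec  8 21:30:00 host sshd[4200]: Failed password for invalid user oracle from 198.51.100.7 port 33001 ssh2
Dec  8 21:30:02 host sshd[4202]: Failed password for invalid user oracle from 198.51.100.7 port 33003 ssh2'

# failed_ssh_sources THRESHOLD < log
# Prints "count ip" for each source with at least THRESHOLD failed passwords,
# most failures first. Only "Failed password" lines count; a later accepted
# login (as for 192.0.2.10 above) does not erase earlier failures, so a
# legitimate user who mistypes once stays below any sane threshold.
failed_ssh_sources() {
    awk -v min="$1" '
        /sshd\[[0-9]+\]: Failed password for / {
            # the address is the field right after the word "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i+1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= min) printf "%d %s\n", fails[ip], ip }
    ' | sort -rn
}

# hosts_deny_lines THRESHOLD < log
# Same counts, rendered as tcpd rules in the "sshd: ADDRESS : DENY" form
# used in /etc/hosts.deny, ready to be reviewed before being appended.
hosts_deny_lines() {
    failed_ssh_sources "$1" | awk '{ printf "sshd: %s : DENY\n", $2 }'
}

# Stand-alone run: report sources with three or more failures.
printf '%s\n' "$SAMPLE_LOG" | failed_ssh_sources 3
printf '%s\n' "$SAMPLE_LOG" | hosts_deny_lines 3
```

On a real host the input would be /var/log/auth.log (or wherever syslog sends the authpriv facility) rather than the embedded sample.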