On 08 Dec 2004, June Tate said:
> Well, I do have a few other services running on this box that I'd like
> to keep open. In particular, I've kept http, ftp (control only), ssh,
> smtp, and imaps open, and I'm aggressively dropping and logging any
> other traffic on the outer interface.
OK. Most people aren't running services from home, or so I have the
impression based on ISP rules. I also run those, except s/imaps/dns/ :).
> I've actually thought about this. Since the only people using ssh on the
> system is me and my brother, I was thinking about locking it down to
> internal IPs and his one external address.
>
> Port knocking would be a good idea, if and only if my one other user (my
> brother) was a little more computer knowledgeable and ran Linux instead
> of Windows. Neat idea, though.
Well, if he always comes from the same place, then you could hardcode
allowing him in, and use port knocking for any other external addy. That
way if you find yourself at a cafe with a laptop, a Net connection and a
hankering to work on some code you have on the home box you can get in.
If he comes from multiple IPs, maybe his ISP changes his IP on a regular
basis, you might still be able to do it but it gets hairy if he isn't too
tech aware.
> <sarcasm>Oh, goodie.</sarcasm>
> So then it's essentially left up to me to deal with this guy. So should
> I be blacklisting any IP that attempts to break in? For the most part my
> security _seems_ to be okay -- the guy has been attempting to break in
> for over a week now, and he still hasn't gotten in, so his attacks are
> really becoming nothing more than a really pathetic DoS.
Unfortunately it's true. If someone steals your grandma's cheesecake they
aren't gonna send anyone out even though you might be in grave danger
because those expecting the cheesecake will be upset by its loss. If
someone steals something valuable enough to make an insurance claim cops
might show up for a report, but only because the insurance industry pushes
them to do so in order to help prevent fraud...
</sarcasm>
Unfortunately, that is the way things seem to be. The cops only have so
many resources. Criminals and pranksters have more resources. At some
point a threshold sets in and you have to cross it to get attention. No
different for electronic stuff, except the threshold is much higher.
Your ISP might care and might work with you.
speakeasy?
> Any idea if there's a way to make ssh act like a tarpit? Eg: if you fail
> to login from the same IP more than three times, each successive time
> after that SSH takes exponentially longer to respond with the password
> prompt.
There are. I don't see anything in tcp-wrappers, but look at it because I
might've missed something. 'man hosts.allow' to get started there.
Using firewall rules you can add stuff like that. Might not be too
difficult with iptables. I haven't done it, but I know you can write
reactive rules.
> I thought about running FreeBSD or NetBSD, but decided against it.
> Debian Linux is like my home -- why move when the one I've got is the
> one I grew up in? =o)
:)
> Well, it's like what I've heard other netadmins say: security is a
> process, not a state of being. Thanks for the help -- you've given me a
> couple of ideas I'm going to try.
Yes. It's a process we have to keep working on. The nice thing about Free
Software is that when one person creates a technique the rest of us can
often use it as well. The bad thing is that the bad guys also share info.
Not that I spend near enough time taking care of security...
Glad I was able to inspire some ideas :).
ciao,
der.hans
--
# https://www.LuftHans.com/ http://www.AZOTO.org/
# No idea what I should tell you,
# no idea and no (.)plan. -- die Toten Hosen
---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
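Here is what the "reactive" iptables approach mentioned in the reply can look like, as an added example that is not part of the original thread: one rule hardcodes the trusted external address, and the rest use the `recent` match to drop further new ssh connections from any other address once it has opened more than three within ten minutes. It counts connection attempts rather than failed logins (the firewall never sees sshd's authentication result), and the interface name, the address and the thresholds are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the original thread: iptables rules that
# (1) always allow one trusted external address to reach ssh, and
# (2) react to repeated new ssh connections from any other source by
#     logging and dropping further attempts while they keep coming.
# Assumptions: Linux with iptables and the xt_recent module. The outer
# interface, the trusted address and the thresholds are placeholders.
OUTER_IF="${OUTER_IF:-eth0}"
TRUSTED_SSH="${TRUSTED_SSH:-192.0.2.10}"   # constructed placeholder address
HITS="${HITS:-4}"                            # 4th new connection in the window is dropped
WINDOW="${WINDOW:-600}"                      # window in seconds
IPT="${IPT:-iptables}"

# Emit the rules as plain text so they can be reviewed before being applied.
# Order matters: the trusted host is accepted first; then, if the source
# already has HITS entries within WINDOW, the packet is logged and dropped
# (--update also refreshes its timestamp, so hammering extends the block);
# otherwise --set records this attempt and the connection is allowed through.
ssh_rules() {
  cat <<EOF
$IPT -N SSH_GUARD
$IPT -A INPUT -i $OUTER_IF -p tcp --dport 22 -m conntrack --ctstate NEW -j SSH_GUARD
$IPT -A SSH_GUARD -s $TRUSTED_SSH -j ACCEPT
$IPT -A SSH_GUARD -m recent --name sshguard --update --seconds $WINDOW --hitcount $HITS -j LOG --log-prefix "ssh-guard: "
$IPT -A SSH_GUARD -m recent --name sshguard --update --seconds $WINDOW --hitcount $HITS -j DROP
$IPT -A SSH_GUARD -m recent --name sshguard --set -j ACCEPT
EOF
}

# Print the rules by default; run as "apply" (as root) to load them.
if [ "${1:-}" = "apply" ]; then
  ssh_rules | sh
else
  ssh_rules
fi
```

Blocked sources can be inspected in `/proc/net/xt_recent/sshguard` while the rules are loaded.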