Re: Automatic blocking

On Wed, 16 Aug 2006 04:25:38 -0600, Ashley M. Kirchner wrote:

> 
>     I looked around on the web and found a few different programs to do 
> this, so I thought I'd ask here for advice: what are people using to 
> automatically block incoming attacks via ssh and ftp?  I'm referring to 
> those script kiddies who simply hit your system over and over and over 
> again in a very short period of time, probing both the ssh as well as 
> the ftp daemons trying to log in.
> 
>     And related to the question, what's the best practice here, adding 
> them to /etc/hosts.deny or dropping the traffic with iptables?


The answer to your question is portsentry. It runs in the background,
monitoring a list of ports for incoming connections. If an attacker
hits a port so many times in a short amount of time, portsentry
bans the offending machine, by introducing the appropriate rule
in iptables. Of course, the list of ports, and the threshold for
the number of hits are configurable. 

That said, cool as it may sound, portsentry has a major drawback
which made me and many others prefer a non-dynamic approach to
security. Portsentry can be used to produce a denial of service
attack. Suppose you connect regularly from your work.com machine
to your home.net machine, and malicious.com knows that. Then 
malicious.com can send packets to home.net pretending to originate
from work.com. Then for all it knows, portsentry running on your
home.net will cut off access to work.com. Sounds complicated, but
it's trivial to do that, with things like nc or nmap. 

There is also a good chance that you will lock yourself out
remotely, by accident, after a few failed login attempts from
remote.com to your home.net. I did it, and had to drive home,
curse at the world, etc. Removed portsentry and used a sound
security policy instead.

If you are the only user to connect remotely via sshd, then
the easiest way to foil sshd brute force attacks is to run 
sshd on a non-default port (e.g. the birthday of your pet).
Specify that in /etc/ssh/sshd_config.



-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
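The threshold-and-ban mechanism described in the reply above, together with the two failure modes it warns about, as an added worked example (this is not portsentry's code, nor anything posted to the list). It counts hits per claimed source address on a set of watched ports and, at a threshold within a sliding window, emits the iptables rule that would ban the host. Two safeguards go beyond what the reply describes and are this example's own additions: an allowlist of addresses that are never banned (so packets spoofed to look like work.com cannot lock work.com out) and a ban expiry (so an accidental self-lockout from an unlisted host clears itself). The addresses, ports, thresholds and connection events are constructed; the iptables commands are collected as strings, not executed.

```python
"""Portsentry-style threshold banning with an allowlist and ban expiry.

All inputs below are constructed for the example: the addresses are from the
documentation ranges (RFC 5737), and the events stand in for what a port
monitor would see.  No rule is applied to the live firewall; the commands a
real deployment would run are only collected in Banlist.commands.
"""
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

WATCHED_PORTS = {21, 22}   # ftp and ssh, as in the question
THRESHOLD = 5              # hits within WINDOW_SECONDS that trigger a ban
WINDOW_SECONDS = 60
BAN_SECONDS = 600          # bans are temporary so a self-lockout clears itself

# Hypothetical address of "work.com" from the reply: the host you always
# connect from, which must never be banned even if someone spoofs it.
ALLOWLIST = ["203.0.113.10"]


class Banlist:
    def __init__(self, allow=ALLOWLIST, threshold=THRESHOLD,
                 window=WINDOW_SECONDS, ban_seconds=BAN_SECONDS):
        self.allow = [ip_network(a) for a in allow]
        self.threshold = threshold
        self.window = window
        self.ban_seconds = ban_seconds
        self.hits = defaultdict(deque)   # src -> timestamps of recent hits
        self.bans = {}                   # src -> expiry timestamp
        self.commands = []               # iptables commands that would be run

    def is_allowed(self, src):
        addr = ip_address(src)
        return any(addr in net for net in self.allow)

    def expire(self, ts):
        """Lift every ban whose expiry has passed by time ts."""
        for src, until in list(self.bans.items()):
            if ts >= until:
                del self.bans[src]
                self.commands.append(f"iptables -D INPUT -s {src} -j DROP")

    def observe(self, ts, src, port):
        """Record one hit. Returns True only if this hit created a new ban."""
        self.expire(ts)
        if port not in WATCHED_PORTS or self.is_allowed(src) or src in self.bans:
            return False
        q = self.hits[src]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop hits outside the window
            q.popleft()
        if len(q) >= self.threshold:
            self.bans[src] = ts + self.ban_seconds
            q.clear()
            self.commands.append(f"iptables -I INPUT -s {src} -j DROP")
            return True
        return False

    def banned(self, src):
        return src in self.bans


# Constructed event stream: (seconds, claimed source address, destination port).
EVENTS = [
    # script kiddie: six ssh hits in ten seconds
    *[(t, "198.51.100.7", 22) for t in range(0, 12, 2)],
    # ten ftp hits whose source is spoofed to look like work.com
    *[(20 + t, "203.0.113.10", 21) for t in range(10)],
    # your own five failed logins from an unlisted remote host
    *[(100 + t, "192.0.2.50", 22) for t in range(5)],
    # much later, a probe from the attacker on a port we do not watch
    (800, "198.51.100.7", 80),
]


def run_demo(events=EVENTS):
    """Feed the constructed events through a Banlist and return it."""
    bl = Banlist()
    for ts, src, port in events:
        if bl.observe(ts, src, port):
            print(f"t={ts}: banning {src} -> {bl.commands[-1]}")
    bl.expire(events[-1][0])
    return bl


if __name__ == "__main__":
    result = run_demo()
    print("still banned:", sorted(result.bans))
    print("commands:", *result.commands, sep="\n  ")
```

Running it bans 198.51.100.7 at t=8, never bans the spoofed work.com address, bans 192.0.2.50 after your own five failures, and lifts both bans by t=800 so no host stays locked out. The deeper point behind the allowlist is that a bare packet's source address proves nothing: anyone can send a SYN "from" work.com with nc or nmap, but completing a TCP handshake with a forged source is far harder, so a counter fed from completed connections or from the daemon's own authentication failures (as logged by sshd and the ftp daemon) is much less exposed to this denial of service than one that counts raw packets.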