From owner-freebsd-questions@FreeBSD.ORG Mon Jan 11 14:26:14 2010
From: Tim Judd
To: David Southwell
Cc: Anton Shterenlikht, freebsd-questions@freebsd.org
Date: Mon, 11 Jan 2010 07:18:04 -0700
Subject: Re: denying spam hosts ssh access - good idea?
In-Reply-To: <201001111408.43361.david@vizion2000.net>
References: <20100111140105.GI61025@mech-cluster241.men.bris.ac.uk> <201001111408.43361.david@vizion2000.net>
On 1/11/10, David Southwell wrote:
>> I'm thinking of denying ssh access to host from which
>> I get brute force ssh attacks.
>>
>> However, I see in /etc/hosts.allow:
>>
>> # Wrapping sshd(8) is not normally a good idea, but if you
>> # need to do it, here's how
>> #sshd : .evil.cracker.example.com : deny
>>
>> Why is it not a good idea?
>>
>> Also, apparently in older ssh there was DenyHosts option,
>> but no longer in the current version.
>> Is there a replacement for DenyHosts?
>> Or is there a good reason for such option not to be used?
>>
>> many thanks
>> anton
>>
> I use denyhosts ( /usr/ports/security/denyhosts ) works well for me. I also
> use blackhole and sshguard
>
> david

I've been meaning to check this out.

My firewall ssh rules are very strict; in fact, if the remote IP is "unknown", meaning I don't know where the heck it's coming from, it's blocked. It's easier to say it this way: I allow ssh connections from IPs I know, preferably static IPs.

Given that there is more than one general blacklist out there that lists unwanted behavior, and that we have ports that make use of these lists, I wonder if we can use a list (in this case, for spam) effectively for blocking ssh connections.

This means:
install spamd
setup pf (requirement for spamd, it is built by OpenBSD after all)
in the pf rules, block *ANYTHING* coming from the blacklisted IPs

I don't know how effective it is, but since the spamd blacklist IPs are hosted on what seems to be only one server/server farm, I am also looking for any way I can provide a mirror (even if it's slightly outdated) of this data.

--Tim
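The pf side of the three-step procedure above, as an added example that is not from this thread or from the spamd/pf projects: a pf.conf fragment (pre-4.7 rdr syntax, as shipped with FreeBSD of that era) that reuses the <spamd> table spamd-setup(8) fills from the lists in spamd.conf(5) and drops everything from those addresses except the SMTP that spamd itself tarpits. The interface name em0 and the addresses in <admins> are placeholders I assumed, not anything the thread states.

```pf
# Hypothetical external interface; replace with the real one.
ext_if = "em0"

# spamd-setup(8) loads the configured blacklists into this table
# (check with: pfctl -t spamd -T show). Must exist before spamd-setup runs.
table <spamd> persist

# Constructed sample of trusted static addresses (documentation ranges,
# not real hosts). Anything here is let in before the blacklist is consulted.
table <admins> persist { 192.0.2.10, 198.51.100.0/24 }

# Translation rules come before filter rules. "rdr pass" hands SMTP from
# blacklisted hosts to spamd (default port 8025) and skips the filter rules,
# so spamd keeps working even though the block below says "from <spamd>".
rdr pass in on $ext_if proto tcp from <spamd> to any port smtp \
    -> 127.0.0.1 port 8025

# Filter rules: first "quick" match wins, so the trusted admins pass first.
# This prevents a lockout if a trusted address ever lands on a blacklist.
pass in quick on $ext_if proto tcp from <admins> to ($ext_if) port ssh

# Block *anything* else from blacklisted addresses; log it so hits can be
# reviewed before deciding whether the list is too aggressive.
block in log quick on $ext_if from <spamd> to any

# Default policy from the message: ssh only from known addresses, so drop
# the rest of the ssh attempts that no pass rule above matched.
block in on $ext_if proto tcp to ($ext_if) port ssh
```

The <spamd> table is only as good as its last spamd-setup run, so keep that in cron (or the spamd-setup entry the port installs) and watch the log line for the block rule to see which blacklist entries are actually hitting ssh.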