Date: Mon, 11 Jan 2010 14:53:46 +0000
From: Anton Shterenlikht
To: Tim Judd
Cc: Anton Shterenlikht, David Southwell, freebsd-questions@freebsd.org
Subject: Re: denying spam hosts ssh access - good idea?
Message-ID: <20100111145346.GK61025@mech-cluster241.men.bris.ac.uk>

On Mon, Jan 11, 2010 at 07:18:04AM -0700, Tim Judd wrote:
> On 1/11/10, David Southwell wrote:
> >> I'm thinking of denying ssh access to host from which
> >> I get brute force ssh attacks.
> >>
> >> However, I see in /etc/hosts.allow:
> >>
> >> # Wrapping sshd(8) is not normally a good idea, but if you
> >> # need to do it, here's how
> >> #sshd : .evil.cracker.example.com : deny
> >>
> >> Why is it not a good idea?
> >>
> >> Also, apparently in older ssh there was DenyHosts option,
> >> but no longer in the current version.
> >> Is there a replacement for DenyHosts?
> >> Or is there a good reason for such option not to be used?
> >>
> >> many thanks
> >> anton
> >>
> > I use denyhosts ( /usr/ports/security/denyhosts ) works well for me. I also
> > use blackhole and sshguard
> >
> > david
> >
> I've been meaning to check this out. My firewall ssh rules are very
> strict, in fact, if the remote IP is "unknown" meaning, I don't know
> where the heck it's coming from, it's blocked. It's easier to say it
> this way: I allow ssh connections from IPs I know, preferably static
> IPs.
>
> Given that there are more than one general blacklists out there that
> list unwanted behavior, and that we have ports that make use of these
> lists, I wonder if we can use a list (in this case, for spam)
> effective for blocking ssh connections. This means:
>   install spamd
>   setup pf (requirement for spamd, it is built by OpenBSD after all)
>   in the pf rules, block *ANYTHING* coming from the blacklisted IPs
>
>
> I don't know how effective it is, but since the spamd blacklist IPs
> are hosted on what seems to be only one server/server farm, I am also
> looking for any way I can provide a mirror (even if it's slightly
> outdated) of this data.

I'm very grateful for all advice, but I'm still unsure why
denying ssh access to a particular host via /etc/hosts.allow
is a bad idea.

many thanks
anton

--
Anton Shterenlikht
Room 2.6, Queen's Building
Mech Eng Dept
Bristol University
University Walk, Bristol BS8 1TR, UK
Tel: +44 (0)117 331 5944
Fax: +44 (0)117 929 4423
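
Added example, not part of the original message and not code from DenyHosts or sshguard: one way to turn repeated sshd password failures into deny entries in the /etc/hosts.allow format quoted in the thread, while never denying known networks and ignoring addresses forged inside a user name. The log lines, threshold and trusted network are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the style of sshd entries in /var/log/auth.log.
# The sixth line carries a forged user name that embeds "from <address>".
SAMPLE_LOG = """\
Jan 11 14:01:02 host sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 4242 ssh2
Jan 11 14:01:05 host sshd[1234]: Failed password for root from 203.0.113.7 port 4243 ssh2
Jan 11 14:01:09 host sshd[1235]: Failed password for root from 203.0.113.7 port 4244 ssh2
Jan 11 14:02:00 host sshd[1300]: Accepted publickey for anton from 198.51.100.20 port 50000 ssh2
Jan 11 14:03:10 host sshd[1310]: Failed password for anton from 198.51.100.20 port 50010 ssh2
Jan 11 14:04:00 host sshd[1320]: Failed password for invalid user x from 198.51.100.20 port 22 ssh2 from 192.0.2.55 port 5000 ssh2
Jan 11 14:04:01 host sshd[1321]: Failed password for invalid user y from 192.0.2.55 port 5001 ssh2
"""

# Anchored to the end of the line: the peer address is the last "from ..."
# field, so text an attacker puts in the user name cannot pick the host.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?.* "
    r"from (?P<ip>\S+) port \d+(?: ssh2)?$"
)

def count_failures(log_text):
    """Return a Counter of failed password attempts per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line.rstrip())
        if not m:
            continue
        try:
            counts[str(ipaddress.ip_address(m.group("ip")))] += 1
        except ValueError:
            continue  # not a literal address; never emit unvalidated text
    return counts

def deny_lines(log_text, threshold=2, trusted=()):
    """Build hosts.allow deny entries for addresses at or over threshold."""
    trusted_nets = [ipaddress.ip_network(t) for t in trusted]
    lines = []
    for ip, n in sorted(count_failures(log_text).items()):
        addr = ipaddress.ip_address(ip)
        if n < threshold or any(addr in net for net in trusted_nets):
            continue  # too few failures, or a network we must not lock out
        host = f"[{ip}]" if addr.version == 6 else ip  # hosts_access(5) IPv6 form
        lines.append(f"sshd : {host} : deny")
    return lines

print("\n".join(deny_lines(SAMPLE_LOG, trusted=["198.51.100.0/24"])))
```

In FreeBSD's stock /etc/hosts.allow the first matching rule wins, so generated lines only take effect when placed above the `ALL : ALL : allow` entry.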