From: Thomas Hurst <freaky@aagh.net>
To: freebsd-stable@freebsd.org
Subject: Re: naive security question
Date: Wed, 5 Dec 2001 18:40:00 +0000
Message-ID: <20011205184000.GA21710@sploo.aagh.net>
In-Reply-To: <20011205174654.93719.qmail@web21009.mail.yahoo.com>

* Matt Sykes (mattmsykes@yahoo.co.uk) wrote:
> So all unwanted packets are dropped except for SYN/22 packets. This
> leaves me open to SYN flooding and username/password guessing. After
> some google research, it appears FreeBSD is pretty good at combating
> the flooding problem. As for username/password guessing, there's not
> much I can do about that other than picking a 'good' password and
> checking the logs. Oh and there could be an exploit in OpenSSH.

If you want to remove the password guessing bit, disable it and use
RSA/DSA keys instead. Also the general consensus would seem to be to
stick to SSH2 if you're really that worried.

If you're only going to be connecting from certain hosts or IP ranges,
block everything else from ssh too. Maybe even run it on a non-standard
port in case another hole appears and kiddies go around scanning for it.

If you know you won't need it at certain times, maybe you could even
cron sshd to be shut down?

You might also consider the net.inet.tcp.blackhole=2 sysctl which simply
drops packets that aren't pointed at an open port. That'll annoy anyone
who gets overly interested in your machine.

Also if you're worried about flooding, see what icmp types you can block.

And, of course, man 7 security :)

-- 
Thomas 'Freaky' Hurst - freaky@aagh.net - http://www.aagh.net/
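The sshd_config side of the advice above (key-only logins, SSH2 only, a
non-standard port, host restrictions), as an added example that is not code
from the mail, from FreeBSD or from OpenSSH. It is a small POSIX sh audit
script that reads an sshd_config and reports which of those settings are
missing. The keyword names are real sshd_config(5) directives; the two sample
configurations it writes, the user name and the 192.0.2.0/24 range are
constructed for the demonstration.

```shell
#!/bin/sh
# Added example; not code from the mail, FreeBSD or OpenSSH.
# Audits an OpenSSH sshd_config for the settings recommended in the
# thread: no password/keyboard-interactive logins (nothing to guess),
# SSH protocol 2 only, no root logins, and a non-standard port.
# Keywords are real sshd_config(5) directives; sample files are constructed.

# Print the effective value of directive $2 in file $1.
# sshd honours the FIRST uncommented occurrence of a keyword, so a later
# "PasswordAuthentication no" does not undo an earlier "yes"; this mirrors
# that rule. Prints nothing if the keyword is absent (compiled-in default).
# Match blocks are not handled; this checks the global section only.
sshd_get() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Audit the file in $1. Prints one finding per line; returns 0 when the
# file matches the recommended settings, 1 otherwise.
audit_sshd_config() {
    cfg=$1
    findings=0

    # Password guessing needs password or keyboard-interactive auth;
    # both default to "yes", so both must be turned off explicitly.
    v=$(sshd_get "$cfg" PasswordAuthentication)
    [ "$v" = no ] || { echo "PasswordAuthentication=${v:-yes (default)}, want no"; findings=$((findings + 1)); }

    v=$(sshd_get "$cfg" ChallengeResponseAuthentication)
    [ "$v" = no ] || { echo "ChallengeResponseAuthentication=${v:-yes (default)}, want no"; findings=$((findings + 1)); }

    # Protocol 1 is the weak one. Modern sshd speaks only 2, so the
    # directive may be absent, but if present it must be exactly "2".
    v=$(sshd_get "$cfg" Protocol)
    [ -z "$v" ] || [ "$v" = 2 ] || { echo "Protocol=$v, want 2"; findings=$((findings + 1)); }

    v=$(sshd_get "$cfg" PermitRootLogin)
    [ "$v" = no ] || { echo "PermitRootLogin=${v:-default}, want no"; findings=$((findings + 1)); }

    # A non-standard port adds no real security, but keeps casual
    # port-22 scans from finding the service.
    v=$(sshd_get "$cfg" Port)
    { [ -n "$v" ] && [ "$v" != 22 ]; } || { echo "Port=${v:-22 (default)}, consider a non-standard port"; findings=$((findings + 1)); }

    [ "$findings" -eq 0 ]
}

# Write two constructed sample configs into a temp dir and print its path.
make_samples() {
    dir=$(mktemp -d)
    # Weak: the trailing "no" is ignored by sshd because the first occurrence wins.
    cat > "$dir/weak.conf" <<'EOF'
#Port 22
Protocol 2,1
PasswordAuthentication yes
PermitRootLogin yes
PasswordAuthentication no
EOF
    # Hardened: keys only, SSH2 only, and logins limited to one user from one range.
    cat > "$dir/hardened.conf" <<'EOF'
Port 2222
Protocol 2
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowUsers freaky@192.0.2.0/24
EOF
    echo "$dir"
}

# Stand-alone demo: audit both samples and clean up.
demo() {
    d=$(make_samples)
    for f in weak hardened; do
        echo "== $f.conf"
        audit_sshd_config "$d/$f.conf" && echo "OK"
    done
    rm -rf "$d"
}

demo
```

Run it against a real file with `audit_sshd_config /etc/ssh/sshd_config` after
sourcing the script. Two caveats the script encodes: sshd takes the first
occurrence of a keyword, so a hardening line appended to the end of a config
that already sets the keyword does nothing, and turning off
PasswordAuthentication alone is not enough while keyboard-interactive
authentication (ChallengeResponseAuthentication, called
KbdInteractiveAuthentication in newer OpenSSH) still accepts passwords via
PAM. The blackhole sysctl from the mail is separate from sshd: put
`net.inet.tcp.blackhole=2` in /etc/sysctl.conf on FreeBSD (1 drops only SYNs
to closed ports, 2 drops all segments to them).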