Date: Fri, 05 Mar 2010 10:30:15 -0600
From: Kevin Kinsey <kdk@daleco.biz>
To: mikel king <mikel.king@olivent.com>
Cc: John <john@starfire.mn.org>, freebsd-questions@freebsd.org, Programmer In Training <pit@joseph-a-nagy-jr.us>
Subject: Re: Thousands of ssh probes
Message-ID: <4B913197.9000903@daleco.biz>
In-Reply-To: <F4960422-5F59-4FF4-A2E4-1F0A4772B78B@olivent.com>
References: <20100305125446.GA14774@elwood.starfire.mn.org> <4B910139.1080908@joseph-a-nagy-jr.us> <20100305132604.GC14774@elwood.starfire.mn.org> <F4960422-5F59-4FF4-A2E4-1F0A4772B78B@olivent.com>
mikel king wrote:
> Way back about 10 years ago, I was playing around with IPFW a lot. I
> wrote a script to update IPFW from changes made to a MySql db. It was a
> just-for-fun project that turned out to be rather useful. I have some
> developers that I managed who, like you, were road warriors. They logged
> in to the https web page w/ their username and password, which grabbed
> their IP address and stored it in a table along with their login id.
>
> The script called fud (for firewall update daemon) connected to the db
> and ran a query to check for any rule changes. If there were, it would
> apply them to the rule set and clear the change flag. Using this
> combination I was able to allow ssh access only to the necessary ip
> addresses.

We use a similar approach but only rely on tcpwrappers.  Here's what we
do (simplified & obfuscated slightly), just for reference (or, maybe
commentary :-D )

On server:

[505] Fri 05.Mar.2010 10:21:37 [admin@foo][~] cat /etc/hosts.allow | grep sshd
# Wrapping sshd(8) is not normally a good idea, but if you
sshd: /var/tmp/skyangel.ip : allow
sshd: all : deny

On "skyangel":

[13] Fri 05.Mar.2010 10:22:56 [admin@skyangel][~] sudo crontab -l |grep dhcp
@reboot /usr/local/bin/php -q /root/scripts/dhcp.php
* */4 * * * /usr/local/bin/php -q /root/scripts/dhcp.php

"dhcp.php" uses lynx to dump a server-side HTTPS page and sends a secret
in the URI.  The server-side page is able to decrypt this and determine
it's really "skyangel", then writes the connecting IP addy to
/var/tmp/skyangel.ip.

KDK
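The server side of the scheme Kevin describes (a roaming host phones home over HTTPS, the server authenticates it and records its current address in the file that hosts.allow points at), as an added example that is not Kevin's dhcp.php or his server page. It swaps the "secret in the URI" for an HMAC-signed token over hostname and timestamp, so the long-lived secret never appears in a request line or web-server access log and a captured token stops working after a short window; the hostname set, the shared key, the timestamps and the 203.0.113.42 address are constructed for the demo, and the one-IP-per-file layout assumes the per-host file is read by tcpwrappers as a pattern list, as in the hosts.allow lines above.

```python
"""Added example, not the poster's code: HMAC-authenticated "phone home"
endpoint logic that maintains a per-host IP file for tcpwrappers.

Client sends   hostname:timestamp:hmac_sha256(key, "hostname:timestamp")
Server checks  the MAC in constant time, rejects stale timestamps, then
               atomically replaces <dir>/<hostname>.ip with the peer address.
All names, keys and addresses below are constructed for the demo.
"""
import hashlib
import hmac
import ipaddress
import os
import tempfile

REPLAY_WINDOW_SECONDS = 600   # assumed tolerance for clock skew and retries


def make_token(key: bytes, hostname: str, timestamp: int) -> str:
    """Client side: the value the roaming host puts in its request."""
    msg = f"{hostname}:{timestamp}".encode()
    return f"{hostname}:{timestamp}:{hmac.new(key, msg, hashlib.sha256).hexdigest()}"


def verify_token(key: bytes, token: str, now: int,
                 window: int = REPLAY_WINDOW_SECONDS):
    """Return the authenticated hostname, or None if the token is rejected.

    Rejects malformed tokens, hostnames outside the assumed [A-Za-z0-9] set,
    timestamps more than `window` seconds from `now`, and MAC mismatches
    (compared with hmac.compare_digest so timing does not leak the MAC).
    """
    parts = token.split(":")
    if len(parts) != 3:
        return None
    hostname, ts_str, mac = parts
    if not hostname.isalnum() or not ts_str.isdigit():
        return None
    if abs(now - int(ts_str)) > window:
        return None
    expected = hmac.new(key, f"{hostname}:{int(ts_str)}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return None
    return hostname


def write_allow_file(directory: str, hostname: str, client_ip: str) -> str:
    """Atomically write `client_ip` (one pattern per line) to <directory>/<hostname>.ip.

    Writing a temp file and renaming it over the target means sshd, which
    reads the file on every connection, never sees a half-written file.
    """
    ip = ipaddress.ip_address(client_ip)          # ValueError on non-addresses
    path = os.path.join(directory, f"{hostname}.ip")
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=f".{hostname}.")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(f"{ip}\n")
        os.chmod(tmp, 0o644)                      # readable by sshd, writable by us only
        os.replace(tmp, path)
    except Exception:
        os.unlink(tmp)
        raise
    return path


def handle_request(key: bytes, token: str, client_ip: str, now: int,
                   directory: str) -> bool:
    """Authenticate the token, then record the peer address. True on success."""
    hostname = verify_token(key, token, now)
    if hostname is None:
        return False
    write_allow_file(directory, hostname, client_ip)
    return True


def demo_roundtrip():
    """Register a constructed client, read the file back, try two bad requests."""
    key = b"constructed-shared-key"                # constructed, not a real secret
    now = 1267806000                               # constructed epoch time
    token = make_token(key, "skyangel", now)
    tampered = token[:-1] + ("0" if token[-1] != "0" else "1")
    with tempfile.TemporaryDirectory() as d:
        ok = handle_request(key, token, "203.0.113.42", now, d)
        with open(os.path.join(d, "skyangel.ip")) as fh:
            content = fh.read()
        bad_mac = handle_request(key, tampered, "203.0.113.42", now, d)
        stale = handle_request(key, token, "203.0.113.42", now + 3600, d)
    return ok, content, bad_mac, stale


if __name__ == "__main__":
    print(demo_roundtrip())
```

The directory handed to write_allow_file should be one only the web server's writer account can write to; a rename into a world-writable directory such as /var/tmp lets any local user pre-create the target name, and tcpwrappers will trust whatever patterns it finds in that file.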