Date: Fri, 3 Jun 2005 14:02:01 -0400 (EDT) From: Francisco Reyes <lists@natserv.com> To: fbsd_user <fbsd_user@a1poweruser.com> Cc: FreeBSD Questions List <questions@freebsd.org> Subject: RE: securing SSH, FBSD systems Message-ID: <20050603135330.K13514@zoraida.natserv.net> In-Reply-To: <MIEPLLIBMLEEABPDBIEGGECEHGAA.fbsd_user@a1poweruser.com> References: <MIEPLLIBMLEEABPDBIEGGECEHGAA.fbsd_user@a1poweruser.com>
On Fri, 3 Jun 2005, fbsd_user wrote:

> I am running the ipfilter firewall and I ran a test to see who gets access
> to the packet first (i.e. firewall or route command). Normally I have
> inbound FTP port 21 denied in my firewall. I changed that rule to
> allow and log so I could see all the packets flow through. I had a
> buddy run FTP to my server over the public internet.
>
> Pass-1. Log shows passive FTP access to my server from the public
> internet.
> Pass-2. First I issued the route blackhole command on the IP address of
> my friend's system. Then had my friend run the same FTP access request to my
> server. This time the firewall log still shows the inbound packet on port 21
> passing in and out, but my friend's FTP session says connection error.
> Pass-3. Did route delete for the IP address, had the test rerun, and FTP
> worked as expected.
>
> Conclusion. The route blackhole command gets control after the packet has been
> allowed through the firewall. Since IPFW and PF access the packet the
> same way IPFilter does, this holds true for all of them.

The short answer is I don't know, but it's possible it's the same.

> The use of the route blackhole command is a specific solution for
> circumstances where the standard public port number cannot be changed
> to some other port number so it's not attacked. I now understand why it's
> a perfect workaround for your ssh attack problem.

Based on the feedback I got, the route command uses a non-linear type of
database, whereas IPFW is just a linear list. My list of IPs to blackhole
is around 400 and growing. That's why in my case I continue to use
route/blackholing.

> PS. I have been using the abuse-reporting-scripts to report this
> kind of stuff to the ISP who owns the attacker's IP address. This has
> resulted in many ISPs terminating the attacker's account.
> You can download the abuse-reporting-scripts from
> http://www.unixguide.net/freebsd/fbsd_installguide/index.php

Thanks for the link.
Didn't know about those. However, I often check the IP of the attacker to see where in the world they are coming from, and a large number of IPs are coming from China. Not sure how responsive the ISPs there will be.
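The blackhole list discussed above (hundreds of addresses and growing) is easier to keep in a file than to type by hand. The following shell script is an added example, not code from the thread or from FreeBSD: it validates and de-duplicates a plain-text list of IPv4 addresses and turns it into FreeBSD route(8) `-blackhole` commands. The file path /usr/local/etc/blackhole.txt is an assumed placeholder.

```shell
#!/bin/sh
# Added example, not from the thread. Keeps the blackhole list in a text
# file (one IPv4 address per line, '#' comments allowed) and turns it into
# FreeBSD route(8) commands. The file path below is a placeholder.
BLACKHOLE_FILE="${BLACKHOLE_FILE:-/usr/local/etc/blackhole.txt}"

# is_ipv4 ADDR: succeed only for a dotted quad with every octet in 0..255.
is_ipv4() {
    case "$1" in
        ""|.*|*.|*..*|*[!0-9.]*) return 1 ;;
    esac
    _ifs=$IFS; IFS=.
    set -- $1
    IFS=$_ifs
    [ "$#" -eq 4 ] || return 1
    for _o in "$@"; do
        [ "$_o" -le 255 ] 2>/dev/null || return 1
    done
    return 0
}

# blackhole_cmds FILE: print one "route add" command per unique valid
# address in FILE. Malformed lines are reported on stderr and skipped so
# a single typo cannot abort the whole list. The route points at the
# loopback address and -blackhole makes the kernel discard the packets.
blackhole_cmds() {
    sed 's/#.*//' "$1" | tr -d ' \t' | grep -v '^$' | sort -u |
    while IFS= read -r addr; do
        if is_ipv4 "$addr"; then
            printf 'route add -host %s 127.0.0.1 -blackhole\n' "$addr"
        else
            printf 'skipping malformed entry: %s\n' "$addr" >&2
        fi
    done
}

# apply_blackholes FILE: install the routes; needs root on the FreeBSD host.
# netstat -rn then lists them with the B (blackhole) flag.
apply_blackholes() {
    blackhole_cmds "$1" | sh
}

# sh blackhole.sh        -> only print the commands (dry run)
# sh blackhole.sh apply  -> install the routes
if [ "${1:-}" = "apply" ]; then
    apply_blackholes "$BLACKHOLE_FILE"
elif [ -z "${1:-}" ] && [ -f "$BLACKHOLE_FILE" ]; then
    blackhole_cmds "$BLACKHOLE_FILE"
fi
```

As the test in the thread showed, the firewall rules still run first, so a blackholed attacker's packets still appear in the firewall log even though the connection fails.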
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050603135330.K13514>