Date:      Mon, 11 Jan 2010 15:03:54 +0000
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        Tim Judd <tajudd@gmail.com>
Cc:        Anton Shterenlikht <mexas@bristol.ac.uk>, David Southwell <david@vizion2000.net>, freebsd-questions@freebsd.org
Subject:   Re: denying spam hosts ssh access - good idea?
Message-ID:  <4B4B3DDA.5010909@infracaninophile.co.uk>
In-Reply-To: <ade45ae91001110618w76abd4cdrf95470712aabefac@mail.gmail.com>
References:  <20100111140105.GI61025@mech-cluster241.men.bris.ac.uk> <201001111408.43361.david@vizion2000.net> <ade45ae91001110618w76abd4cdrf95470712aabefac@mail.gmail.com>

Tim Judd wrote:

> I've been meaning to check this out.  My firewall ssh rules are very
> strict, in fact, if the remote IP is "unknown" meaning, I don't know
> where the heck it's coming from, it's blocked.  It's easier to say it
> this way:  I allow ssh connections from IPs I know, preferably static
> IPs.
>
> Given that there is more than one general blacklist out there that
> lists unwanted behavior, and that we have ports that make use of these
> lists, I wonder if we can use a list (in this case, for spam)
> effectively for blocking ssh connections.  This means:
>   install spamd
>   setup pf (requirement for spamd, it is built by OpenBSD after all)
>   in the pf rules, block *ANYTHING* coming from the blacklisted IPs
>
>
> I don't know how effective it is, but since the spamd blacklist IPs
> are hosted on what seems to be only one server/server farm, I am also
> looking for any way I can provide a mirror (even if it's slightly
> outdated) of this data.

Sure you can do this -- you don't even need to install spamd(8) to do
it. If all you're going to do is use the uatraps and nixspam lists to
block all traffic to your server, then you can just create a table in
pf, and load the list of addresses from those lists into it.  You may
need some very small shell scripts to strip out anything other than IP
numbers from the lists (if you use the original sources for the Nixspam
stuff from heise.de), and then print out the list of addresses into a
file, one per line.

You can load that file into a PF table very easily:

    table <blacklisted> persist file "/var/db/blacklisted.txt"

and use it to block any traffic:

    block log in quick on $ext_if from <blacklisted> to any

Then whenever you update your blacklisted.txt file, just run:

    # pfctl -t blacklisted -T replace -f /var/db/blacklisted.txt

As you say, the places where you can download those lists are few and
far between, plus they're not particularly comprehensive.  There are
bigger and better spam blocklists out there, but those are generally
served as DNS rbls which aren't feasible for hooking into PF configs.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
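The "very small shell script" Matthew describes, as an added example that is not part of the thread. It assumes the table name and file path from his pf.conf snippet; the input layout is constructed (real lists differ in comment and column conventions, so check the source format first), and it refuses to replace the table with an empty list, which would otherwise silently unblock everyone after a failed download.

```shell
#!/bin/sh
# Added example, not from the original mail: turn a downloaded blocklist
# into the one-address-per-line file that
#   table <blacklisted> persist file "/var/db/blacklisted.txt"
# expects, then reload the table. Input layout is an assumption: real
# lists vary (comments, timestamps, extra columns), so check the source.

# Print every whitespace-separated token that is a valid IPv4 address or
# IPv4/prefix, ignoring '#' comments and anything else; de-duplicated.
extract_ipv4() {
    awk '
    function is_ipv4(s,    n, p, o, i) {
        n = split(s, p, "/")
        if (n > 2) return 0
        if (n == 2 && (p[2] !~ /^[0-9]+$/ || p[2] > 32)) return 0
        if (split(p[1], o, ".") != 4) return 0
        for (i = 1; i <= 4; i++)
            if (o[i] !~ /^[0-9]+$/ || o[i] > 255) return 0
        return 1
    }
    {
        sub(/#.*/, "")                    # strip trailing comments
        for (i = 1; i <= NF; i++)
            if (is_ipv4($i)) print $i
    }' "$@" | sort -u
}

# Rebuild the table file atomically and tell pf to replace the table's
# contents. Needs root and the table declared in pf.conf as above.
update_blacklist() {
    src=$1
    dst=${2:-/var/db/blacklisted.txt}
    extract_ipv4 "$src" > "$dst.tmp" || return 1
    if [ ! -s "$dst.tmp" ]; then
        # An empty replace would wipe the table and unblock everything.
        echo "refusing to load an empty list (download broken?)" >&2
        rm -f "$dst.tmp"
        return 1
    fi
    mv "$dst.tmp" "$dst" &&
    pfctl -t blacklisted -T replace -f "$dst"
}

# Usage (as root, after fetching the raw list):
#   update_blacklist /tmp/downloaded-list.txt
```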
