Date:      Mon, 11 Jan 2010 15:25:04 +0000
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        Anton Shterenlikht <mexas@bristol.ac.uk>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: denying spam hosts ssh access - good idea?
Message-ID:  <4B4B42D0.9070101@infracaninophile.co.uk>
In-Reply-To: <20100111140105.GI61025@mech-cluster241.men.bris.ac.uk>
References:  <20100111140105.GI61025@mech-cluster241.men.bris.ac.uk>

Anton Shterenlikht wrote:
> I'm thinking of denying ssh access to host from which
> I get brute force ssh attacks.
>
> However, I see in /etc/hosts.allow:
>
> # Wrapping sshd(8) is not normally a good idea, but if you
> # need to do it, here's how
> #sshd : .evil.cracker.example.com : deny
>
> Why is it not a good idea?

Probably because ssh is likely to be the only method of login access
you have to a remote server, and hosts.allow could conceivably be spoofed
into blocking your legitimate access?   In any case, hosts.allow is a poor
relation to using a real firewall -- it has no access to the lower level bits
of the networking code, so has to allow a full tcp connection setup before it
can block anything.  Some daemons allow quite a lot of interaction with the
remote site when using hosts.allow functionality -- eg. sendmail will
apparently go through all of the stages of accepting an incoming e-mail from
a denied host, right up to the 'MAIL FROM...' section of the SMTP transaction
where it will respond with a 500 permanent failure error code.  [admittedly
this does have the benefit that the other side will then immediately give up
trying to send the message if it's playing by the RFC rules. (Most spam-bots
don't, of course.)  Otherwise, you'd get the remote side retrying the message
several times an hour over the next 5 days before it timed out and gave up.]

> Also, apparently in older ssh there was DenyHosts option,
> but no longer in the current version.
> Is there a replacement for DenyHosts?
> Or is there a good reason for such option not to be used?

I believe you can do something like this:

Match Address 192.168.23.0/24,172.16.0.0/16
	ForceCommand /usr/sbin/nologin

but this is not foolproof, as it is run via the users' login shell
and a sufficiently cunning person can arrange for all sorts of interesting
things to happen from their shell initialization files...

	Cheers,

	Matthew

--
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
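
Since the reply recommends a real firewall over hosts.allow or an sshd
ForceCommand, here is an added example (not from the thread or from FreeBSD)
of the detection side of that approach: it counts failed sshd logins per
source address in sample auth.log lines and renders pfctl commands that load
the repeat offenders into a pf table, while honouring an allowlist so an
administrator's own address is never blocked. The log lines, the threshold
and the table name "sshbrute" are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in the format sshd writes to /var/log/auth.log;
# the hosts, users and addresses are made up for this example.
SAMPLE_LOG = """\
Jan 11 14:01:05 host sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jan 11 14:01:07 host sshd[4023]: Failed password for invalid user admin from 203.0.113.7 port 51031 ssh2
Jan 11 14:01:09 host sshd[4025]: Failed password for root from 203.0.113.7 port 51040 ssh2
Jan 11 14:01:11 host sshd[4027]: Failed password for invalid user oracle from 203.0.113.7 port 51052 ssh2
Jan 11 14:02:30 host sshd[4031]: Failed password for mexas from 198.51.100.9 port 40010 ssh2
Jan 11 14:02:45 host sshd[4033]: Accepted publickey for mexas from 198.51.100.9 port 40011 ssh2
Jan 11 14:03:01 host sshd[4035]: Invalid user test from 203.0.113.8
"""

# Matches "Failed password for ..." and "Invalid user ..." events and captures
# the IPv4 source address that follows "from".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: (?:Failed password for|Invalid user) .*?from (\d{1,3}(?:\.\d{1,3}){3})"
)


def failed_logins(log_text):
    """Count failed or invalid-user sshd attempts per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def offenders(log_text, threshold=3, never_block=frozenset()):
    """Addresses at or above the threshold, minus the allowlist (so a
    legitimate admin host with a few typos is never locked out)."""
    return sorted(ip for ip, n in failed_logins(log_text).items()
                  if n >= threshold and ip not in never_block)


def pf_commands(ips, table="sshbrute"):
    """Render pfctl commands adding each address to a pf table. pf.conf is
    assumed to declare the table and a rule such as:
        table <sshbrute> persist
        block in quick proto tcp from <sshbrute> to any port ssh
    """
    return [f"pfctl -t {table} -T add {ip}" for ip in ips]


if __name__ == "__main__":
    for cmd in pf_commands(offenders(SAMPLE_LOG, never_block={"198.51.100.9"})):
        print(cmd)
```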

