... Sigh ......
Bill Campbell
linux-sxs at celestial.com
Thu Jul 24 17:32:11 PDT 2008
On Thu, Jul 24, 2008, Ken Moffat wrote:
>Bill Campbell wrote:
>> On Thu, Jul 24, 2008, Ken Moffat wrote:
>>
>>> Ben Duncan wrote:
>>>
>>>> Me to person setting up my Web Server:
>>>>
>>>> Don't ya think we oughta move the sshd port to an unknown port and
>>>> use psk?
>>>>
>>>> person setting up web server:
>>>>
>>>> naw, I never have had any problems .......
>>>>
>>>> Me at 3 PM yesterday:
>>>>
>>>> OK, I'll turn sshd on with passwords.
>>>>
>>>> Me at 12 noon today:
>>>>
>>>> &$%^@#%$!(@&#$^!)#$%^)!@(#%$&%^ ...
>>>> after seeing that someone launched a dictionary attack JUST
>>>> 6 hours after I set up sshd - that ran for 8 hours against my server ...
>>>>
>>>> ME to web person: sshd has been moved to port #### and WE will be using
>>>> psk starting tomorrow ......
>>>>
>>>> Web Person: You're $HITTING me, I never had any problems before ....
>>>>
>>>>
>>> Have you tried "denyhosts"? Catches dictionary attacks and adds the
>>> attacker to /etc/hosts.deny.
>>>
>>
>> That's one approach, but it may fill log files with rejection messages.
>>
>> The fail2ban program can automatically add iptables entries to deny hosts
>> that appear to be making attacks, automatically removing the block after a
>> specified period of time. It also can track multiple log files and/or
>> patterns, so it works against a wide variety of attacks (I see many attacks
>> against POP and IMAP as well).
>>
>> My solution to web persons is to require they use OpenVPN to connect to our
>> servers, and only permit ssh access with authorized_keys, no passwords.
>>
...
>denyhosts does add and remove offending IPs, but not sure about
>multiple log files, and pop/imap is a great feature. Will check it out.
One issue I have with anything that fiddles files in /etc is that
it triggers my intrusion detection software, meaning I either have
to examine /etc/hosts.deny every day or ignore the changes,
which could lead to problems.
We do maintain a DNSRBL of IP addresses and networks that have
made cracking attempts, attempted to spam mailing lists, etc., and
use a hacked version of libwrap that allows RBL lookups. Using
the djbdns rbldns program makes it very easy to add IP
addresses or CIDR blocks to the DNSRBL or delete them from it, and a line in the
/etc/hosts.allow file simply references it.
Bill
--
INTERNET: bill at celestial.com Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/ PO Box 820; 6641 E. Mercer Way
Voice: (206) 236-1676 Mercer Island, WA 98040-0820
Fax: (206) 232-9186
Marijuana will be legal some day, because the many law students
who now smoke pot will someday become congressmen and legalize
it in order to protect themselves. -- Lenny Bruce
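The fail2ban behaviour Bill describes above (count failures per host from a log, block the host with iptables, lift the block after a set time), as an added example that is not code from this thread, from fail2ban or from denyhosts: a small Python tracker replayed over a constructed auth.log excerpt. The thresholds (5 failures within 10 minutes, 1-hour ban), the year (syslog timestamps omit it) and the exact iptables commands are assumptions; the tracker only records the commands it would run rather than executing them.

```python
# Added example (not from the thread): a minimal fail2ban-style tracker for the
# sshd dictionary attack described above. It counts "Failed password" lines per
# source IP inside a sliding window, records the iptables command a real tool
# would run to ban the host, and lifts the ban again once bantime has passed.
# The log lines below are constructed for the example; the year is assumed
# because syslog timestamps omit it.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# OpenSSH "Failed password" line as syslog writes it to auth.log.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def parse_failed_login(line, year=2008):
    """Return (timestamp, ip, user) for a failed-password line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["user"]


class BanTracker:
    """Ban an IP after maxretry failures within findtime seconds, for bantime seconds."""

    def __init__(self, maxretry=5, findtime=600, bantime=3600):
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        self.bantime = timedelta(seconds=bantime)
        self.attempts = defaultdict(deque)   # ip -> recent failure timestamps
        self.banned = {}                     # ip -> datetime the ban expires
        self.actions = []                    # iptables commands a real tool would run

    def _expire_bans(self, now):
        """Remove the firewall rule for any ban whose bantime has elapsed."""
        for ip, until in list(self.banned.items()):
            if until <= now:
                del self.banned[ip]
                self.actions.append(f"iptables -D INPUT -s {ip} -j DROP")

    def observe(self, ts, ip):
        """Record one failure; return True if this failure triggers a ban."""
        self._expire_bans(ts)
        if ip in self.banned:
            return False                     # already dropped; nothing to count
        window = self.attempts[ip]
        window.append(ts)
        while window and ts - window[0] > self.findtime:
            window.popleft()                 # forget failures older than findtime
        if len(window) >= self.maxretry:
            self.banned[ip] = ts + self.bantime
            window.clear()
            self.actions.append(f"iptables -I INPUT -s {ip} -j DROP")
            return True
        return False

    def feed(self, lines):
        """Run every log line through the tracker; return the IPs banned, in order."""
        banned_now = []
        for line in lines:
            parsed = parse_failed_login(line)
            if parsed and self.observe(parsed[0], parsed[1]):
                banned_now.append(parsed[1])
        return banned_now


# Constructed auth.log excerpt: 10.0.0.5 hammers sshd, 192.0.2.7 fails twice
# 14 minutes apart (outside findtime) and then logs in with a key.
SAMPLE_LOG = """\
Jul 24 12:00:01 web sshd[1234]: Failed password for invalid user admin from 10.0.0.5 port 40001 ssh2
Jul 24 12:00:03 web sshd[1235]: Failed password for root from 10.0.0.5 port 40002 ssh2
Jul 24 12:00:05 web sshd[1236]: Failed password for invalid user oracle from 10.0.0.5 port 40003 ssh2
Jul 24 12:00:07 web sshd[1237]: Failed password for invalid user test from 10.0.0.5 port 40004 ssh2
Jul 24 12:00:09 web sshd[1238]: Failed password for root from 10.0.0.5 port 40005 ssh2
Jul 24 12:00:11 web sshd[1239]: Failed password for root from 10.0.0.5 port 40006 ssh2
Jul 24 12:01:00 web sshd[1240]: Failed password for bill from 192.0.2.7 port 50001 ssh2
Jul 24 12:15:00 web sshd[1241]: Failed password for bill from 192.0.2.7 port 50002 ssh2
Jul 24 12:16:00 web sshd[1242]: Accepted publickey for bill from 192.0.2.7 port 50003 ssh2
Jul 24 13:30:00 web sshd[1243]: Failed password for root from 10.0.0.5 port 40010 ssh2
"""


def run_sample():
    """Replay SAMPLE_LOG through a tracker and return it for inspection."""
    tracker = BanTracker()
    tracker.feed(SAMPLE_LOG.splitlines())
    return tracker


if __name__ == "__main__":
    for cmd in run_sample().actions:
        print(cmd)
```

Run stand-alone it prints the insert and the later delete of the DROP rule for 10.0.0.5; 192.0.2.7 never reaches the threshold because its two failures fall outside the 10-minute window, and the "Accepted publickey" line is ignored by the pattern. Because the ban lives in the firewall rather than in /etc/hosts.deny, nothing under /etc changes, which is the property Bill wants for keeping his intrusion detection quiet.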