Re: Attacks on ssh port

From: David D.W. Downey (david.downey_at_gmail.com)
Date: 09/19/04

  • Next message: Willem Jan Withagen: "Re: Attacks on ssh port"
    Date: Sat, 18 Sep 2004 18:04:45 -0400
    To: Willem Jan Withagen <wjw@withagen.nl>
    
    

    > >On Sat, 18 Sep 2004 14:18:32 +0200, Willem Jan Withagen <wjw@withagen.nl> wrote:
    > It is not about all this. I know these, and I use them if appropriate.
    > (Come to think of it, I was one of the first externals to test Wietse
    > Venema's TCP-wrapper.)
    >
    > Once I have identified the nature and quality of this type of problem,
    > I want to deal with it in such a way that it is no longer a bother. And
    > in this particular case these records are clogging my login error
    > records. And because of that I just might miss out on the one or two
    > that do matter. You might want to call it noise-reduction, and I'm
    > looking for as large a Signal/Noise ratio as possible.
    > So that is why I would like to be able to throw root/ssh login attempts
    > directly in the garbage and kill the host where these are coming from
    > with a record in my firewall.
    >

    OK, it was a simple suggestion (no derogatory tone meant). I will say
    this much: adding each individual host that scans your machine
    instantly to your firewall WILL end up killing your machine due to
    lookups if this is in place during any large scan or direct port
    attacks.

    I do think you're being overly concerned about your log entries, since
    this is *exactly* what the system is *supposed* to do: log the entries
    for further use by the admin if needed. There is no signal to noise
    reduction gained, since what you consider noise is what the system is
    *designed* to do. If you want to reduce the number of entries then
    reduce the # of entries it logs (aka when you enable the verbose_limit
    count it won't log any more than that number of attempts from a host.
    So set it to 2 or even 1 (I would suggest 2 so you only get what
    should be considered a bona fide failure)).

    If you want to enable firewalling based on that information then
    you're going to have to write a custom script to cull the information
    from the logfiles or enable some ports NIDS, or 3rd-party NIDS to do
    this for you. (Such as maybe portsentry and hostsentry for a basic
    choice option set.)

    Hopefully this helps.

    -- 
    David D.W. Downey
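
A sketch of the kind of log-culling script the message mentions, added here as an example and not part of the original post. It assumes OpenSSH's syslog "Failed password ... from ADDR port N ssh2" line format; the function name, threshold, allow-list and sample lines are constructed for illustration, and the result is capped so the block list cannot grow without bound during a large scan.

```python
import ipaddress
import re
from collections import Counter

# Greedy user field plus end-of-line anchor: the address is taken from the
# last "from ADDR port N" on the line, which sshd writes itself, so a crafted
# username containing " from 10.0.0.1 port 22" cannot redirect the block.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:(?:invalid|illegal) user )?"
    r"(?P<user>.*) from (?P<addr>\S+) port \d+(?: ssh2)?$"
)

# Constructed sample log lines (documentation addresses, hypothetical host "gw").
SAMPLE_LOG = """\
Sep 18 14:02:11 gw sshd[4101]: Failed password for root from 192.0.2.10 port 4321 ssh2
Sep 18 14:02:13 gw sshd[4101]: Failed password for root from 192.0.2.10 port 4321 ssh2
Sep 18 14:02:15 gw sshd[4103]: Failed password for illegal user test from 192.0.2.10 port 4330 ssh2
Sep 18 14:05:40 gw sshd[4110]: Failed password for alice from 198.51.100.7 port 50122 ssh2
Sep 18 14:06:02 gw sshd[4112]: Accepted password for alice from 198.51.100.7 port 50130 ssh2
Sep 18 14:09:00 gw sshd[4120]: Failed password for illegal user x from 10.0.0.1 port 22 ssh2 from 203.0.113.5 port 4444 ssh2
""".splitlines()


def block_candidates(lines, threshold=3, max_entries=1000, allow=()):
    """Return [(address, failures)] for sources with >= threshold failures."""
    allowed = [ipaddress.ip_network(n) for n in allow]
    counts = Counter()
    for line in lines:
        m = FAILED.search(line.rstrip())
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group("addr"))
        except ValueError:
            continue  # not a literal address; never hand it to a firewall
        if any(addr in net for net in allowed):
            continue  # never list the admin's own networks
        counts[str(addr)] += 1
    # Highest offenders first; the cap bounds the size of the block list.
    hits = [(a, n) for a, n in counts.most_common() if n >= threshold]
    return hits[:max_entries]


if __name__ == "__main__":
    for address, failures in block_candidates(SAMPLE_LOG):
        print(address, failures)
```

Loading the returned addresses into a firewall is left to the administrator; a single table or list that is replaced on each run keeps the rule count fixed no matter how many hosts are listed.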