[Cialug] RE: Port blocking - and unwanted intruders.

Dwight Hubbard cialug@cialug.org
Mon, 6 Dec 2004 11:03:47 -0600 (CST)


First I would either install a firewall rule blocking the netblock for
that Chinese university or at least put in a reject route for that network
block (unless your server normally serves people from China).

If at all possible I would set up the tcpwrappers to deny ssh access by
default and put the address ranges you connect from in the hosts.allow
file.  That way you exclude nearly all the miscreants from having the
opportunity to guess at your accounts.

The best solution I've found for this kind of thing is to set up
portsentry to install blocking firewall rules on multiple attempts to
connect to unused ports from an IP address.  This stops most users doing
network probes from single machines.

I also set up tcpwrappers to run a script that installs a firewall
blocking rule for attempts to access running services from IP addresses
other than those authorized.  That way people from unauthorized addresses
who try to access services like SSH will not only be unable to get into
SSH but they will no longer be able to see your box at all from their IP
address.  Of course this can be a PITA if you happen to travel and want to
connect to your server using the hotel's high speed internet access...

Finally, I would make it a point to run something like chkrootkit on your
box regularly.  You never know when someone will invent some new and
creative way to hack your box and give it to all the script kiddies in the
world.
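
An added example, not part of Dwight's message: one way to build the tcpwrappers hook he describes, where a connection from an unauthorised address to a wrapped service spawns a script that installs a firewall DROP rule. The script validates the address tcpwrappers hands it, refuses to block anything listed in an administrator allow-list (so the hook cannot lock out the ranges you connect from), and adds the rule idempotently. The hook path `/usr/local/sbin/block-host`, the allow-list file `/etc/block-host.allow`, the `INPUT` chain and the sample ranges are assumptions for the illustration.

```shell
#!/bin/sh
# Illustrative tcpwrappers "spawn" hook (example code, not from the original
# post).  Assumed wiring:
#
#   /etc/hosts.allow:  sshd: 203.0.113.0/24 198.51.100.7
#   /etc/hosts.deny:   sshd: ALL: spawn (/usr/local/sbin/block-host %a) &
#
# %a expands to the client address; the trailing & keeps sshd from waiting
# on the hook.  Paths, the allow-list file and the chain name are assumed.

ALLOWLIST="${ALLOWLIST:-/etc/block-host.allow}"   # one CIDR or address per line
IPTABLES="${IPTABLES:-iptables}"                   # override for dry runs
CHAIN="${CHAIN:-INPUT}"

# ip_to_int ADDR: print the address as a 32-bit integer; returns 1 if it is
# not a well-formed dotted quad (rejects letters, spaces, empty octets,
# octets over 255 and leading zeros, which would be read as octal).
ip_to_int() {
    case $1 in ''|*[!0-9.]*) return 1;; esac
    set -- $(printf '%s\n' "$1" | tr . ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|0[0-9]*) return 1;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR RANGE: returns 0 if ADDR lies inside RANGE (a bare address
# is treated as a /32).
in_cidr() {
    addr=$(ip_to_int "$1") || return 1
    net=${2%/*}; bits=${2#*/}
    [ "$bits" = "$2" ] && bits=32
    case $bits in ''|*[!0-9]*) return 1;; esac
    [ "$bits" -le 32 ] || return 1
    netint=$(ip_to_int "$net") || return 1
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( addr & mask )) -eq $(( netint & mask )) ]
}

# is_allowed ADDR: returns 0 if ADDR matches any non-comment line of the
# allow-list.  A missing list means nothing is protected from blocking.
is_allowed() {
    [ -r "$ALLOWLIST" ] || return 1
    while read -r range _; do
        case $range in ''|'#'*) continue;; esac
        in_cidr "$1" "$range" && return 0
    done < "$ALLOWLIST"
    return 1
}

# block_host ADDR: validate, refuse to block an allow-listed address, then
# insert a DROP rule at the top of the chain.  Returns 0 if the address is
# (now) blocked, 2 if refused, 1 if iptables failed.
block_host() {
    ip_to_int "$1" >/dev/null || { echo "block-host: bad address '$1'" >&2; return 2; }
    if is_allowed "$1"; then
        echo "block-host: $1 is in $ALLOWLIST, not blocking" >&2
        return 2
    fi
    # -C checks for an existing rule so repeated hook firings stay idempotent
    if "$IPTABLES" -C "$CHAIN" -s "$1" -j DROP 2>/dev/null; then
        return 0
    fi
    "$IPTABLES" -I "$CHAIN" 1 -s "$1" -j DROP || return 1
    logger -t block-host "blocked $1 after unauthorised access attempt" 2>/dev/null || true
    return 0
}

# When invoked as the spawn hook, act on the address tcpwrappers passes in.
if [ -n "${1:-}" ]; then
    block_host "$1"
fi
```

Note that the allow-list only protects you from the hook itself; hosts.deny still rejects the connection, so the ranges you travel from must also appear in hosts.allow. Rules added this way live only in the running kernel and vanish on reboot, which is usually what you want for automatically added blocks.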