[Cialug] RE: Port blocking - and unwanted intruders.
Korver, Aaron
cialug@cialug.org
Mon, 6 Dec 2004 11:04:17 -0600
You make it sound so easy...
> -----Original Message-----
> From: Dwight Hubbard [mailto:dwight@dwightandamy.com]
> Sent: Monday, December 06, 2004 11:04 AM
> To: cialug@cialug.org
> Cc: alietzow@myfamily.com
> Subject: Re: [Cialug] RE: Port blocking - and unwanted intruders.
>
> First I would either install a firewall rule blocking the netblock for
> that Chinese university or at least put in a reject route for that network
> block (unless your server normally serves people from China).
>
> If at all possible I would set up the tcpwrappers to deny ssh access by
> default and put the address ranges you connect from in the hosts.allow
> file. That way you exclude nearly all the miscreants from having the
> opportunity to guess at your accounts.
>
> The best solution I've found for this kind of thing is to set up
> portsentry to install blocking firewall rules on multiple attempts to
> connect to unused ports from an IP address. This stops most users doing
> network probes from single machines.
>
> I also set up tcpwrappers to run a script that installs a firewall
> blocking rule for attempts to access running services from IP addresses
> other than those authorized. That way people from unauthorized addresses
> who try to access services like SSH will not only be unable to get into
> SSH but they will no longer be able to see your box at all from their IP
> address. Of course this can be a PITA if you happen to travel and want to
> connect to your server using the hotel's high speed internet access...
>
> Finally, I would make it a point to run something like chkrootkit on your
> box regularly. You never know when someone will invent some new and
> creative way to hack your box and give it to all the script kiddies in the
> world.
>
> _______________________________________________
> Cialug mailing list
> Cialug@cialug.org
> http://cialug.org/mailman/listinfo/cialug
>
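An added example (not from Dwight's mail or the list) of the kind of script tcpwrappers can spawn from hosts.deny to install a blocking firewall rule for an unauthorized client, while refusing to block any address in your own hosts.allow-style ranges so you cannot lock yourself out. The hosts.deny spawn line in the docstring and the AUTHORIZED ranges are assumptions; `%a` is the client address tcpwrappers passes to the spawned command.

```python
#!/usr/bin/env python3
"""Block-host helper for tcpwrappers (example, not the mail's own script).

Assumed hosts.deny entry that invokes it:
    sshd : ALL : spawn /usr/local/sbin/block_host.py %a
tcpwrappers expands %a to the client address when the rule matches.
"""
import ipaddress
import subprocess
import sys

# Constructed allow-list in hosts.allow style: the ranges you connect from,
# plus loopback. Anything here is never blocked, even if it trips hosts.deny.
AUTHORIZED = ["192.0.2.0/24", "198.51.100.7", "127.0.0.0/8", "::1"]


def parse_networks(entries):
    """Turn address/CIDR strings into network objects (host -> /32 or /128)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_authorized(client, networks):
    """True if the client address falls inside any authorized range."""
    addr = ipaddress.ip_address(client)
    return any(addr in net for net in networks if net.version == addr.version)


def block_rule(client, networks):
    """Return the iptables/ip6tables argv that drops the client, or None
    when the client is authorized or the address cannot be parsed."""
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:
        return None  # tcpwrappers gave us something that is not an address
    if is_authorized(client, networks):
        return None
    tool = "iptables" if addr.version == 4 else "ip6tables"
    # Insert at the top of INPUT so the drop wins over any later accept rule.
    return [tool, "-I", "INPUT", "-s", str(addr), "-j", "DROP"]


def main(argv):
    if len(argv) != 2:
        print("usage: block_host.py CLIENT_ADDR", file=sys.stderr)
        return 2
    rule = block_rule(argv[1], parse_networks(AUTHORIZED))
    if rule is None:
        return 0  # authorized (or unparseable) address: do nothing
    return subprocess.call(rule)  # needs root, as tcpwrappers normally has


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Rules added this way live only until the next firewall reload, so a periodic flush or a persisted ruleset is needed to mirror what portsentry does.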