[SGVLUG] security tools
John Lowry
johnlowry at gmail.com
Tue Dec 4 11:27:25 PST 2007
Stan Schwarz wrote:
>> lazy to build my own log parser. But one thing I liked in the FAQ of
>> psad is this:
>>
>> http://www.cipherdyne.org/psad/docs/faq.html#auto_block
>>
>> Looks like it has the ability to automatically block an IP address based
>> on a certain threshold of traffic.
>
> I know that this isn't a danger for most people here, but it's
> still kind of funny.
>
> The USGS has something like this set up at the perimeter of
> the network in Menlo Park. After the Alum Rock earthquake on
> October 30, traffic on the web site went up by 200x. Guess
> what happened?
>
> Fortunately, the web sites are served by Akamai, so there were
> a bunch of different hosts coming in to get content for the
> Akamai caching servers. So no one host was requesting a huge
> amount of stuff. But part of the site needs to access a database
> that runs on a machine here at Caltech. The automatic network
> monitor saw lots of traffic between the web servers and the
> database server. So it decided that the database server was
> attacking us, and it blocked it.
>
I use fwknop on my SSH bastion host. A network scan looking for anything
on that machine will see that everything is filtered. When I want to
connect I use the fwknop client to open up SSH to only my IP for 10
minutes and allow pre-existing conditions to stay open so when the
firewall drops down after 10 minutes, my connection stays open. So even
if there is a new exploit out for OpenSSH I am not stressed about
attacks from external attackers.
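A small model of the threshold auto-block behaviour discussed in this thread, added here as an illustration and not code or configuration from psad, fwknop, or the USGS setup. It runs a psad-style "block any source that sends N packets within W seconds" rule over constructed log lines (hypothetical addresses) and shows how an allowlist of known infrastructure keeps a chatty database server from being blocked the way it was in Stan's story, while a noisy scanner is still caught:

```python
from collections import defaultdict, deque

# Constructed log lines, not real traffic: "<epoch_seconds> <src_ip> <dst_ip>".
# 192.0.2.20 plays the remote database server, 192.0.2.10-14 the web servers,
# 203.0.113.99 a host sweeping several addresses, 198.51.100.7 an ordinary client.
SAMPLE_LOG = """\
100 192.0.2.20 192.0.2.10
101 192.0.2.20 192.0.2.10
102 192.0.2.20 192.0.2.10
103 192.0.2.20 192.0.2.10
104 192.0.2.20 192.0.2.10
105 203.0.113.99 192.0.2.10
106 203.0.113.99 192.0.2.11
107 203.0.113.99 192.0.2.12
108 203.0.113.99 192.0.2.13
109 203.0.113.99 192.0.2.14
110 198.51.100.7 192.0.2.10
150 198.51.100.7 192.0.2.10
"""

DB_SERVER = "192.0.2.20"  # hypothetical: the database host the site depends on


def auto_block(log_text, threshold=5, window=10, allowlist=frozenset()):
    """Sliding-window threshold blocker.

    Returns (blocked, suppressed): sources that hit `threshold` packets within
    any `window` seconds, split into those that would be blocked and those
    that crossed the threshold but are on the allowlist.
    """
    recent = defaultdict(deque)  # src_ip -> timestamps seen in the current window
    blocked, suppressed = set(), set()
    for line in log_text.splitlines():
        ts, src, _dst = line.split()
        ts = int(ts)
        q = recent[src]
        q.append(ts)
        while q and q[0] < ts - window:  # expire packets outside the window
            q.popleft()
        if len(q) >= threshold:
            (suppressed if src in allowlist else blocked).add(src)
    return blocked, suppressed


if __name__ == "__main__":
    print("naive:     ", auto_block(SAMPLE_LOG))
    print("allowlist: ", auto_block(SAMPLE_LOG, allowlist=frozenset({DB_SERVER})))
```

With no allowlist the database server is blocked alongside the scanner; allowlisting it reports the spike but leaves the connection alone.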