[SGVLUG] ports - what about tcp wrappers or firewall settings
Claude Felizardo
cafelizardo at gmail.com
Fri Jan 16 13:09:39 PST 2009
On Fri, Jan 16, 2009 at 12:33 PM, Robert Leyva <mrflash818 at geophile.net> wrote:
> Greets,
>
> I am about to prove how humble my knowledge is:
> What about using something simple like tcp wrappers or firewall
> configuration, so that only allowed incoming traffic to your ssh port
> (say, a few domains from work and such) ?
>
> Not as fancy or elegant as port knocking, but maybe easier to implement? A
> quick Google search revealed most ssh implementations support it....
>
>>
>> There are quite a number of "bots" that run 24/7 trying to brute-force
>> crack SSH server accounts, and a lot of the time, they too run on these
>> hijacked machines, either through some IRC botnet, or some other
>> automated (XSS-injected) script.
>>
>> When configuring an SSH Server, the 1st thing should always be disabling
>> 'root' login access, and running sshd on a non-standard port. Most of the
>> "bots" that run autonomously (usually) only attack port 22, and therefore are
>> easily defeated.
Sure. Your system is probably already configured to use TCP
wrappers. Your /etc/hosts.deny probably already has a line that says
something like this:
ALL:ALL EXCEPT 127.0.0.1:DENY
Then just add the following to your /etc/hosts.allow file to allow
specific access:
sshd: host.domain : ALLOW
sshd: host2.domain2 : ALLOW
I also turn on reporting, but be aware that this could generate lots of
email, so I use non-standard ports and block standard ports at the
router.
ALL : ALL : spawn (/usr/sbin/safe_finger -l @%h | /bin/mail -s "Port Denial on %N for %d from %c" root) & : DENY
Try a web search for "sgvlug tcp wrappers" for the thread.
Also, I gave an intro to port knocking (and wake on ring) to SGVLUG a
few years ago. A Google search shows it's still available at our
site. I can't find it navigating our site, but if you do a Google
search on "sgvlug port knocking claude" you can find it, or here is a
link:
http://www.sgvlug.org/index.php?option=com_content&task=blogsection&id=14&Itemid=49
claude
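To check what the hosts.allow / hosts.deny lines in the reply above actually do before relying on them, here is a small simulator of the hosts_access(5) evaluation order. It is an added example, not code from the thread or from the TCP wrappers package, and it only handles the subset of syntax those lines use (ALL, EXCEPT, exact hostnames, leading-dot domain suffixes, the ALLOW/DENY options); other options such as spawn are parsed but ignored.

```python
"""Simulate hosts_access(5) decisions for the TCP wrappers rules quoted above.
Added example, not from the thread; handles only ALL, EXCEPT, exact hostnames,
leading-dot domain suffixes and the ALLOW/DENY options (spawn is ignored)."""

# Constructed copies of the two files from the reply above.
HOSTS_ALLOW = "sshd: host.domain : ALLOW\nsshd: host2.domain2 : ALLOW\n"
HOSTS_DENY = "ALL:ALL EXCEPT 127.0.0.1:DENY\n"


def _match_one(pattern: str, name: str) -> bool:
    """One hosts_access pattern against one daemon or client name."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):  # ".domain" matches every host under it
        return name.lower().endswith(pattern.lower())
    return pattern.lower() == name.lower()


def _match_list(field: str, name: str) -> bool:
    """'a b EXCEPT c' matches when a or b matches and c does not."""
    tokens = field.split()
    include, exclude = tokens, []
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        include, exclude = tokens[:i], tokens[i + 1:]
    return (any(_match_one(p, name) for p in include)
            and not any(_match_one(p, name) for p in exclude))


def parse_rules(text: str) -> list:
    """Return (daemon_list, client_list, explicit ALLOW/DENY or None) per line."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        action = next((o for o in fields[2:] if o in ("ALLOW", "DENY")), None)
        rules.append((fields[0], fields[1], action))
    return rules


def decide(daemon: str, client: str, allow: str = HOSTS_ALLOW,
           deny: str = HOSTS_DENY) -> str:
    """hosts.allow is searched first, then hosts.deny; no match means access."""
    for daemons, clients, action in parse_rules(allow):
        if _match_list(daemons, daemon) and _match_list(clients, client):
            return action or "ALLOW"
    for daemons, clients, action in parse_rules(deny):
        if _match_list(daemons, daemon) and _match_list(clients, client):
            return action or "DENY"
    return "ALLOW"
```

Note that with the quoted files, 127.0.0.1 is admitted to every daemon only because the deny rule excludes it and nothing else matches, which is the implicit default-allow a real deployment should test for in the same way.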