[SGVLUG] ports - what about tcp wrappers or firewall settings

Claude Felizardo cafelizardo at gmail.com
Fri Jan 16 13:13:39 PST 2009


Sorry, pasted the wrong link

http://www.sgvlug.org/index.php?option=com_content&task=view&id=67&Itemid=27

A limitation of TCP wrappers is that you need to create the exceptions
while you still have access. Port knocking allows dynamic access.
Again, I'd like to see a presentation on advanced port knocking.

claude


On Fri, Jan 16, 2009 at 1:09 PM, Claude Felizardo <cafelizardo at gmail.com> wrote:
> On Fri, Jan 16, 2009 at 12:33 PM, Robert Leyva <mrflash818 at geophile.net> wrote:
>> Greets,
>>
>> I am about to prove how humble my knowledge is:
>> What about using something simple like tcp wrappers or firewall
>> configuration, so that only allowed incoming traffic to your ssh port
>> (say, a few domains from work and such) ?
>>
>> Not as fancy or elegant as port knocking, but maybe easier to implement? A
>> quick Google search revealed most ssh implementations support it....
>>
>>>
>>> There are quite a number of "bots" that run 24/7 trying to brute-force
>>> crack SSH server accounts, and a lot of the time, they too run on these
>>> hijacked machines, either through some IRC botnet, or some other
>>> automated (XSS-injected) script.
>>>
>>> When configuring an SSH Server, the 1st thing should always be disabling
>>> 'root' login access, and run sshd on a non-standard port. Most of the
>>> "bots" that run autonomously (usually) only attack port 22, therefore are
>>> easily defeated.
>
> Sure. Your system is probably already configured to use TCP
> wrappers. Your /etc/hosts.deny probably already has a line that says
> something like this:
>
> ALL:ALL EXCEPT 127.0.0.1:DENY
>
> Then just add the following to your /etc/hosts.allow file to allow
> specific access:
>
> sshd:   host.domain : ALLOW
> sshd:   host2.domain2 : ALLOW
>
> I also turn on reporting, but be aware that this could generate lots of
> email, so I use non-standard ports and block standard ports at the
> router.
>
> ALL : ALL : spawn (/usr/sbin/safe_finger -l @%h | /bin/mail -s "Port
> Denial on %N for %d from %c" root) & : DENY
>
> Try a web search for "sgvlug tcp wrappers" for the thread.
>
> Also, I gave an intro to port knocking (and wake on ring) to SGVLUG a
> few years ago. A Google search shows it's still available at our
> site. I can't find it navigating our site, but if you do a Google
> search on "sgvlug port knocking claude" you can find it, or here is a
> link:
>
> http://www.sgvlug.org/index.php?option=com_content&task=blogsection&id=14&Itemid=49
>
> claude
>
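The rules quoted in the thread are easy to get subtly wrong, and the lockout limitation Claude raises is the usual way they bite. The following is an added example, not code from the thread or from the TCP wrappers project: a small Python evaluator for the hosts_access(5) rule language (hosts.allow consulted first, then hosts.deny, first match wins, no match means allow), run over constructed copies of the posted hosts.allow and hosts.deny lines. The sample hosts.deny merges the thread's default-deny line with its spawn/reporting line into one rule; that merge, the sample host names and addresses, and the `would_lock_out` helper are all assumptions made for this example. The simulator omits the KNOWN/UNKNOWN/PARANOID keywords and the `daemon@server` form.

```python
"""Toy evaluator for TCP wrappers access control (hosts_access(5)).
Added example: not the thread's code and not libwrap itself.
libwrap order: /etc/hosts.allow is searched first, then /etc/hosts.deny; the
first matching rule decides, and a request matching neither file is allowed.
KNOWN/UNKNOWN/PARANOID and the daemon@server form are not modelled."""
import ipaddress
import re

# Constructed sample files that mirror the rules posted in the thread.
HOSTS_ALLOW = """\
sshd:   host.domain : ALLOW
sshd:   host2.domain2 : ALLOW
"""
# The thread's default-deny line merged with its spawn/reporting line (constructed).
HOSTS_DENY = """\
# deny everything not explicitly allowed, except the loopback address;
# a trailing backslash continues the rule on the next line, as in the man page
ALL : ALL EXCEPT 127.0.0.1 : \\
    spawn (/usr/sbin/safe_finger -l @%h | /bin/mail -s "Port Denial on %N for %d from %c" root) & : DENY
"""


def parse_rules(text):
    """Return [(daemon_list, client_list, [option, ...])] for one access file."""
    text = text.replace("\\\n", "")             # backslash-newline joins long rules
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):    # blank lines and leading '#' are ignored
            continue
        # Fields are separated by ':'; a literal colon inside an option is written '\:'.
        fields = [f.strip() for f in re.split(r"(?<!\\):", line)]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        rules.append((fields[0], fields[1], fields[2:]))
    return rules


def _token_matches(pattern, value):
    """Match one daemon/client pattern against one string (host name or address)."""
    key = pattern.upper()
    if key == "ALL":
        return True
    if key == "LOCAL":                           # any name without a dot
        return "." not in value
    if pattern.startswith("."):                  # '.domain' matches hosts in that domain
        return value.lower().endswith(pattern.lower())
    if pattern.endswith("."):                    # '192.168.' matches a network prefix
        return value.startswith(pattern)
    if "/" in pattern:                           # 'net/mask' form, e.g. 10.0.0.0/255.0.0.0
        try:
            return ipaddress.ip_address(value) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:                       # value is a host name, not an address
            return False
    return pattern.lower() == value.lower()


def _list_matches(pattern_list, values):
    """'list_1 EXCEPT list_2' is right-associative, as in hosts_access(5)."""
    parts = re.split(r"\s+EXCEPT\s+", pattern_list, maxsplit=1, flags=re.IGNORECASE)
    if len(parts) == 2:
        return _list_matches(parts[0], values) and not _list_matches(parts[1], values)
    tokens = [t for t in re.split(r"[\s,]+", pattern_list.strip()) if t]
    return any(_token_matches(tok, v) for tok in tokens for v in values)


def hosts_access(daemon, client, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Decide 'ALLOW' or 'DENY' for daemon and client=(hostname, address)."""
    for text, file_default in ((allow_text, "ALLOW"), (deny_text, "DENY")):
        for daemons, clients, options in parse_rules(text):
            if _list_matches(daemons, [daemon]) and _list_matches(clients, list(client)):
                # An explicit ALLOW/DENY option overrides which file the rule sits in.
                verdicts = [o.upper() for o in options if o.upper() in ("ALLOW", "DENY")]
                return verdicts[0] if verdicts else file_default
    return "ALLOW"                               # no rule in either file: access granted


def would_lock_out(daemon, admin_client, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """The limitation raised in the thread: with deny-by-default, the admin's own
    source must already be in hosts.allow before the deny rule goes live."""
    return hosts_access(daemon, admin_client, allow_text, deny_text) == "DENY"


if __name__ == "__main__":
    for who in [("host.domain", "203.0.113.5"), ("scanner.example", "198.51.100.9"),
                ("localhost", "127.0.0.1")]:
        print(who[0], "->", hosts_access("sshd", who))
    print("admin locked out?", would_lock_out("sshd", ("laptop.home", "192.0.2.7")))
```

Running it shows the property the thread relies on: the two hosts.allow entries are the only things standing between a deny-by-default hosts.deny and a lost session, so `would_lock_out` is worth running against your own source address before the deny rule is installed. It also shows why the `EXCEPT 127.0.0.1` clause matters: without it the spawn/DENY rule would match loopback connections too, since the options field, not the file, carries the verdict.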
