From: Dave Strydom
To: gentoo-security@lists.gentoo.org
Date: Tue, 4 Oct 2005 16:49:24 +0200
Subject: Re: [gentoo-security] [OT?] automatically firewalling off IPs
In-Reply-To: <4342958A.5040203@randomvoids.com>

Which brings me back to my original idea, of only allowing your IPs to connect to SSH on your servers, and just dropping everything else, problem solved.

On 10/4/05, Kyle Lutze <kyle@randomvoids.com> wrote:
> Dave Strydom wrote:
> > You know what would be seriously awesome is if they had a type of RBL
> > listing for this kind of thing, and you could just link your iptables up to
> > the RBL listings.
> >
> > (for those of you who don't know how RBLs work)
> >
> > Example, I see this in my auth.log:
> > -------------------------------------------
> > Sep 28 03:20:42 cerberus sshd[20136]: Address 209.50.253.203 maps to srv.warofthering.net, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
> > Sep 28 03:20:43 cerberus sshd[20171]: Invalid user cchen from 209.50.253.203
> > Sep 28 03:20:43 cerberus sshd[20141]: Address 209.50.253.203 maps to srv.warofthering.net, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
> > Sep 28 03:20:43 cerberus sshd[20176]: Invalid user admin from 209.50.253.203
> > Sep 28 03:20:44 cerberus sshd[20181]: Invalid user admin from 209.50.253.203
> > Sep 28 03:20:44 cerberus sshd[20186]: Invalid user admin from 209.50.253.203
> > -------------------------------------------
> >
> > I could then submit the IP address to an RBL listing site, and then all
> > people who plug in to the RBL listing could update their firewalls with the
> > latest listing.
> >
> > Just an idea, I don't know how hard it would be to do?
> >
> > Dave
>
> That will never happen. The reasons have been stated plenty of times over, but
> I'll state them again:
>
> * Many of those addresses are from dynamic IPs
>
> * Some may be using fake IPs that you log in from, it would suck to have
>   you banned from your own server
>
> * if anybody can submit to an RBL you would have the whole world added to
>   that RBL in no time because somebody will get the bright idea to do so.
>
> In short, bad idea.
>
> Kyle
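Added example, not code from either poster or from Gentoo: a small Python script that turns the two ideas in this thread into something concrete. It parses the "Invalid user ... from ..." and "POSSIBLE BREAKIN ATTEMPT" lines that sshd writes to auth.log (the same shapes quoted above), counts suspicious events per source address, and renders iptables DROP rules for sources over a threshold. It also renders the rule set Dave proposes (accept SSH only from your own addresses, drop the rest), and it never emits a DROP for an address on that allowlist, which is the self-lockout problem Kyle raises. The log text, the 192.0.2.0/24 and 203.0.113.0/24 addresses, the threshold and the function names are all constructed for this example; nothing is executed, the rules are only printed.

```python
"""Count suspicious sshd events per source in auth.log and render iptables rules.

Constructed example for the gentoo-security thread on automatic firewalling.
Rules are rendered as strings and printed; this script never calls iptables.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample log, modelled on the auth.log excerpt quoted in the thread.
# 192.0.2.0/24 and 203.0.113.0/24 are documentation ranges, used as fake sources.
SAMPLE_LOG = """\
Sep 28 03:20:42 cerberus sshd[20136]: Address 209.50.253.203 maps to srv.warofthering.net, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
Sep 28 03:20:43 cerberus sshd[20171]: Invalid user cchen from 209.50.253.203
Sep 28 03:20:43 cerberus sshd[20176]: Invalid user admin from 209.50.253.203
Sep 28 03:20:44 cerberus sshd[20181]: Invalid user admin from 209.50.253.203
Sep 28 03:20:44 cerberus sshd[20186]: Invalid user admin from 209.50.253.203
Sep 28 03:21:10 cerberus sshd[20190]: Invalid user test from 192.0.2.7
Sep 28 03:21:30 cerberus sshd[20195]: Invalid user test from 192.0.2.7
Sep 28 03:21:31 cerberus sshd[20196]: Invalid user test from 192.0.2.7
Sep 28 03:22:00 cerberus sshd[20200]: Invalid user guest from 203.0.113.9
"""

# The two sshd message shapes shown in the thread; both capture the source as <ip>.
INVALID_USER = re.compile(r"sshd\[\d+\]: Invalid user \S+ from (?P<ip>\S+)")
REVERSE_MISMATCH = re.compile(
    r"sshd\[\d+\]: Address (?P<ip>\S+) maps to .* does not map back")


def failed_sources(log_text):
    """Return a Counter mapping source IP -> number of suspicious sshd events."""
    counts = Counter()
    for line in log_text.splitlines():
        m = INVALID_USER.search(line) or REVERSE_MISMATCH.search(line)
        if not m:
            continue
        ip = m.group("ip")
        try:
            ip_address(ip)           # skip anything that is not a literal address
        except ValueError:
            continue
        counts[ip] += 1
    return counts


def is_allowlisted(ip, allowlist):
    """True if ip falls inside any network (or single address) in allowlist."""
    addr = ip_address(ip)
    return any(addr in ip_network(net, strict=False) for net in allowlist)


def block_candidates(counts, threshold, allowlist):
    """Sources with at least `threshold` events that are NOT on the allowlist.

    The allowlist check is what keeps you from banning yourself after a few
    typos from your own workstation.
    """
    return sorted(ip for ip, n in counts.items()
                  if n >= threshold and not is_allowlisted(ip, allowlist))


def iptables_rules(ips):
    """Render one DROP rule on the SSH port per source address (not executed)."""
    return [f"iptables -A INPUT -p tcp --dport 22 -s {ip} -j DROP" for ip in ips]


def allowlist_only_rules(allowlist):
    """Render Dave's proposal: accept SSH only from your own addresses, drop the rest."""
    rules = [f"iptables -A INPUT -p tcp --dport 22 -s {net} -j ACCEPT" for net in allowlist]
    rules.append("iptables -A INPUT -p tcp --dport 22 -j DROP")
    return rules


if __name__ == "__main__":
    my_addresses = ["192.0.2.0/24"]          # constructed: the operator's own network
    counts = failed_sources(SAMPLE_LOG)
    print("# sources seen:", dict(counts))
    print("# reactive blocks (threshold 3, allowlist honoured):")
    for rule in iptables_rules(block_candidates(counts, 3, my_addresses)):
        print(rule)
    print("# static allowlist-only policy:")
    for rule in allowlist_only_rules(my_addresses):
        print(rule)
```

With the sample above, 209.50.253.203 accumulates five events (one reverse-DNS mismatch plus four invalid users) and 192.0.2.7 three, but only the former is rendered as a DROP because 192.0.2.7 sits inside the operator's allowlist. Note that the allowlist-only policy is the one that does not depend on trusting anyone else's submissions, which is the point Dave returns to at the top of the message.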
-- 
gentoo-security@gentoo.org mailing list