From: Dave Strydom <strydom.dave@gmail.com>
To: gentoo-security@lists.gentoo.org
Date: Tue, 4 Oct 2005 16:49:24 +0200
Subject: Re: [gentoo-security] [OT?] automatically firewalling off IPs
Message-ID: <fc38b710510040749m2422cee3pde0f921f942f1e67@mail.gmail.com>
In-Reply-To: <4342958A.5040203@randomvoids.com>
References: <43404CB8.3@lunatic.net.nz> <4341BE2A.5080600@lunatic.net.nz> <200510040815.41603.smurphy@solsys.org> <fc38b710510040155rcf44495g935f64dbd99c3557@mail.gmail.com> <4342958A.5040203@randomvoids.com>

Which brings me back to my original idea, of only allowing your IPs to
connect to SSH on your servers, and just drop everything else, problem
solved.

On 10/4/05, Kyle Lutze <kyle@randomvoids.com> wrote:
>
> Dave Strydom wrote:
> > You know what would be seriously awesome, is if they have a type of RBL
> > listing for this kind of thing, and you could just link your iptables up to
> > the RBL listings.
> >
> > (for those of you who don't know how RBLs work)
> >
> > Example, I see this in my auth.log:
> > -------------------------------------------
> > Sep 28 03:20:42 cerberus sshd[20136]: Address 209.50.253.203 maps to
> > srv.warofthering.net, but this does not map back to the address - POSSIBLE
> > BREAKIN ATTEMPT!
> > Sep 28 03:20:43 cerberus sshd[20171]: Invalid user cchen from 209.50.253.203
> > Sep 28 03:20:43 cerberus sshd[20141]: Address 209.50.253.203 maps to
> > srv.warofthering.net, but this does not map back to the address - POSSIBLE
> > BREAKIN ATTEMPT!
> > Sep 28 03:20:43 cerberus sshd[20176]: Invalid user admin from 209.50.253.203
> > Sep 28 03:20:44 cerberus sshd[20181]: Invalid user admin from 209.50.253.203
> > Sep 28 03:20:44 cerberus sshd[20186]: Invalid user admin from 209.50.253.203
> > -------------------------------------------
> >
> > I could then submit the IP address to an RBL listing site, and then all
> > people who plug in to the RBL listing could update their firewalls with the
> > latest listing.
> >
> > Just an idea, I don't know how hard it would be to do?
> >
> > Dave
>
> That will never happen. The reasons have been stated plenty of times over, but
> I'll state them again:
>
> * Many of those addresses are from dynamic IPs
>
> * Some may be using fake IPs that you log in from, it would suck to have
> you banned from your own server
>
> * If anybody can submit to an RBL you would have the whole world added to
> that RBL in no time because somebody will get the bright idea to do so.
>
> In short, bad idea.
>
> Kyle
>
-- 
gentoo-security@gentoo.org mailing list
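As an added illustration that is not part of the thread (my own example, not code from Dave, Kyle or the Gentoo project), the script below does the two things the exchange describes: it parses the kind of sshd "Invalid user" lines Dave quoted from auth.log and renders iptables DROP rules for sources that cross a threshold, while an allowlist of your own networks guarantees those addresses are never turned into a rule, which is the "banned from your own server" failure Kyle raises. It also renders Dave's original idea, an allowlist-only SSH policy. The sample log is constructed (the first five lines mirror the quoted excerpt, the last three use a private address as a stand-in for "your own" IP); the threshold, the allowlist network and the function names are my assumptions, and the rules are printed, not applied.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log: the first five lines mirror the auth.log excerpt
# quoted in the thread, the last three are made-up attempts from a private
# address standing in for an administrator's own network.
SAMPLE_AUTH_LOG = """\
Sep 28 03:20:42 cerberus sshd[20136]: Address 209.50.253.203 maps to srv.warofthering.net, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
Sep 28 03:20:43 cerberus sshd[20171]: Invalid user cchen from 209.50.253.203
Sep 28 03:20:43 cerberus sshd[20176]: Invalid user admin from 209.50.253.203
Sep 28 03:20:44 cerberus sshd[20181]: Invalid user admin from 209.50.253.203
Sep 28 03:20:44 cerberus sshd[20186]: Invalid user admin from 209.50.253.203
Sep 28 03:21:10 cerberus sshd[20190]: Invalid user test from 192.168.1.20
Sep 28 03:21:11 cerberus sshd[20191]: Invalid user test from 192.168.1.20
Sep 28 03:21:12 cerberus sshd[20192]: Invalid user test from 192.168.1.20
"""

# Matches only the "Invalid user <name> from <ipv4>" form; the reverse-DNS
# "maps to ... does not map back" lines are noise for this purpose.
INVALID_USER_RE = re.compile(
    r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)


def count_invalid_users(log_text):
    """Return a Counter of 'Invalid user' attempts keyed by source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = INVALID_USER_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def select_candidates(counts, threshold, allowlist):
    """IPs with at least `threshold` attempts that lie outside every allowlisted
    network. The allowlist is the safeguard against locking yourself out:
    addresses you administer from are never turned into DROP rules."""
    nets = [ipaddress.ip_network(n, strict=False) for n in allowlist]
    chosen = []
    for ip, n in counts.items():
        if n < threshold:
            continue
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in nets):
            continue
        chosen.append(ip)
    return sorted(chosen)


def drop_rules(ips):
    """Render (not apply) an iptables rule dropping SSH from each offender."""
    return ["iptables -I INPUT -s %s -p tcp --dport 22 -j DROP" % ip for ip in ips]


def allowlist_only_rules(allowlist):
    """Dave's original idea: accept SSH only from your own networks, drop the rest.
    Rule order matters: the ACCEPTs must precede the catch-all DROP."""
    rules = ["iptables -A INPUT -p tcp --dport 22 -s %s -j ACCEPT" % n for n in allowlist]
    rules.append("iptables -A INPUT -p tcp --dport 22 -j DROP")
    return rules


if __name__ == "__main__":
    # Hypothetical admin network; 192.168.1.0/24 is a constructed value.
    admin_nets = ["192.168.1.0/24"]
    counts = count_invalid_users(SAMPLE_AUTH_LOG)
    offenders = select_candidates(counts, threshold=3, allowlist=admin_nets)
    print("\n".join(drop_rules(offenders)))          # only 209.50.253.203 is listed
    print("\n".join(allowlist_only_rules(admin_nets)))
```

With the constructed log, 192.168.1.20 has three failed attempts but is inside the allowlisted network, so only 209.50.253.203 becomes a DROP rule; without an allowlist it would be banned too, which is exactly the self-lockout Kyle describes. The threshold and time window are deliberately simple; a production filter would also expire entries, since many of the offending addresses are dynamic and will be reassigned.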