[Cialug] RE: Port blocking - and unwanted intruders.

Korver, Aaron cialug@cialug.org
Mon, 6 Dec 2004 11:04:17 -0600


You make it sound so easy...

> -----Original Message-----
> From: Dwight Hubbard [mailto:dwight@dwightandamy.com]
> Sent: Monday, December 06, 2004 11:04 AM
> To: cialug@cialug.org
> Cc: alietzow@myfamily.com
> Subject: Re: [Cialug] RE: Port blocking - and unwanted intruders.
> 
> 
> First I would either install a firewall rule blocking the netblock for
> that Chinese university or at least put in a reject route for that
> network block (unless your server normally serves people from China).
> 
> If at all possible I would set up the tcpwrappers to deny ssh access by
> default and put the address ranges you connect from in the hosts.allow
> file.  That way you exclude nearly all the miscreants from having the
> opportunity to guess at your accounts.
> 
> The best solution I've found for this kind of thing is to set up
> portsentry to install blocking firewall rules on multiple attempts to
> connect to unused ports from an IP address.  This stops most users doing
> network probes from single machines.
> 
> I also set up tcpwrappers to run a script that installs a firewall
> blocking rule for attempts to access running services from IP addresses
> other than those authorized.  That way people from unauthorized addresses
> who try to access services like SSH will not only be unable to get into
> SSH but they will no longer be able to see your box at all from their IP
> address.  Of course this can be a PITA if you happen to travel and want to
> connect to your server using the hotel's high-speed internet access...
> 
> Finally, I would make it a point to run something like chkrootkit on your
> box regularly.  You never know when someone will invent some new and
> creative way to hack your box and give it to all the script kiddies in the
> world.

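The deny-by-default tcpwrappers setup with a block-on-denied-access script, as described in the quoted message, shown here as an added example that is not part of the original post or either author's configuration. The script name and path, the addresses (documentation ranges) and the NEVER_BLOCK exemption list are assumptions; the exemption list addresses the lock-out case the message mentions, and the address check keeps anything other than a dotted quad out of the firewall command.

```shell
#!/bin/sh
# block-ip.sh (hypothetical name), run by tcpwrappers with the client address.
# Constructed wiring, using the spawn option and %a from hosts_options(5):
#   /etc/hosts.allow:  sshd: 192.0.2.0/255.255.255.0
#   /etc/hosts.deny:   sshd: ALL : spawn (/usr/local/sbin/block-ip.sh %a) &

# Ranges that must never be blocked (constructed; list your own networks).
NEVER_BLOCK="192.0.2.0/24 198.51.100.7/32"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the rule only, 0 = install it

# Print $1 as a 32-bit integer; fail unless it is a strict dotted quad.
ip_to_int() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in 0?*|????*) return 1 ;; esac   # no leading zeros, max 3 digits
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeed if address $1 lies inside CIDR range $2.
in_cidr() {
    a=$(ip_to_int "$1") && n=$(ip_to_int "${2%/*}") || return 1
    mask=$(( (4294967295 << (32 - ${2#*/})) & 4294967295 ))
    [ $(( a & mask )) -eq $(( n & mask )) ]
}

# Print the firewall command for a non-exempt client; install it if DRY_RUN=0.
block_client() {
    ip_to_int "$1" >/dev/null || { echo "rejected: not an IPv4 address"; return 2; }
    for range in $NEVER_BLOCK; do
        if in_cidr "$1" "$range"; then
            echo "skipped: $1 is in $range"; return 0
        fi
    done
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables -I INPUT -s $1 -j DROP"
    else
        # -C tests for an existing rule so repeat offenders do not add duplicates.
        iptables -C INPUT -s "$1" -j DROP 2>/dev/null ||
            iptables -I INPUT -s "$1" -j DROP
    fi
}

if [ $# -gt 0 ]; then block_client "$1"; fi
```

With DRY_RUN left at 1 the script only prints the rule it would install, which makes it safe to exercise from a shell before wiring it into hosts.deny.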