Domain: aczoom.com
Stories and comments across the archive that link to aczoom.com.
Comments · 10
-
Re:Low Hanging Fruit
I use http://www.aczoom.com/blockhosts.
I do not run anything on a high port, because to me that is security through obscurity.
It won't prevent a dedicated hacker so you might as well not do it? What?
Using a high port is one more thing you can do. To me, using it to filter out 90% of scanners is worth it even though it will still let through the 10% of people scanning high ports. You still need something more effective in place, of course, but there's no harm in adding another defensive layer.Want a car analogy? Leaving your window rolled up is another measure you can take to prevent your car from being stolen. Will it prevent a highly motivated individual? No, they can still break your window. But the other people who are looking for easy targets will probably move on to the next car.
-
Re:Low Hanging Fruit
I use http://www.aczoom.com/blockhosts.
Just remember: never rely on only one line of defense.I do not run anything on a high port, because to me that is security through obscurity. Blockhosts I also only use to keep the noise down.
As it looks now, I might just start white listing IPs and turn that off when I am traveling or look at knockd. Again this is security through obscurity.
-
I use BlockHosts
http://www.aczoom.com/cms/blockhosts/
The advantage is that it does things live. So no log scanning (well, it does the first time, just to see what it can add) and therefore even if several hundred scans are done from the same IP at the same time, you do not need to wait a minute for some cron job to start and read all the adresses again.As it works with hosts.allow (or deny) you can determine IP addresses that will never fail, so you have always access. You can also determine the amount of times users can try as well as how long you want to block the IP address.
-
Re:overly paranoid
Even at 1 connections a second, in an entire year, an attacker could only guess 525,960 combinations. 10 connections a second?(REALLY fast...) 5.2M/year.
To lower that to even less, I use http://www.aczoom.com/cms/blockhosts
Easy to install and I block an IP for 24 hours after 3 tries. So that would become an extremely slow attempt. You can obviously change those rates.
-
Distributions must use blockers as a standard.
Obviously ssh should be off by default. Many people use a different port for ssh, as long as you understand that that is security trough obscurity, that is fine. It is not a real option if your system is a multi user system. Imagine if each webserver on the internet ran on a random port. Not very nice.
So then you must ask yourself if everybody in the whole world is allowed to run ssh to you or just a few.
You can already use your hosts.allow to block many and allow other IP adresses.
Then you can ask yourself if each user is allowed to connect by ssh or not and use AllowGroups or DenyGroups to give access. (or AllowUsers and DenyUsers)I can not put my ssh on a different port, as I am sometimes in places where only that port will work. I have ssh also running on port 80 and 443, as sometimes only those work. Next to that I use blockhosts which blocks IPs after 3 attempts and is very easy to use as described here.
So with all this, I have the following possible restrictions and they can be all used or none or in any combination.
1) Access on a different port.
2) Access only from certain IP adresses or ranges
3) Allow access only for certain users
4) Block the IP after a certain amount of failed attempts
2) -
Re:Solution: Public Key Auth
I use BlockHosts and even though I still get hit, the amount of tries is 4-5 and the IP address will be blocked for 12 hours.
Very seldom I see them hit me a second time.
The advantage is that it is live and although initially looks in the log files it does not depend on them.Entry currently in my hosts.allow, which is after some IP addresses I specifically always allow.
#---- BlockHosts Additions
ALL: 216.146.46.29 : deny
ALL: 65.111.164.53 : deny
ALL: 77.48.41.174 : deny#bh: ip: 122.166.17.253 : 1 : 2008-12-22 09:48:44 CET
#bh: ip: 216.146.46.29 : 5 : 2008-12-22 09:43:41 CET
#bh: ip: 65.111.164.53 : 4 : 2008-12-22 02:02:53 CET
#bh: ip: 77.48.41.174 : 5 : 2008-12-22 02:02:49 CET#bh: logfile:
/var/log/messages
#bh: offset: 5717251
#bh: first line:Dec 20 19:15:07 pasta syslog-ng[2148]: new configuration initialized#---- BlockHosts Additions
sshd : ALL: spawn /usr/bin/blockhosts.py & : allow -
Re:FreeBSD 6 + pf
There are various programs/scripts that deal with ssh scanning, but that's a really nice angle to it. I've been using DenyHosts on my production servers (it's in ports, I'm running 6.0-RELEASE on sparc and x86) and it's been working a treat. To name a few other ways to handle it, there's fwscan.sh, DenyHosts, fail2ban, blockhosts, bruteforceblocker (uses pf) and i'm sure i'm missing a bunch of others.
-
Re:Highly annoying
I use Python script called BlockHosts to block hosts that fail more than a given number of times in a row. These types of attacks get quite annoying so it's nice to know they're getting blocked after a few tries.
-
BlockHosts
I installed this on my server, seems to work well. Basically it keeps track of ssh attempts and after a preconfigure number of failures within a certain period of time, it bans the hosts. Hooks into tcpwrappers using hosts.allow.
-
Re:It won't be a Mac mini lookalike...
Here, check out this script:
http://www.aczoom.com/cms/blockhosts
It's a python script that will put the person into the blocked category of hosts.allow after X number of failed attempts. I've installed it recently and it's done wonders.