Tim Judd wrote:

I've been meaning to check this out.  My firewall ssh rules are very
strict, in fact, if the remote IP is "unknown" meaning, I don't know
where the heck it's coming from, it's blocked.  It's easier to say it
this way:  I allow ssh connections from IPs I know, preferably static
IPs.

Given that there is more than one general blacklist out there that
list unwanted behavior, and that we have ports that make use of these
lists, I wonder if we can use a list (in this case, for spam)
effective for blocking ssh connections.  This means:
  install spamd
  set up pf (requirement for spamd, it is built by OpenBSD after all)
  in the pf rules, block *ANYTHING* coming from the blacklisted IPs


I don't know how effective it is, but since the spamd blacklist IPs
are hosted on what seems to be only one server/server farm, I am also
looking for any way I can provide a mirror (even if it's slightly
outdated) of this data.

Sure you can do this -- you don't even need to install spamd(8) to do
it. If all you're going to do is use the uatraps and nixspam lists to
block all traffic to your server, then you can just create a table in
pf, and load the list of addresses from those lists into it.  You may
need some very small shell scripts to strip out anything other than IP
numbers from the lists (if you use the original sources for the Nixspam
stuff from heise.de), and then print out the list of addresses into a file, one per line.

You can load that file into a PF table very easily:

   table <blacklisted> persist file "/var/db/blacklisted.txt"

and use it to block any traffic:

   block log in quick on $ext_if from <blacklisted> to any

Then whenever you update your blacklisted.txt file, just run:

   # pfctl -t blacklisted -T replace -f /var/db/blacklisted.txt

As you say, the places where you can download those lists are few and
far between, plus they're not particularly comprehensive.  There are
bigger and better spam blocklists out there, but those are generally
served as DNS RBLs which aren't feasible for hooking into PF configs.

        Cheers,

        Matthew

--
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                 Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                 Kent, CT11 9PW
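The "very small shell scripts" Matthew mentions, written out as an added example (not code from either poster): it strips a raw blocklist dump down to one IPv4 address or CIDR range per line, drops anything malformed, and wraps the pfctl reload from the reply. The input format of the sample, the table name `blacklisted` and the path /var/db/blacklisted.txt are assumptions; the sample list is constructed, not real data.

```shell
#!/bin/sh
# Added example, not from the original thread. Normalise a downloaded
# blocklist into the one-address-per-line file a pf table expects.

# extract_ips: read raw list text on stdin; print only IPv4 addresses or
# CIDR ranges, one per line, de-duplicated. Comments ('#'), separators,
# IPv6 entries, bad octets (>255) and bad prefix lengths (>32) are dropped.
extract_ips() {
    awk '
    {
        sub(/#.*/, "")                    # drop trailing comments
        gsub(/[,;]/, " ")                 # treat , and ; as whitespace
        for (i = 1; i <= NF; i++) {
            if ($i !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/) continue
            n = split($i, p, "[./]")      # four octets, optional prefix length
            ok = 1
            for (j = 1; j <= 4; j++) if (p[j] + 0 > 255) ok = 0
            if (n == 5 && p[5] + 0 > 32) ok = 0
            if (ok && !seen[$i]++) print $i
        }
    }'
}

# build_blacklist SRC DST: clean SRC into DST (written via a temp file so pf
# never reads a half-written list); prints the number of entries written.
build_blacklist() {
    src="$1"; dst="$2"
    extract_ips < "$src" > "$dst.tmp" && mv "$dst.tmp" "$dst"
    wc -l < "$dst" | tr -d ' '
}

# reload_table FILE: replace the <blacklisted> table contents, exactly the
# pfctl command from the reply. Needs root and pf; silently a no-op where
# pfctl does not exist (e.g. when exercising the parser on another box).
reload_table() {
    command -v pfctl >/dev/null 2>&1 || return 0
    pfctl -t blacklisted -T replace -f "$1"
}

# Constructed sample of a raw list dump (documentation ranges only).
SAMPLE_LIST='# constructed sample blocklist
192.0.2.10
192.0.2.11   # repeated entry below
192.0.2.11
198.51.100.0/24 ; whole range
203.0.113.256          # invalid octet, must be dropped
2001:db8::1            # IPv6, not handled here
10.0.0.1/33            # bad prefix length
garbage text
'

# Demonstration on the constructed sample; for real use point build_blacklist
# at the downloaded dump and /var/db/blacklisted.txt, then call reload_table.
demo_src=$(mktemp); demo_dst=$(mktemp)
printf '%s' "$SAMPLE_LIST" > "$demo_src"
echo "entries written: $(build_blacklist "$demo_src" "$demo_dst")"
cat "$demo_dst"
rm -f "$demo_src" "$demo_dst"
```

The octet and prefix checks matter because pfctl rejects a whole file on a single malformed line, so one stray entry in an upstream dump would otherwise leave the table stale.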
