Lars Noodén wrote:
I suppose another option is to use pf to filter out all incoming traffic
to the servers originating from Windows computers maybe except to
relevant services like http port or https. If we could see a blanket
ban on connecting Windows machines to the net, things would improve
On 2008/01/11 12:18, Claer wrote:
> Sorry for not being that clear. I was talking about auto mailing whois
> address block abuse contacts.
maybe you could get it to auto-mail *you* with the details to make
it easier to send that onwards, but don't auto-mail whois contacts.
you're asking people to
On 2008/01/11 11:07, Jason McIntyre wrote:
> On Fri, Jan 11, 2008 at 10:51:41AM +, Stuart Henderson wrote:
> > On 2008/01/11 12:33, Lars Noodin wrote:
> > >
> > > I suppose another option is to use pf to filter out all incoming traffic
> > > to the servers originating from Windows computers
>
On Fri, Jan 11, 2008 at 11:07:49AM +0001, Jason McIntyre wrote:
| > an inclusive match is usually better e.g.
| > pass proto tcp from any os "OpenBSD" to port ssh
|
| that could be less useful if you have ipv6 connections in, no? since
| pf.os(5) claims only to be able to fingerprint hosts "that o
Niskanen <[EMAIL PROTECTED]>
To: misc@openbsd.org
Subject: Re: : SSH Brute Force Attacks Abound - and thanks!
Date: Fri, 11 Jan 2008 11:12:00 +0100
Mailer: Mutt/1.5.9i
Delivered-To: [EMAIL PROTECTED]
On Fri, Jan 11, 2008 at 09:28:57AM +, Khalid Schofield wrote:
> put this in pf.conf
>
Peter N. M. Hansteen wrote:
> Claer <[EMAIL PROTECTED]> writes:
>
>> I always hesitate to use this trick. Could you please develop more the
>> implications of this method? Is it still effective?
>
> Yes, it's still effective. You need to put in whatever values you
> feel are appropriate for your
On Fri, Jan 11 2008 at 47:11, Peter N. M. Hansteen wrote:
> Claer <[EMAIL PROTECTED]> writes:
>
> > I always hesitate to use this trick. Could you please develop more the
> > implications of this method? Is it still effective?
> Yes, it's still effective. You need to put in whatever values you
>
On Fri, Jan 11, 2008 at 10:51:41AM +, Stuart Henderson wrote:
> On 2008/01/11 12:33, Lars Noodin wrote:
> >
> > I suppose another option is to use pf to filter out all incoming traffic
> > to the servers originating from Windows computers
>
> you can take a look for yourself with tcpdump -O,
http://home.nuug.no/~peter/pf/en/long-firewall.html#BRUTEFORCE
Best
Martin
On 2008/01/11 12:33, Lars Noodin wrote:
>
> I suppose another option is to use pf to filter out all incoming traffic
> to the servers originating from Windows computers
you can take a look for yourself with tcpdump -O, but I think you'll
find the ssh scans are more likely to be from some variety
Claer <[EMAIL PROTECTED]> writes:
> I always hesitate to use this trick. Could you please develop more the
> implications of this method? Is it still effective?
Yes, it's still effective. You need to put in whatever values you
feel are appropriate for your network and users. In Lars' example,
Claer wrote:
> On Fri, Jan 11 2008 at 24:11, Lars Noodén wrote:
...
>> Regarding the logs, one thing that worked in the past was giving the
>> netblock owner a hard time. It's their responsibility. It's not too
>> hard to make up a shellscript (or use another scripting language) which
>> automate
On Fri, Jan 11, 2008 at 09:28:57AM +, Khalid Schofield wrote:
> put this in pf.conf
>
Isn't this missing from the recipe?
block quick from
> pass in on $ext_if proto tcp from any to ($ext_if) port ssh \
> flags S/SA keep state \
> (max-src-conn-rate 3/30, overload flush
On Fri, Jan 11 2008 at 24:11, Lars Noodén wrote:
> Kennith Mann III wrote:
> > ...
> > While moving the SSH port doesn't help much against anyone running an
> > nmap scan, it stops blind port 22 scans that run generic password
> > hacks and filling your logs with crap,
>
> Overloads help a bit:
>
put this in pf.conf
pass in on $ext_if proto tcp from any to ($ext_if) port ssh \
flags S/SA keep state \
(max-src-conn-rate 3/30, overload flush
global)
:)
enjoy
On 10 Jan 2008, at 21:53, Ken wrote:
A practical example, real life, last night.
I was replacing my hard d
damn you, seconds ahead of my reply with the same info :)
On 11 Jan 2008, at 09:24, Lars Noodin wrote:
Kennith Mann III wrote:
...
While moving the SSH port doesn't help much against anyone running an
nmap scan, it stops blind port 22 scans that run generic password
hacks and filling your logs
Kennith Mann III wrote:
> ...
> While moving the SSH port doesn't help much against anyone running an
> nmap scan, it stops blind port 22 scans that run generic password
> hacks and filling your logs with crap,
Overloads help a bit:
pass in on $ext_if proto tcp to ($ext_if) port ssh
On 1/10/08, Ken <[EMAIL PROTECTED]> wrote:
> I never see anything like that, since my pf rules only allow me to ssh back
> to home from my work IP range.
>
> In the space of about 15 minutes before I enabled pf all of the following
> users were tried, probably
> by an automated script:
It appe
Wow, I read your email and checked my authlog and was
astounded by the number of hack attempts. Thankfully, I
configured my OpenBSD firewall with recommended access
controls. Thanks to all the dedicated OpenBSD
developers and community! Support the project and
encourage the purchase of more OpenBSD