Security Basics mailing list archives

Re: what to do?


From: Leif Ericksen <leife () dls net>
Date: Wed, 31 Aug 2005 15:23:36 -0500

YIKES. 
..."If you feel that these attacks are a serious threat then I 
would recommend doing the reverse and only allowing certain IP addresses 
through your firewall to sshd."

That is what I would do in the first place.  On my home network I have a
default rule that blocks all IPs by default.  However, I have one port
80 set up for everybody.  I love the MS directed attacks on my Linux
server so much that I created some of the directories to mess with the
kiddies. 

Now, as for ssh, I only allow a specific set of defined IPs through the
firewall for that service.


IMHO the best rule is first to block everything and only turn on known IPs,
unless it is for a service that should be allow-all... (web and email
for an Internet-facing server)

--
Leif Ericksen

On Fri, 2005-08-26 at 20:57 -0400, Bow Sineath wrote:
<SNIP>

I typically watch for the attacks and use ipfw or tcp wrappers to deny 
connections from IP blocks that show up in my logs. In your case I would 
deny connections from 80.68.0.0/16, however that will deny anyone from the 
80.68.0.0 subnet. If you feel that these attacks are a serious threat then I 
would recommend doing the reverse and only allowing certain IP addresses 
through your firewall to sshd.
</SNIP>
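
The policy described in this message (block everything inbound by default, port 80 open to everybody, sshd reachable only from listed addresses), as an added example that is not part of either post: a shell function that emits an iptables-restore ruleset. iptables, sshd on tcp/22, the function names and the RFC 5737 sample addresses are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the thread): build an iptables-restore ruleset with
# default-deny inbound, port 80 for everyone, and sshd only for listed sources.
# Assumed: iptables, sshd on tcp/22; function names are hypothetical.

# Succeed only if $1 is a dotted-quad IPv4 address, optionally with /0-32.
valid_ipv4() {
    addr=${1%/*}
    if [ "$addr" != "$1" ]; then
        prefix=${1#*/}
        case $prefix in ''|*[!0-9]*) return 1 ;; esac
        [ "$prefix" -le 32 ] || return 1
    fi
    case $addr in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $addr            # split into octets; addr holds only digits and dots
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print the ruleset for the ssh sources given as arguments. Every source is
# validated before anything is printed, so a typo yields no ruleset at all
# rather than a partial one.
gen_ruleset() {
    [ $# -gt 0 ] || { echo "no ssh sources given" >&2; return 1; }
    for src in "$@"; do
        valid_ipv4 "$src" || { echo "bad source: $src" >&2; return 1; }
    done
    echo '*filter'
    echo ':INPUT DROP [0:0]'        # default policy: block everything inbound
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -p tcp --dport 80 -j ACCEPT'   # web: open to everybody
    for src in "$@"; do
        echo "-A INPUT -p tcp -s $src --dport 22 -j ACCEPT"
    done
    echo 'COMMIT'
}

# Constructed sample sources from the RFC 5737 documentation ranges.
gen_ruleset 192.0.2.10 198.51.100.0/24
```

Review the output before piping it to `iptables-restore`, and load it from a console session so a mistake in the allowlist cannot cut off your only ssh path.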

