Blacklisting (and blocking) remote sites - blt.tar.gz (0/1)
Matthew Dillon
dillon at apollo.backplane.com
Thu Dec 27 15:33:19 PST 2007
:Hi all,
:
:you probably also get your logfiles flooded with lines reporting
:failed login attempts via ftp or ssh from remote sites.
:...
:
:So here's my homebrewed blacklisting toolset, consisting of just two
:simple shell scripts and a master configuration file.
:
:Enjoy the show
:
:--Joerg
Cool stuff... I like the variable names you chose.
There are two issues that I see. The first is that the hosts.allow
file can potentially become huge... thousands or tens of thousands
of entries (or more) if you are attacked, and that could be used as a
denial of service attack against regular operations. Every connect()
to your box will search the file.
The second is that I'm not sure it is safe to insert the strings
you are grepping out of the BLACKLIST file (thrown into your
PISSNELKE variable) directly into the hosts.allow file like that.
You need to sanitize the contents of PISSNELKE before you can embed
it or you will be vulnerable to reverse DNS insertion attacks. For
example, what would happen if $PISSNELKE contained a ':' ? Or a
wildcard?
I'd like to see those connections denied too but the next best thing
is to not use passwords at all.... use ssh only for all machine access,
like we do on leaf.dragonflybsd.org (and every other machine I manage,
including my personal boxes).
-Matt
Matthew Dillon
<dillon at backplane.com>
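As an added illustration of the sanitizing point raised above (this is example code, not Joerg's script or anything posted in the thread), a POSIX sh filter that only lets a strict dotted-quad IPv4 address through before it becomes a hosts.allow deny line, so a ':' or a wildcard in an entry can never add a field. The function names and the sample blacklist are assumptions made for the example.

```shell
#!/bin/sh
# Accept only a plain dotted-quad IPv4 address (four octets, 0-255, no
# leading zeros).  Hostnames, ':' field separators, wildcards, spaces and
# shell metacharacters are all rejected, so an entry can never add a field
# or change the meaning of the hosts.allow line it ends up in.
is_safe_ipv4() {
    entry=$1
    case "$entry" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # non-digit, or stray dots
    esac
    old_ifs=$IFS
    IFS=.
    set -- $entry                            # split on dots into octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in                     # 0-999 without leading zeros
            0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]) ;;
            *) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Emit one hosts.allow line (daemon : client : option) for a safe entry;
# fail without printing anything for an unsafe one.
deny_line() {
    is_safe_ipv4 "$1" || return 1
    printf 'ALL : %s : deny\n' "$1"
}

# Read blacklist entries on stdin, one per line; print a deny line for each
# safe entry and report the rejected ones on stderr.
filter_blacklist() {
    while IFS= read -r line; do
        deny_line "$line" || printf 'rejected unsafe entry: %s\n' "$line" >&2
    done
}

# Constructed sample blacklist (not from the thread): the last two entries
# show how a ':' or a wildcard would otherwise smuggle extra fields in.
filter_blacklist <<'EOF'
192.0.2.10
198.51.100.7
evil.example.org : ALL
203.0.113.*
EOF
```

Restricting entries to address literals also sidesteps the reverse DNS problem, since nothing in the generated file is ever resolved.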