From: James H. <jam...@gm...> - 2016-01-26 00:48:24
Personally I whitelist the rfc1918 address space mostly because I'm paranoid and never want to be forced to find the monitor cable for my machines in the closet. Further, since I am paranoid, I also set up high-priority firewall rules to always pass the rfc1918 addresses.

When connecting from outside my local network I can have unpredictable addresses, so whitelisting those isn't possible. While I could blacklist all of China, Russia, and several other places that attacks seem to originate from, doing so would be a bit of work to find all those networks and could possibly grow my firewall tables to an unmanageable size.

I use sshguard to react to attacks in real time. Mostly I want to shut down all further access once I start to see ssh brute forcing. My main concern is that they move from ssh brute forcing to some other protocol that isn't as well protected.

I also use google authenticator (https://github.com/google/google-authenticator) to apply two-factor authentication to ssh logons when coming from an outside network.

On Mon, Jan 25, 2016 at 4:33 PM, Kevin Zheng <kev...@gm...> wrote:
> On 01/24/2016 09:40, Don Coleman wrote:
> > sshguard (as of 1.6.2) operates internally on ip addresses. It maps
> > hostnames to ip addresses only at startup time, and this is
> > fundamentally flawed, as hostname to ip addresses mappings change over
> > time.
>
> The whitelisting feature itself might be fundamentally flawed. I believe
> the original intent was to prevent self-lockouts. However, SSHGuard is
> designed to mitigate brute-force attacks, so if SSHGuard was designed
> perfectly (which it isn't) and you aren't brute-forcing yourself, then
> you shouldn't need whitelisting.
>
> If you want to prevent self-lockouts, the best thing to do is add a
> firewall rule that unconditionally allows your traffic. But if you can
> do that, why not deny all traffic except for your own?
>
> If you use blacklisting, whitelisting is potentially useful. Otherwise,
> SSHGuard will always unblock your address after a certain amount of
> time. It shouldn't be too long since you're not brute-forcing yourself.
>
> I'd like to hear more from people who use some combination of
> whitelisting and blacklisting: what do you use it for? I (personally)
> don't use either and find it difficult to justify a correct but somewhat
> complex feature as keeping hostnames updated.
>
> (I believe ntimed has a good solution for the "hostnames changing from
> underneath you" issue. It was designed for addresses that come and go,
> such as pool.ntp.org, but sounds like it could be used here.)
>
> Best,
> Kevin
>
> --
> Kevin Zheng
> kev...@gm... | ke...@kd... | PGP: 0xC22E1090

--
James Harris
Software Engineer
jam...@gm...
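As an added illustration of the two points raised in this thread (whitelisting the RFC 1918 ranges to avoid self-lockout, and the hostname-to-address mapping going stale when it is resolved only once at startup), the following is example code, not SSHGuard's own whitelist implementation or either poster's configuration; the resolver and the hostname `home.example` are constructed stand-ins so it runs offline.

```python
"""Whitelist refresh that re-resolves hostnames on every pass (illustration).

Entries may be CIDR blocks (e.g. the RFC 1918 ranges), literal addresses, or
hostnames. Resolving names on each refresh, rather than once at startup,
picks up a mapping that changed while the blocker was running.
"""
import ipaddress

# RFC 1918 private ranges, whitelisted so a LAN-side admin is never locked out.
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def resolve_whitelist(entries, resolver):
    """Return the set of networks currently covered by `entries`.

    resolver(hostname) -> list of address strings. A name that no longer
    resolves yields [] and so drops out of the whitelist instead of keeping
    a stale address trusted.
    """
    nets = set()
    for entry in entries:
        try:
            nets.add(ipaddress.ip_network(entry, strict=False))
            continue
        except ValueError:
            pass  # not a literal address or CIDR block: treat it as a hostname
        for addr in resolver(entry):
            nets.add(ipaddress.ip_network(addr))
    return nets


def is_whitelisted(addr, nets):
    """True if `addr` falls inside any whitelisted network."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def make_resolver(table):
    """Constructed stand-in for DNS: hostname -> list of addresses."""
    return lambda host: list(table.get(host, []))


if __name__ == "__main__":
    entries = RFC1918 + ["203.0.113.7", "home.example"]
    # Day 1: the remote admin's hostname points at one address.
    day1 = resolve_whitelist(entries, make_resolver({"home.example": ["198.51.100.5"]}))
    # Day 2: the name moves. A startup-only mapping would still trust the old address.
    day2 = resolve_whitelist(entries, make_resolver({"home.example": ["198.51.100.9"]}))
    print(is_whitelisted("198.51.100.5", day1), is_whitelisted("198.51.100.5", day2))
```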