nanog mailing list archives
Re: Abuse Desks
From: Stephen Satchell <list () satchell net>
Date: Wed, 29 Apr 2020 09:50:42 -0700
On 4/29/20 9:24 AM, Mukund Sivaraman wrote:
> If there's a lock on my door, and someone tries to pick it, you can call me at fault for having a lock on my door facing outside all you want. But the thief picking it has no business doing so, and will be guilty of a crime if caught.
This is a good start to an analogy. Let's build on it, courtesy of YouTube's "Lock Picking Lawyer". In a video, the host shows how to improve the security of a common easily-picked home lock: drill holes in the lock body, such that if someone picks the lock and tries to turn the keyway, the pins will fall into those carefully-placed holes and foil The Bad Guy(tm).
In the networking world, we use an Access Control List to limit access to the service. Unlike the simple modification shown in LPL's video, the "lock" is still usable by users from authorized IP addresses. Or, we require the use of certificates to validate access within the SSHD server itself.
Here's the deal: just blocking access or requiring certificate-based access is intrusion prevention. Having a log event when there are unsuccessful probes is intrusion [attempt] detection. Sure, the ne'er-do-well is kept out in the prevention cycle, but a persistent cracker lives by the axiom "if at first you don't succeed, try something else." You really want to stop an attacker from making a large number of attempts, such as with a Joe script.
I turn off root SSH access, pinhole 22/tcp to a limited number of IP addresses, and monitor failed SUDO attempts. As I build up my new firewall, I'll turn off public SSH access completely, and instead use a robust VPN implementation. (Which has its own issues.)
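The detection half of the message above (log events for failed SSH probes, monitoring failed sudo attempts) can be sketched as follows. This is an added example, not part of the original post; it assumes the usual OpenSSH and sudo syslog message layout, and the sample lines, threshold, window and year are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the usual syslog layout (not from the original post).
SAMPLE_LOG = """\
Apr 29 09:10:01 gw sshd[2101]: Failed password for root from 203.0.113.7 port 40122 ssh2
Apr 29 09:10:03 gw sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Apr 29 09:10:05 gw sshd[2104]: Failed password for invalid user test from 203.0.113.7 port 40130 ssh2
Apr 29 09:10:40 gw sshd[2110]: Failed password for alice from 198.51.100.20 port 51514 ssh2
Apr 29 09:11:02 gw sshd[2111]: Accepted publickey for alice from 198.51.100.20 port 51520 ssh2
Apr 29 09:12:30 gw sudo:    alice : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Apr 29 09:30:00 gw sshd[2200]: Failed password for root from 203.0.113.7 port 40900 ssh2
"""

SSH_FAIL = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: Failed password for "
                      r"(?:invalid user )?(\S+) from (\S+) port \d+")
SUDO_FAIL = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sudo:\s+(\S+) : "
                       r"(\d+) incorrect password attempts")

def parse_ts(stamp, year=2020):
    # Syslog timestamps carry no year; the year is an assumption supplied by the caller.
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def ssh_bursts(log, threshold=3, window=timedelta(minutes=5)):
    """Return {source_ip: most failures inside any sliding window}, for IPs at or over threshold."""
    seen = defaultdict(list)
    for line in log.splitlines():
        m = SSH_FAIL.match(line)
        if m:
            seen[m.group(3)].append(parse_ts(m.group(1)))
    flagged = {}
    for ip, times in seen.items():
        times.sort()
        start = best = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # shrink window from the left
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged

def sudo_failures(log):
    # One (user, attempts) tuple per sudo "incorrect password attempts" record.
    return [(m.group(2), int(m.group(3)))
            for m in map(SUDO_FAIL.match, log.splitlines()) if m]

if __name__ == "__main__":
    print("block candidates:", ssh_bursts(SAMPLE_LOG), "sudo:", sudo_failures(SAMPLE_LOG))
```

The flagged addresses are candidates for the kind of ACL entry the message describes; a single mistyped password from an authorized address stays below the threshold.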