[Intrusions] SSH brute forcers

Merton Campbell Crockett mcc at CATO.GD-AIS.COM
Wed Jun 1 16:19:34 GMT 2005


On Tue, 31 May 2005 DHoelzer at cyber-defense.org wrote:

> At this point I'm not entirely sure who this is directed to.
> 
> <soapbox>
> 
> This comes down to survival of the fittest:  I'm immensely more interested 
> in protecting my hosts than I am in protecting yours, especially when the 
> you in yours don't seem to care that they have been compromised.  This 
> comes back to the question that I invariably get whenever I teach an 
> intrusion detection course:  "But how can 192.168.1.1 come at you from the 
> Internet.  Don't ISPs block those addresses?"
> </soapbox>


In the medical profession, there is an edict to "do no harm".  There is no 
corresponding edict in the networking and network security fields.

Everyone has ingress security policies and filters but it seems precious 
few have corresponding egress security policies and filters.

If you are not permitting CIDR blocks listed in RFC3330 into your network, 
it would be reasonable not to permit packets from or to those CIDR blocks 
to exit from your network.  Using Cisco IOS access lists, it only takes 15 
statements to filter out RFC3330 CIDR blocks and another 24 to filter out 
CIDR blocks that have not yet been assigned by IANA.

The same rules should be applied to protocols.  If you are not permitting 
IP packets into your network because they pose a risk, a prudent approach 
would be not to allow those same packets out of your network:  a "be a 
part of the solution, not a part of the problem" philosophy.

I've used this philosophy with DoD customers for some time and with great 
success but can't seem to convince our corporate IT staff of the benefits 
of this approach. :(  They seem to be happy flailing around searching for 
compromised systems instead of using the firewall logs to identify the 
systems that may have been compromised.

Merton Campbell Crockett



-- 
BEGIN:				vcard
VERSION:			3.0
FN:				Merton Campbell Crockett
ORG:				General Dynamics Advanced Information Systems;
				Intelligence and Exploitation Systems
N:				Crockett;Merton;Campbell
EMAIL;TYPE=internet:		mcc at CATO.GD-AIS.COM
TEL;TYPE=work,voice,msg,pref:	+1(805)497-5045
TEL;TYPE=work,fax:		+1(805)497-5050
TEL;TYPE=cell,voice,msg:	+1(805)377-6762
END:				vcard
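The egress policy described above and the closing point about using firewall logs to find compromised hosts, as an added Python example that is not part of the original post or of anything the author published: it renders deny statements for a subset of the RFC 3330 special-use blocks in Cisco IOS extended-ACL syntax and then applies the same block list to constructed firewall log lines to flag packets that should never have reached the egress interface. The block list, the site prefix 203.0.113.0/24, the ACL number 101 and the "src=... dst=..." log format are assumptions. The list is deliberately shorter than RFC 3330's full table, and the not-yet-assigned IANA blocks the post mentions are left out entirely: that set has changed since 2005 (the IPv4 /8 free pool was exhausted in 2011), so it belongs in a maintained bogon feed rather than in hard-coded rules.

```python
"""Egress filtering of special-use address space, checked against firewall logs.

Added example (not from the original post). The network list, the site prefix,
the ACL number and the log format are all constructed assumptions.
"""
import ipaddress
import re

# Subset of the RFC 3330 special-use blocks (assumption: RFC 3330 lists more,
# and unallocated IANA space is not included here because it goes stale).
SPECIAL_USE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",        # "this" network
    "10.0.0.0/8",       # private (RFC 1918)
    "127.0.0.0/8",      # loopback
    "169.254.0.0/16",   # link local
    "172.16.0.0/12",    # private (RFC 1918)
    "192.0.2.0/24",     # TEST-NET
    "192.168.0.0/16",   # private (RFC 1918)
    "198.18.0.0/15",    # benchmark testing
    "224.0.0.0/4",      # multicast
    "240.0.0.0/4",      # reserved
)]

# Hypothetical public prefix of the site; every packet leaving the site should
# carry a source address from here.
SITE_PREFIX = ipaddress.ip_network("203.0.113.0/24")


def is_special_use(addr: str) -> bool:
    """True if addr lies inside one of the SPECIAL_USE blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in SPECIAL_USE)


def ios_egress_acl(acl_number: int = 101) -> list:
    """Render an outbound extended ACL in Cisco IOS syntax.

    IOS wildcard masks are the inverse of the netmask, which is exactly the
    hostmask the ipaddress module already computes.
    """
    lines = []
    for net in SPECIAL_USE:
        wc = net.hostmask
        lines.append(f"access-list {acl_number} deny ip {net.network_address} {wc} any")
        lines.append(f"access-list {acl_number} deny ip any {net.network_address} {wc}")
    # Only the site's own prefix may leave; log everything else so the firewall
    # log points at the misbehaving host instead of a later victim's complaint.
    lines.append(f"access-list {acl_number} permit ip "
                 f"{SITE_PREFIX.network_address} {SITE_PREFIX.hostmask} any")
    lines.append(f"access-list {acl_number} deny ip any any log")
    return lines


# Constructed log lines in an assumed "src=... dst=..." format.
SAMPLE_LOG = [
    "Jun  1 16:01:02 fw1 egress: src=203.0.113.40 dst=198.51.100.9 proto=tcp dport=22",
    "Jun  1 16:01:05 fw1 egress: src=203.0.113.40 dst=192.168.1.1 proto=tcp dport=22",
    "Jun  1 16:01:09 fw1 egress: src=10.4.7.22 dst=198.51.100.9 proto=tcp dport=22",
    "Jun  1 16:01:11 fw1 egress: src=192.0.2.77 dst=198.51.100.9 proto=tcp dport=22",
    "Jun  1 16:01:14 fw1 egress: src=203.0.113.55 dst=203.0.113.60 proto=tcp dport=445",
    "Jun  1 16:01:20 fw1 egress: src=198.51.100.200 dst=198.51.100.9 proto=tcp dport=22",
]

LOG_RE = re.compile(r"src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)")


def suspect_egress(lines) -> list:
    """Return (src, dst, reason) for each line the egress policy would deny."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        src, dst = m["src"], m["dst"]
        if is_special_use(src):
            reason = "special-use source address"
        elif is_special_use(dst):
            reason = "special-use destination address"
        elif ipaddress.ip_address(src) not in SITE_PREFIX:
            reason = "source address not from the site prefix"
        else:
            continue
        hits.append((src, dst, reason))
    return hits


def hosts_to_investigate(lines) -> set:
    """Site hosts that can be named directly from the denied packets.

    A packet with a bogus source cannot be attributed by address alone; those
    have to be traced back by ingress interface or MAC, so only packets whose
    source is a real site address are attributed here.
    """
    return {src for src, _dst, _reason in suspect_egress(lines)
            if ipaddress.ip_address(src) in SITE_PREFIX}


if __name__ == "__main__":
    print("\n".join(ios_egress_acl()))
    for src, dst, reason in suspect_egress(SAMPLE_LOG):
        print(f"DENY {src} -> {dst}: {reason}")
    print("investigate:", sorted(hosts_to_investigate(SAMPLE_LOG)))
```

Run stand-alone, the script prints the rendered ACL followed by the four denied packets from the sample log; only 203.0.113.40 (which tried to reach 192.168.1.1) can be named from the log alone, which is why the `deny ip any any log` line matters: the spoofed-source packets from 10.4.7.22, 192.0.2.77 and 198.51.100.200 still need the ingress interface to be tied to a host.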


