[Intrusions] SSH brute forcers
Merton Campbell Crockett
mcc at CATO.GD-AIS.COM
Thu Jun 2 22:56:33 GMT 2005
On 01 Jun 2005, at 18:05, Ken Connelly wrote:
> Merton Campbell Crockett wrote:
>
>> Everyone has ingress security policies and filters but it seems
>> precious few have corresponding egress security policies and filters.
>>
>> If you are not permitting CIDR blocks listed in RFC3330 into your
>> network, it would be reasonable not to permit packets from or to
>> those CIDR blocks to exit from your network. Using Cisco IOS
>> access lists, it only takes 15 statements to filter out RFC3330
>> CIDR blocks and another 24 to filter out CIDR blocks that have not
>> yet been assigned by IANA.
>
> IMHO, a better egress filter is to allow only your internal public
> netblock(s) to exit.
>
In networks for which I have management responsibility, the source IP
address is restricted to those CIDR blocks that are allowed access to
the Internet through the Internet Access Point, with NAT being
performed for IP CIDR blocks reserved by RFC1918 for private use. I
filter the target IP address using the CIDR blocks listed in RFC3330
and IANA unassigned CIDR blocks. This has been useful in identifying
laptop systems that picked up something while on the road or
connected to a home network.
Merton Campbell Crockett
--
Merton Campbell Crockett
mcc at CATO.GD-AIS.COM
General Dynamics Advanced Information Systems
Multi-source Intelligence Systems
Advanced Technology
112 Lakeview Canyon Road
Thousand Oaks, CA 91362-5027
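The egress policy described in this thread, modelled in Python as an added example (not the poster's IOS access lists): sources are limited to the site's public netblock plus the NAT'd RFC1918 ranges, destinations in RFC3330 special-use blocks are denied, and the deny hits are tallied per internal host to surface the "laptop that picked something up". The site netblock (203.0.113.0/24), the flow records and the RFC3330 subset are constructed for the example; the full RFC3330 table and the 2005-era IANA unassigned blocks are not reproduced.

```python
from ipaddress import ip_address, ip_network

# Subset of the RFC 3330 special-use blocks (constructed for this example;
# the full RFC 3330 table and the IANA unassigned /8s of 2005 are omitted).
RFC3330_BLOCKS = [ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16", "198.18.0.0/15",
    "224.0.0.0/4", "240.0.0.0/4",
)]
# RFC 1918 private blocks: acceptable as sources only because NAT is applied
# at the Internet Access Point, as the post describes.
RFC1918_BLOCKS = [ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Hypothetical public netblock assigned to this site (documentation range).
SITE_PUBLIC = [ip_network("203.0.113.0/24")]


def egress_verdict(src, dst):
    """Return 'permit' or 'deny: <reason>' for one outbound packet."""
    s, d = ip_address(src), ip_address(dst)
    # Source check: only our own public block or NAT'd private space may exit.
    if not any(s in n for n in SITE_PUBLIC + RFC1918_BLOCKS):
        return "deny: spoofed source"
    # Destination check: special-use space should never be a target.
    if any(d in n for n in RFC3330_BLOCKS):
        return "deny: special-use destination"
    return "permit"


# Constructed sample of outbound flow records: (source, destination).
SAMPLE_FLOWS = [
    ("192.168.5.20", "198.51.100.7"),   # normal traffic
    ("192.168.5.20", "10.200.1.1"),     # scanning private space via the IAP
    ("192.168.5.33", "198.51.100.7"),   # normal traffic
    ("1.2.3.4", "198.51.100.7"),        # source not ours: spoofed
    ("192.168.5.20", "192.0.2.9"),      # special-use destination
]


def denied_sources(flows):
    """Map each source address to the number of flows the egress filter denied.

    Hosts with repeated denies are the candidates for 'picked something up'.
    """
    counts = {}
    for src, dst in flows:
        if egress_verdict(src, dst) != "permit":
            counts[src] = counts.get(src, 0) + 1
    return counts
```

Feeding real flow or ACL log records through `denied_sources` gives the same per-host view the poster uses to spot returning laptops.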