[nSLUG] My sshd has been discovered... ;-)

Jeff Warnica jeffw at chebucto.ns.ca
Tue Aug 17 15:49:23 ADT 2004

On Tue, 2004-17-08 at 13:27 -0300, George N. White III wrote:
> On Tue, 17 Aug 2004, David Potter wrote:
> > I do think however, that allowing people to beat on machines without any 
> > risk/fear of detection shifts the risk to us and consumes phenomenal 
> > amounts of our time and energy - which could be put to more productive 
> > use.
> The only cost-effective way to put a lid on such things is for service 
> providers to block all but a few ports by default.  Then you have to 
> consider what criteria they use to decide whether to enable blocked ports 
> for certain users.  If providers hosting badly behaving machines get 
> blacklisted they will have to take steps or lose customers.  OTOH you 
> don't want to close things down so much that everything uses port 80.

Well, I don't know. It is a very complex situation. If an ISP started
blocking everything but :80, then would they still be an /Internet/
service provider? I would say not. OTOH, ISPs have somewhat of a
responsibility to the Internet community at large to not permit attacks
to originate from them, and something of a lesser responsibility to
prevent attacks on their users.

My idea is that ISPs should have infrastructure in place to easily
enable filtering so they can rapidly respond to specific, immediate
threats, but otherwise be very, very choosy about which ports they
block all the time. :25 is at the top of that list, in my mind. SMTP is
so screwed up these days, that this doesn't add much. Until both
authentication (to the server, not necessarily forced digital signing)
and something like SPF become standard, limiting outgoing random :25 is
a necessary evil.

