Fri, 27 Jul 2007
Dear RIT ITS Department: Go away. Love, WXS
So RIT (where this machine is hosted) feels the need to try a series of different scans against various machines (I don't know how many they are scanning but I do see their failed SSH logins constantly) and it's quite annoying. I figured I have a few options for this:
- Do nothing and deal with the attempts showing up in my logs (by skipping over them).
- grep them out of my periodic log reports.
- Email abuse@rit.edu about RIT abusing my machine.
- Modify the login message to tell them to go away.
- Modify login to accept whatever password they give and watch what happens after (honeypot).
- Outright drop all connections from their scanning box.
I had been doing #1 for a while now and it's become more annoying than anything else. Solution #2 is acceptable but comes without actually fixing the problem - it's really just an automated way of ignoring it. Solution #3 would be funny as hell but then I would have to deal with the follow-up, and quite frankly I'd rather not have to deal with RIT any more than I have to. Solution #4 is more effort points than I want to spend. Solution #5 is just an extension of solution #4 but opens me up to attacks in the event that someone else tries the "authtest" user. So I went with solution #6.
I've never had to run a firewall on this machine because I keep my services pretty locked down and pay attention to both my box and exploits in the wild. I'm not saying I'm completely secure (I know I'm not) but I am saying that I liked the fact that I never had to turn on pf (or any of the other firewall choices in FreeBSD). It's for this reason that I'm going with a permit by default and deny by exception ruleset. It flies in the face of common sense when running a firewall, but I'm accepting that since my main goal is only to drop those who are annoying me, not to secure my machine. Frankly, I'm OK with an accept by default and deny by exception ruleset in this case.
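For anyone who wants to do the same thing, here is what a permit-by-default, deny-by-exception pf.conf for FreeBSD looks like. This is an added example, not the ruleset actually running on this box; the interface name and the addresses in the table are placeholders (assumptions), not RIT's real scanning hosts.

```pf
# /etc/pf.conf -- added example, not the author's actual ruleset.
# Default-permit, deny-by-exception: everything passes except traffic
# from the hosts listed in <scanners>.
ext_if = "em0"            # assumption: name of the external interface

# Addresses are placeholders (TEST-NET-1), not a real scanning box.
# "persist" keeps the table around even if it is ever emptied.
table <scanners> persist { 192.0.2.10, 192.0.2.11 }

set skip on lo0
# Drop silently instead of answering with RST/ICMP unreachable; with a
# drop the scanner's TCP handshake never completes, so nothing reaches
# sshd and nothing lands in the auth log.
set block-policy drop

# pf is last-match-wins, so "quick" makes this rule final and stops the
# catch-all pass rules below from overriding it.
block in quick on $ext_if from <scanners> to any

# The "permit by default" part: everything else is allowed in and out.
pass in on $ext_if all
pass out on $ext_if all
```

Check the syntax before loading (`pfctl -nf /etc/pf.conf`), then load it with `pfctl -f /etc/pf.conf` and enable pf with `pf_enable="YES"` and `pf_rules="/etc/pf.conf"` in /etc/rc.conf so it survives a reboot. The nice thing about a table is that another noisy host can be added on the fly with `pfctl -t scanners -T add <addr>` without touching the file, and `pfctl -k <addr>` kills any state the host already has so an in-progress connection does not outlive the rule.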
Maybe one of my handful of friends at ITS will read this and remove my machine from their scan list - if you do, drop me an email (wxs@atarininja.org).
posted at: 10:01 | tags: stupidity | path: /entries/rant