From owner-freebsd-questions@FreeBSD.ORG Tue Nov 15 20:38:42 2011
From: Allen <unix.hacker@comcast.net>
To: freebsd-questions@freebsd.org
Date: Tue, 15 Nov 2011 15:38:41 -0500
Subject: Re: Breakin attempt
Message-ID: <4EC2CDD1.6040201@comcast.net>
In-Reply-To: <20111024180745.N45635@crusader.bac.edu>
References: <000001cc90c0$a0c16050$e24420f0$@org> <20111024180745.N45635@crusader.bac.edu>

On 10/24/2011 6:08 PM, William Myers wrote:
> I'm seeing the same thing from the same IP addresses.
>
> William Myers
> Associate Professor, Computer Studies
> 100 Belmont-Mount Holly Road
> Belmont Abbey College
> Belmont, NC 28012-1802
> (704) 461-6823
> FAX: (704) 461-5051
> myers@crusader.bac.edu
>
> On Sat, 22 Oct 2011, Admin ValhallaProjectet wrote:
>
>> Hello all
>>
>> FreeBSD odin.thorshammare.org 8.2-STABLE FreeBSD 8.2-STABLE #0: Sat Oct 22
>> 10:14:48 CEST 2011 hasse@odin.thorshammare.org:/usr/obj/usr/src/sys/ODIN i386
>>
>> Firewall PF.
>>
>> Blocking China and some other related countries in that region.
>> Disabled ssh root logins.
>>
>> Apparently, I'm under some kind of attack, for the last 3 days.
>>
>> Lots of attempts to ssh in as root from many different IP addresses.
>>
>> No bruteforce attempts.
>>
>> This just puzzles me. Using all these resources? To achieve what?
>>
>> Below is a one hour snip from my auth.log.
>>
>> Nothing unusual in pflog.
>>
>> Appreciate all ideas of how to proceed with this matter.
>>
>> Best regards, Hasse

*SNIP*

I wouldn't worry much about this personally; it looks like bots.

Have you patched everything? Have you considered moving SSH and other known ports to different ports? Most canned exploits are going to use common methods. Therefore, if you patch your system and move all running services to a non-standard port, a lot of things no longer work. It's sort of like changing your system around in Windows to kill off most viruses that are coded in a manner where simply moving directories around completely disables their ability to work.

Basically: patch your system, and keep it updated with security and bug fixes; change the ports used by services to non-standard ones; don't ever allow root to log in remotely; and keep your filters running. Once you change the ports, most exploits and bots cease to function, so you don't really have to worry much about it.

I know of some people who actually just block all traffic except what they want allowed, and even then, they've got it running on non-standard ports, and they block all of China, and even though I consider it a little racist to do that, they say it works well.

-Allen
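The two things the thread leaves implicit are how to tell "many addresses, one or two root attempts each" apart from a real brute force in auth.log, and what Allen's advice (different port, no remote root, keep the filters running) looks like on a FreeBSD box running PF. The script below is an added example for this archive page, not code posted by Hasse, William or Allen. It runs over a constructed auth.log excerpt in FreeBSD sshd format (not Hasse's real log, which is snipped above), and writes sshd_config and pf.conf fragments for review. The interface name em0, port 2222, the table name bruteforce and the user name in AllowUsers are assumptions; adjust them before applying anything.

```shell
#!/bin/sh
# Added example for this thread, not code from the original posts.
# Assumptions: FreeBSD with OpenSSH and PF; the external interface "em0",
# the alternative SSH port 2222 and the table name "bruteforce" are made up.

# --- 1. Summarise sshd failures the way you would on /var/log/auth.log -------
# Constructed log excerpt in FreeBSD auth.log format (not Hasse's real log).
SAMPLE_AUTH_LOG='Nov 15 20:38:41 odin sshd[1301]: Failed password for root from 203.0.113.10 port 51122 ssh2
Nov 15 20:38:43 odin sshd[1303]: Failed password for root from 203.0.113.11 port 51130 ssh2
Nov 15 20:38:44 odin sshd[1305]: Failed password for root from 203.0.113.10 port 51140 ssh2
Nov 15 20:38:45 odin sshd[1307]: Invalid user admin from 198.51.100.7
Nov 15 20:38:46 odin sshd[1309]: Failed password for invalid user admin from 198.51.100.7 port 40000 ssh2
Nov 15 20:38:50 odin sshd[1311]: Accepted publickey for hasse from 192.0.2.5 port 50000 ssh2'

# Print the source address of every failed root login, one per line.
# Reads stdin, so on a real host: root_sources < /var/log/auth.log
root_sources() {
    awk '/Failed password for root from/ {
             for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1)
         }'
}

# Number of distinct addresses that tried root. Many addresses with one or two
# tries each is the distributed probing Hasse described; a few addresses with
# many tries each is a brute force.
distinct_root_sources() {
    printf '%s\n' "$SAMPLE_AUTH_LOG" | root_sources | sort -u | awk 'END { print NR }'
}

# Addresses with more than $1 failed root attempts (candidates for a PF table).
root_sources_over() {
    printf '%s\n' "$SAMPLE_AUTH_LOG" | root_sources | sort | uniq -c \
      | awk -v limit="$1" '$1 > limit { print $2 }'
}

# --- 2. The hardening Allen suggests, as config fragments --------------------
# Writes sshd_config and pf.conf fragments into directory $1 for review. Merge
# them by hand, then check with `sshd -t` and `pfctl -nf /etc/pf.conf` before
# reloading; a typo in either locks you out.
write_hardening_fragments() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/sshd_config.fragment" <<'EOF'
# /etc/ssh/sshd_config additions (port 2222 and user hasse are assumptions)
Port 2222
PermitRootLogin no
PasswordAuthentication no
AllowUsers hasse
EOF
    cat > "$dir/pf.conf.fragment" <<'EOF'
# /etc/pf.conf additions. A source that opens more than 10 concurrent SSH
# connections, or more than 3 in 30 seconds, lands in <bruteforce> and is
# blocked; its existing states are flushed. Inspect with
# `pfctl -t bruteforce -T show`, clear with `pfctl -t bruteforce -T flush`.
ext_if = "em0"
table <bruteforce> persist
block in quick on $ext_if from <bruteforce>
pass in on $ext_if proto tcp to ($ext_if) port 2222 flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 3/30, overload <bruteforce> flush global)
EOF
    printf '%s\n' "$dir/sshd_config.fragment" "$dir/pf.conf.fragment"
}

# Value of a directive in an sshd_config file, e.g. sshd_directive FILE PermitRootLogin
sshd_directive() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}
```

Moving the port and blocking whole countries mostly cuts the noise from bots that only try port 22; a targeted attacker finds the new port in one scan. The settings that actually stop the root attempts from succeeding are PermitRootLogin no and PasswordAuthentication no (key-only login), and the overload table keeps a single persistent source from hammering the daemon regardless of which port it is on.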