From owner-freebsd-stable@FreeBSD.ORG  Thu Aug 21 18:05:27 2008
Return-Path: <owner-freebsd-stable@FreeBSD.ORG>
Delivered-To: freebsd-stable@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 159531065672
	for <freebsd-stable@FreeBSD.org>; Thu, 21 Aug 2008 18:05:27 +0000 (UTC)
	(envelope-from mi+mill@aldan.algebra.com)
Received: from mail8.sea5.speakeasy.net (mail8.sea5.speakeasy.net
	[69.17.117.10]) by mx1.freebsd.org (Postfix) with ESMTP id E709A8FC13
	for <freebsd-stable@FreeBSD.org>; Thu, 21 Aug 2008 18:05:26 +0000 (UTC)
	(envelope-from mi+mill@aldan.algebra.com)
Received: (qmail 22230 invoked from network); 21 Aug 2008 17:38:45 -0000
Received: from aldan.algebra.com (HELO [127.0.0.1]) (mi@[216.254.65.224])
	(envelope-sender <mi+mill@aldan.algebra.com>)
	by mail8.sea5.speakeasy.net (qmail-ldap-1.03) with SMTP
	for <freebsd-security@freebsd.org>; 21 Aug 2008 17:38:44 -0000
Message-ID: <48ADA81E.7090106@aldan.algebra.com>
Date: Thu, 21 Aug 2008 13:38:38 -0400
From: Mikhail Teterin <mi+mill@aldan.algebra.com>
User-Agent: Thunderbird 2.0.0.16 (X11/20080707)
MIME-Version: 1.0
To: freebsd-security@freebsd.org, freebsd-stable@FreeBSD.org
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: 
Subject: machine hangs on occasion - correlated with ssh break-in attempts
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>, 
	<mailto:freebsd-stable-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-stable>
List-Post: <mailto:freebsd-stable@freebsd.org>
List-Help: <mailto:freebsd-stable-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>,
	<mailto:freebsd-stable-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Aug 2008 18:05:27 -0000

Hello!

A machine I manage remotely for a friend comes under a distributed ssh 
break-in attack every once in a while. Annoyed (and alarmed) by the 
messages like:

Aug 12 10:21:17 symbion sshd[4333]: Invalid user mythtv from 85.234.158.180
Aug 12 10:21:18 symbion sshd[4335]: Invalid user mythtv from 85.234.158.180
Aug 12 10:21:20 symbion sshd[4337]: Invalid user mythtv from 85.234.158.180
Aug 12 10:21:21 symbion sshd[4339]: Invalid user mythtv from 85.234.158.180

I wrote an awk-script, which adds a block of the attacking IP-address to 
the ipfw-rules after three such "invalid user" attempts with:

    ipfw add 550 deny ip from ip

The script is fed by syslogd directly -- through a syslog.conf rule 
("|/opt/sbin/auth-log-watch").

Once in a while I manually flush these rules... I this a good (safe) 
reaction?
I'm asking, because the machine (currently running 7.0 as of July 7) 
hangs solid once every few weeks... My only guess is that a spike in 
attacks causes "too many" ipfw-entries created, which paralyzes the 
kernel due to some bug -- the machine is running natd and is the gateway 
for the rest of the network...
The hangs could, of course, be caused by something else entirely, but my 
self-defense mechanism is my first suspect...

Any comments? Thanks!

    -mi