From: "Kevin Oberman" <oberman@es.net>
To: Mikhail Teterin <mi+mill@aldan.algebra.com>
Cc: freebsd-security@freebsd.org, freebsd-stable@FreeBSD.org
Date: Thu, 21 Aug 2008 11:49:47 -0700
Subject: Re: machine hangs on occasion - correlated with ssh break-in attempts
In-Reply-To: <48ADA81E.7090106@aldan.algebra.com>
Message-Id: <20080821184947.BDAE94500F@ptavv.es.net>

> Date: Thu, 21 Aug 2008 13:38:38 -0400
> From: Mikhail Teterin
> Sender: owner-freebsd-stable@freebsd.org
>
> Hello!
>
> A machine I manage remotely for a friend comes under a distributed ssh
> break-in attack every once in a while. Annoyed (and alarmed) by the
> messages like:
>
> Aug 12 10:21:17 symbion sshd[4333]: Invalid user mythtv from 85.234.158.180
> Aug 12 10:21:18 symbion sshd[4335]: Invalid user mythtv from 85.234.158.180
> Aug 12 10:21:20 symbion sshd[4337]: Invalid user mythtv from 85.234.158.180
> Aug 12 10:21:21 symbion sshd[4339]: Invalid user mythtv from 85.234.158.180
>
> I wrote an awk-script, which adds a block of the attacking IP-address to
> the ipfw-rules after three such "invalid user" attempts with:
>
> ipfw add 550 deny ip from <ip>
>
> The script is fed by syslogd directly -- through a syslog.conf rule
> ("|/opt/sbin/auth-log-watch").
>
> Once in a while I manually flush these rules... Is this a good (safe)
> reaction?
>
> I'm asking, because the machine (currently running 7.0 as of July 7)
> hangs solid once every few weeks... My only guess is that a spike in
> attacks causes "too many" ipfw-entries created, which paralyzes the
> kernel due to some bug -- the machine is running natd and is the gateway
> for the rest of the network...
> The hangs could, of course, be caused by something else entirely, but my
> self-defense mechanism is my first suspect...
>
> Any comments? Thanks!

Looks remarkably like sshguard (ports/security/sshguard-*). It does almost
exactly what you are doing but is written in C and has command-line
switches to set how long a system is blocked, how many attempts constitute
an attack and how long it should remember failed attempts. It also allows
the use of back-end scripts if you want it to do something else such as
generate reports (beyond an entry in /var/log/messages).

As far as the hangs, I don't believe it is from the large number of brute
force attempts as they will stop for a given host as soon as the firewall
is updated. I seldom see more than a handful of attack sources over any
short period.

Should you want to continue with your own tool, at least for IPv4, consider
using tables rather than a raft of rules. With tables, you need only a
single rule and it is there at boot time.
--
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman@es.net			Phone: +1 510 486-8634
Key fingerprint:059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751
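The table-based variant of the log watcher, as an added example that is not part of the thread (neither Mikhail's auth-log-watch script nor sshguard): a syslogd pipe target in awk that counts "Invalid user" lines per source address and, at the third attempt, emits a single `ipfw table N add` for that address, instead of a new `deny` rule each time. One rule referencing the table is installed once (for example from the rc.firewall rules loaded at boot), so the ruleset never grows and a flush is `ipfw table N flush`. The table number, rule number, threshold, function names and the `run`/`dry-run` arguments are this example's own choices; the log lines in the comments are constructed from the format quoted in the thread (OpenSSH of that era, no trailing "port" field).

```shell
#!/bin/sh
# Added example, not the original poster's script. Blocks sshd brute-force
# sources via one ipfw table rather than one ipfw rule per address.
# Hypothetical knobs: TABLE (ipfw table number), RULE_NUM, THRESHOLD.

TABLE=${TABLE:-1}
RULE_NUM=${RULE_NUM:-550}
THRESHOLD=${THRESHOLD:-3}

# Emits the single rule that covers every address ever added to the table.
# Install it once (e.g. in your rc.firewall set); it survives table churn.
install_table_rule() {
    echo "ipfw add $RULE_NUM deny ip from 'table($TABLE)' to any"
}

# Reads syslog lines on stdin (the "|/path/to/script" syslog.conf target)
# and prints one "ipfw table N add IP" per source address whose count of
# "Invalid user" lines reaches THRESHOLD. Each address is emitted exactly
# once, so the table (and the live ruleset) never grows per attempt.
# Constructed sample input, matching the thread's log format:
#   Aug 12 10:21:17 symbion sshd[4333]: Invalid user mythtv from 85.234.158.180
watch_auth_log() {
    awk -v table="$TABLE" -v threshold="$THRESHOLD" '
        /sshd\[[0-9]+\]: Invalid user .* from / {
            line = $0
            sub(/.* from /, "", line)          # keep text after the last " from "
            split(line, a, " ")
            ip = a[1]
            # IPv4 only, as in the thread; ignore anything that is not a.b.c.d
            if (ip !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next
            if (++count[ip] == threshold)
                print "ipfw table " table " add " ip
            fflush()                           # do not sit on output behind a pipe
        }'
}

# Entry points. With no argument the file only defines the functions.
case "${1-}" in
    run)     watch_auth_log | sh ;;   # apply live; needs root and the table rule installed
    dry-run) watch_auth_log ;;        # print the commands instead of running them
esac
```

A syslog.conf line such as `auth.info |/usr/local/sbin/auth-log-watch run` (path assumed) feeds sshd's messages to the script; `ipfw table 1 list` shows what is currently blocked and `ipfw table 1 flush` clears it without touching the ruleset. Note that the awk state is per process, so the counts reset whenever syslogd restarts the pipe.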