From owner-freebsd-stable@FreeBSD.ORG Thu Aug 21 20:42:44 2008
Message-ID: <48ADD084.9070707@elischer.org>
Date: Thu, 21 Aug 2008 13:31:00 -0700
From: Julian Elischer
To: Kevin Oberman
Cc: Mikhail Teterin, freebsd-stable@FreeBSD.org, freebsd-security@freebsd.org
In-Reply-To: <20080821184947.BDAE94500F@ptavv.es.net>
Subject: Re: machine hangs on occasion - correlated with ssh break-in attempts

Kevin Oberman wrote:
>> Date: Thu, 21 Aug 2008 13:38:38 -0400
>> From: Mikhail Teterin
>> Sender: owner-freebsd-stable@freebsd.org
>>
>> Hello!
>>
>> A machine I manage remotely for a friend comes under a distributed ssh
>> break-in attack every once in a while. Annoyed (and alarmed) by the
>> messages like:
>>
>> Aug 12 10:21:17 symbion sshd[4333]: Invalid user mythtv from 85.234.158.180
>> Aug 12 10:21:18 symbion sshd[4335]: Invalid user mythtv from 85.234.158.180
>> Aug 12 10:21:20 symbion sshd[4337]: Invalid user mythtv from 85.234.158.180
>> Aug 12 10:21:21 symbion sshd[4339]: Invalid user mythtv from 85.234.158.180
>>
>> I wrote an awk-script, which adds a block of the attacking IP-address to
>> the ipfw-rules after three such "invalid user" attempts with:
>>
>> ipfw add 550 deny ip from ip
>>
>> The script is fed by syslogd directly -- through a syslog.conf rule
>> ("|/opt/sbin/auth-log-watch").
>>
>> Once in a while I manually flush these rules... Is this a good (safe)
>> reaction?
>> I'm asking, because the machine (currently running 7.0 as of July 7)
>> hangs solid once every few weeks... My only guess is that a spike in
>> attacks causes "too many" ipfw-entries created, which paralyzes the
>> kernel due to some bug -- the machine is running natd and is the gateway
>> for the rest of the network...
>> The hangs could, of course, be caused by something else entirely, but my
>> self-defense mechanism is my first suspect...
>>
>> Any comments? Thanks!

also, if you do this, have a single rule that uses a table and add the
addresses to the table.

> Looks remarkably like sshguard (ports/security/sshguard-*). It does almost
> exactly what you are doing but is written in C and has command-line
> switches to set how long a system is blocked, how many attempts
> constitute an attack and how long it should remember failed attempts. It
> also allows the use of back-end scripts if you want it to do something
> else such as generate reports (beyond an entry in /var/log/messages).
>
> As far as the hangs, I don't believe it is from the large number of
> brute force attempts as they will stop for a given host as soon as the
> firewall is updated. I seldom see more than a handful of attack sources
> over any short period.
>
> Should you want to continue with your own tool, at least for IPv4,
> consider using tables rather than a raft of rules. With tables, you need
> only a single rule and it is there at boot time.
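The table-based variant Julian and Kevin recommend, as an added example that is neither Mikhail's auth-log-watch script nor sshguard: a syslog-fed filter that counts sshd "Invalid user" attempts per source and, on the third, adds the address to an ipfw table, so one rule covers every blocked address. Table number 1 and the sample log lines are assumptions; rule number 550 and the threshold of three come from the thread, and the script prints the ipfw commands instead of running them.

```shell
#!/bin/sh
# Added example (not the script from the thread): a syslog-fed filter in the
# spirit of Mikhail's auth-log-watch. It counts sshd "Invalid user" attempts
# per source address and, on the THRESHOLD-th attempt, emits one command that
# adds the address to an ipfw table, so a single rule (ipfw_table_rule below)
# blocks every address in the table instead of one rule per address.
# Dry-run by design: commands are printed, not executed; pipe the output to
# sh to apply them. Table number 1 is an assumption; 550 is the thread's rule.

THRESHOLD=3
TABLE=1

# The one rule to install at boot; every address in the table is denied.
ipfw_table_rule() {
    printf "ipfw add 550 deny ip from 'table(%s)' to any\n" "$TABLE"
}

# Read syslog lines on stdin; print "ipfw table N add IP" exactly once per
# source that reaches THRESHOLD invalid-user attempts. Handles both the
# "... from A.B.C.D" form and the newer "... from A.B.C.D port NNNN" form.
auth_log_watch() {
    awk -v limit="$THRESHOLD" -v table="$TABLE" '
        /sshd\[[0-9]+\]: Invalid user .* from / {
            ip = ""
            for (i = 1; i < NF; i++)
                if ($i == "from") ip = $(i + 1)
            # ipfw address tables here hold IPv4; skip anything else
            if (ip !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next
            count[ip]++
            if (count[ip] == limit)
                printf "ipfw table %s add %s\n", table, ip
        }
    '
}

# Constructed sample log: four attempts from one source, one from another.
sample_log() {
    cat <<'EOF'
Aug 12 10:21:17 symbion sshd[4333]: Invalid user mythtv from 85.234.158.180
Aug 12 10:21:18 symbion sshd[4335]: Invalid user mythtv from 85.234.158.180
Aug 12 10:21:20 symbion sshd[4337]: Invalid user mythtv from 85.234.158.180
Aug 12 10:21:21 symbion sshd[4339]: Invalid user mythtv from 85.234.158.180
Aug 12 10:21:22 symbion sshd[4341]: Invalid user admin from 192.0.2.10 port 51822
EOF
}

ipfw_table_rule
sample_log | auth_log_watch
```

In production the script would read from the syslog.conf pipe instead of sample_log, and the table can be flushed with a single command rather than deleting rules one by one.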