From: Dewayne Geraghty
Reply-To: dewayne_freebsd@yahoo.com
To: Rink Springer, Brooks Davis
Cc: Mikhail Teterin, Jeremy Chadwick, freebsd-stable@freebsd.org, freebsd-security@freebsd.org
Date: Thu, 21 Aug 2008 16:39:32 -0700 (PDT)
Subject: Re: machine hangs on occasion - correlated with ssh break-in attempts
In-Reply-To: <20080821203703.GA47728@lor.one-eyed-alien.net>
Message-ID: <446595.9807.qm@web46413.mail.sp1.yahoo.com>
List-Id: Production branch of FreeBSD source code

There are many excellent suggestions on how to deal with invalid/unauthorised access attempts via ssh. I'd used sshguard for around 8 months but recently changed to bruteblock; both are in ports/security. sshguard was very easy to configure, via rc.conf arguments. Bruteblock handled the same problem more elegantly: it uses two processes, one for monitoring audit.log via a pipe and one for maintaining the ipfw table entries; it uses the ipfw table value with the date/time entered, and the C code is cleaner (some optimisations are possible but this is V0.5).

If you'd like to try it, here are the steps I used to get it going:

Install the package.

Configure /usr/local/etc/bruteblock-ssh.conf (using the regexps from the sample, but modify the parameters to suit your environment):
regexp      = sshd.*Illegal user \S+ from (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
regexp1     = sshd.*Failed password for (?:illegal user )?\S+ from (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
# three failures in 3 minutes is blocked for a day, using ipfw2 table 10
max_count   = 3
within_time = 180
reset_ip    = 86400
ipfw2_table_no = 10

Insert into "/etc/syslog.conf":
auth.info;authpriv.info |exec /usr/local/sbin/bruteblock -f /usr/local/etc/bruteblock-ssh.conf

Add to the firewall rules (and /etc/rc.firewall):
ipfw add 4 deny ip from table\(10\) to any
ipfw add 4 deny ip from any to table\(10\)

Add into /etc/rc.conf:
bruteblockd_enable="YES"
bruteblockd_table="10"
bruteblockd_flags="-s 7200"  # How frequently to review the ipfw table for entry removal

Now restart syslog, and start bruteblockd:
/etc/rc.d/syslogd restart
/usr/local/etc/rc.d/bruteblockd.sh start
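As an added example (it is not code from this posting nor from bruteblock itself), the following Python script applies the two regexps and the max_count/within_time thresholds from the config above to a few constructed sshd log lines, so you can see which sources would end up in ipfw table 10 before wiring the pipe into syslog. It assumes that Python's re module accepts the sample's Perl-style patterns (it does for these two; compiling them up front is also a cheap check that catches a typo such as a missing closing parenthesis) and that each block amounts to an `ipfw table 10 add <ip>` invocation, which is an assumption about what bruteblockd ultimately does rather than something the posting states.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The two patterns from bruteblock-ssh.conf. re.compile() fails loudly on an
# unbalanced pattern, which is a useful check before the daemon reads the file.
PATTERNS = [
    re.compile(r"sshd.*Illegal user \S+ from (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"),
    re.compile(r"sshd.*Failed password for (?:illegal user )?\S+ from "
               r"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"),
]
MAX_COUNT = 3      # max_count   = 3
WITHIN_TIME = 180  # within_time = 180 (seconds)
RESET_IP = 86400   # reset_ip    = 86400 (seconds the entry stays in the table)
TABLE_NO = 10      # ipfw2_table_no = 10

# Constructed sample of auth.log lines (documentation addresses, made-up PIDs).
# 192.0.2.10 fails three times inside 90 seconds; 198.51.100.7 fails three
# times spread over 18 minutes; 203.0.113.5 logs in normally.
SAMPLE_LOG = """\
Aug 21 23:10:01 host sshd[1201]: Illegal user admin from 192.0.2.10
Aug 21 23:10:05 host sshd[1202]: Failed password for illegal user admin from 192.0.2.10 port 40112 ssh2
Aug 21 23:11:30 host sshd[1203]: Failed password for root from 192.0.2.10 port 40120 ssh2
Aug 21 23:12:00 host sshd[1204]: Failed password for dewayne from 198.51.100.7 port 50000 ssh2
Aug 21 23:20:00 host sshd[1205]: Failed password for root from 198.51.100.7 port 50001 ssh2
Aug 21 23:30:00 host sshd[1206]: Failed password for root from 198.51.100.7 port 50002 ssh2
Aug 21 23:40:00 host sshd[1207]: Accepted publickey for dewayne from 203.0.113.5 port 60000 ssh2
"""


def parse_time(line, year=2008):
    """Syslog timestamps carry no year; the constructed sample is dated 2008."""
    return datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=year)


def extract_ip(line):
    """Return the captured source address if any configured regexp matches."""
    for pat in PATTERNS:
        m = pat.search(line)
        if m:
            return m.group(1)
    return None


def offenders(lines, max_count=MAX_COUNT, within_time=WITHIN_TIME):
    """Map each source that reaches max_count matches inside a sliding
    within_time-second window to the time it crossed the threshold."""
    window = timedelta(seconds=within_time)
    hits = defaultdict(list)
    blocked = {}
    for line in lines:
        ip = extract_ip(line)
        if ip is None or ip in blocked:
            continue
        now = parse_time(line)
        # keep only the matches that are still inside the window
        recent = [t for t in hits[ip] if now - t <= window]
        recent.append(now)
        hits[ip] = recent
        if len(recent) >= max_count:
            blocked[ip] = now
    return blocked


def ipfw_commands(blocked, table=TABLE_NO, reset_ip=RESET_IP):
    """ipfw(8) table insertions assumed to be equivalent to what bruteblockd
    performs; the comment gives the time the entry becomes eligible for removal."""
    cmds = []
    for ip, when in sorted(blocked.items()):
        expires = when + timedelta(seconds=reset_ip)
        cmds.append(f"ipfw table {table} add {ip}  # until {expires:%Y-%m-%d %H:%M:%S}")
    return cmds


if __name__ == "__main__":
    for cmd in ipfw_commands(offenders(SAMPLE_LOG.splitlines())):
        print(cmd)
```

Feeding real lines from /var/log/auth.log through offenders() with different within_time and max_count values is a quick way to tune the thresholds before going live; in the sample, the slow attempts from 198.51.100.7 stay under the 3-in-180-seconds threshold, which is the trade-off any such counter makes. Also bear in mind that the rule-4 deny above sits ahead of everything else and blocks both directions, so a mistyped password from your own address puts you in the table for reset_ip seconds too.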