From owner-freebsd-hackers@FreeBSD.ORG Sun Oct 4 08:35:21 2009
Message-ID: <4AC85E3B.4040906@delphij.net>
Date: Sun, 04 Oct 2009 01:35:07 -0700
From: Xin LI
Organization: The FreeBSD Project
To: Daniel O'Connor
Cc: jruohonen@iki.fi, freebsd-hackers@freebsd.org, krad
Subject: Re: Distributed SSH attack
In-Reply-To: <200910032357.02207.doconnor@gsoft.com.au>
References: <20091002201039.GA53034@flint.openpave.org> <20091003081335.GA19914@marx.net.bit> <200910032357.02207.doconnor@gsoft.com.au>
List-Id: Technical Discussions relating to FreeBSD

Daniel O'Connor wrote:
> On Sat, 3 Oct 2009, krad wrote:
>> simplest thing to do is disable password auth, and use key based.
>
> Your logs are still full of crap though.
>
> I find sshguard works well, and I am fairly sure you couldn't spoof a
> valid TCP connection through pf sanitising so it would be difficult
> (nigh-impossible?) for someone to cause you to block a legit IP.
>
> If you can, changing the port sshd runs on is by far the simplest work
> around. Galling as it is to have to change stuff to work around
> malicious assholes..

Believe it or not, I find this pf.conf rule very effective to mitigate
this type of distributed SSH botnet attack:

block in quick proto tcp from any os "Linux" to any port ssh

Cheers,
--
Xin LI http://www.delphij.net/
FreeBSD - The Power to Serve!
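A fuller pf.conf fragment built around that rule, added here as an example and not taken from the thread: it assumes an Internet-facing interface named in $ext_if and an <admins> table of trusted management addresses (constructed placeholders), passes those hosts before the OS-fingerprint block so a legitimate Linux client is not locked out, and hands everything else to pf's own per-source rate limiting.

```pf
# Added example (not from the thread). Assumptions: $ext_if is the
# Internet-facing interface; the <admins> entries are constructed
# placeholders from the documentation address ranges.
ext_if = "em0"
table <admins> persist { 192.0.2.10, 2001:db8::10 }
table <bruteforce> persist

# Passive OS fingerprints come from this file; pf compares them against
# the TCP SYN only, so a tuned stack or a normalising middlebox changes
# what pf sees. The os match is a heuristic, not authentication.
set fingerprints "/etc/pf.os"

# Sources already overloaded into <bruteforce> are dropped first.
block in quick on $ext_if proto tcp from <bruteforce> to any port ssh

# Trusted hosts are passed before the fingerprint rule; without this an
# admin on a Linux workstation is blocked along with the botnet.
pass in quick on $ext_if proto tcp from <admins> to ($ext_if) port ssh \
    flags S/SA keep state

# The rule from the thread: drop SSH SYNs whose fingerprint matches any
# Linux entry in pf.os. This thins the log noise; it does not replace
# key-only authentication in sshd_config.
block in quick on $ext_if proto tcp from any os "Linux" to any port ssh

# Everyone else is rate limited per source address: more than 10
# concurrent connections, or more than 5 new ones in 60 seconds, puts
# the source into <bruteforce> and flushes its existing states.
pass in on $ext_if proto tcp from any to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 5/60, overload <bruteforce> flush global)
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, and `pfctl -t bruteforce -T show` lists the sources the overload rule has captured.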