From: Adam Vande More
To: David Rawling
Cc: freebsd-questions@FreeBSD.ORG
Date: Fri, 1 Jan 2010 10:05:44 -0600
Subject: Re: Blocking a slow-burning SSH bruteforce
Message-ID: <6201873e1001010805s5b9b04a9wa0c5482be84c0ec3@mail.gmail.com>
In-Reply-To: <4B3E0D11.1080101@pdconsec.net>

On Fri, Jan 1, 2010 at 8:56 AM, David Rawling wrote:
> I tend to think there's not much I can do about this, but I'll ask anyway.
>
> I've implemented sshguard to block the normal bruteforce attacks - which
> seems to be working reasonably well.
>
> However now I have the following:
>
> Jan 1 17:42:52 timeserver sshd[1755]: error: PAM: authentication error for illegal user but from 190.146.246.36
> Jan 1 17:55:09 timeserver sshd[1788]: error: PAM: authentication error for illegal user byung from 212.243.41.9
> Jan 1 18:07:38 timeserver sshd[1809]: error: PAM: authentication error for illegal user cac from 148.233.140.193
> Jan 1 18:20:06 timeserver sshd[1832]: error: PAM: authentication error for illegal user cachou from 121.52.215.180
> Jan 1 18:32:21 timeserver sshd[1851]: error: PAM: authentication error for illegal user calla from 212.243.41.9
> Jan 1 18:44:35 timeserver sshd[1884]: error: PAM: authentication error for illegal user calube from 83.211.160.211
> Jan 1 19:09:12 timeserver sshd[1923]: error: PAM: authentication error for illegal user cancy from 194.51.12.238
> Jan 1 19:21:35 timeserver sshd[1946]: error: PAM: authentication error for illegal user candice from 82.106.226.77
> Jan 1 19:46:12 timeserver sshd[1997]: error: PAM: authentication error for illegal user candyw from 116.55.226.131
>
> Now this seems to me to be a dictionary attack on timeserver, and I'd guess
> that it's a botnet behind it. It's rather sophisticated since it's only
> attempting 1 user and password combination per source - so it's far too
> little to trigger the sshguard rules. Even if it did trigger, it wouldn't
> prevent the attacks.
>
> Apart from switching away from user authentication to private/public keys
> ... is there anything I can do to mitigate these attacks? Any advice
> welcome.
>
> Dave.

If your passwords are complex, those attacks could come for a million years on localhost and not get anywhere, let alone over a latent network. Worrying about that stuff with complex passwords is akin to devising a plan for repelling a Godzilla attack. Another point is these attacks typically try common passwords; it's a distributed common password attack, not a brute force.

If you are concerned about this for other reasons, e.g. you have local users on the system and you don't enforce a password policy, there are several utilities for dealing with this. I'm not familiar with sshguard, but these types of attacks are blocked quite well with denyhosts, since the IPs are recycled through eventually and you can configure the parameters for blocking. Denyhosts also has the ability to download to, and upload from, a shared blocklist.

-- 
Adam Vande More
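The thread's central observation is that a per-source threshold (the sshguard or denyhosts model) cannot fire when each bot makes a single attempt. The following is an added example, not code from either poster or from sshguard or denyhosts: it parses the sshd lines quoted above and computes host-wide signals that a low-and-slow distributed dictionary campaign leaves even when every individual source stays under threshold: many distinct sources with one or two attempts each, attempts almost all against non-existent ("illegal") users, usernames advancing in sorted wordlist order, and a near-constant inter-arrival gap. The sample log is the quoted lines joined back onto single lines; the year 2010 is assumed from the message date because syslog timestamps carry none, and the thresholds in `looks_like_distributed_dictionary` are illustrative choices, not values from any tool.

```python
import re
import statistics
from collections import Counter
from datetime import datetime

# Constructed sample: the sshd lines quoted in David Rawling's message, unwrapped.
SAMPLE_LOG = """\
Jan 1 17:42:52 timeserver sshd[1755]: error: PAM: authentication error for illegal user but from 190.146.246.36
Jan 1 17:55:09 timeserver sshd[1788]: error: PAM: authentication error for illegal user byung from 212.243.41.9
Jan 1 18:07:38 timeserver sshd[1809]: error: PAM: authentication error for illegal user cac from 148.233.140.193
Jan 1 18:20:06 timeserver sshd[1832]: error: PAM: authentication error for illegal user cachou from 121.52.215.180
Jan 1 18:32:21 timeserver sshd[1851]: error: PAM: authentication error for illegal user calla from 212.243.41.9
Jan 1 18:44:35 timeserver sshd[1884]: error: PAM: authentication error for illegal user calube from 83.211.160.211
Jan 1 19:09:12 timeserver sshd[1923]: error: PAM: authentication error for illegal user cancy from 194.51.12.238
Jan 1 19:21:35 timeserver sshd[1946]: error: PAM: authentication error for illegal user candice from 82.106.226.77
Jan 1 19:46:12 timeserver sshd[1997]: error: PAM: authentication error for illegal user candyw from 116.55.226.131
"""

# Matches the FreeBSD sshd/PAM failure format shown in the thread. The optional
# "illegal user " prefix distinguishes guesses at non-existent accounts.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: error: PAM: "
    r"authentication error for (?P<illegal>illegal user )?(?P<user>\S+) from (?P<ip>\S+)$"
)


def parse_sshd_failures(text, year=2010):
    """Return one dict per failed-authentication line; year is assumed (syslog omits it)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        events.append({"ts": ts, "user": m["user"], "ip": m["ip"],
                       "illegal": m["illegal"] is not None})
    return events


def per_source_threshold_hits(events, threshold=3):
    """The per-IP view a sshguard/denyhosts-style rule sees: sources at or over threshold."""
    counts = Counter(e["ip"] for e in events)
    return {ip: n for ip, n in counts.items() if n >= threshold}


def campaign_signals(events):
    """Host-wide statistics that survive even when every source makes a single attempt."""
    if not events:
        return None
    events = sorted(events, key=lambda e: e["ts"])
    users = [e["user"] for e in events]
    gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(events, events[1:])]
    return {
        "attempts": len(events),
        "distinct_sources": len({e["ip"] for e in events}),
        "max_per_source": max(Counter(e["ip"] for e in events).values()),
        "illegal_user_fraction": sum(e["illegal"] for e in events) / len(events),
        # A strictly increasing username sequence is the fingerprint of one
        # wordlist being walked by many coordinated sources.
        "wordlist_ordered": all(a < b for a, b in zip(users, users[1:])),
        "median_gap_s": statistics.median(gaps) if gaps else None,
    }


def looks_like_distributed_dictionary(sig, min_sources=5, max_per_source=2):
    """Illustrative decision rule over campaign_signals(); thresholds are assumptions."""
    if sig is None:
        return False
    return (sig["distinct_sources"] >= min_sources
            and sig["max_per_source"] <= max_per_source
            and sig["wordlist_ordered"]
            and sig["illegal_user_fraction"] >= 0.9)


if __name__ == "__main__":
    ev = parse_sshd_failures(SAMPLE_LOG)
    print("per-source rule fires for:", per_source_threshold_hits(ev) or "nothing")
    sig = campaign_signals(ev)
    print("campaign signals:", sig)
    print("distributed dictionary campaign:", looks_like_distributed_dictionary(sig))
```

Run against the quoted lines, the per-source rule matches nothing (the busiest source, 212.243.41.9, made two attempts), while the host-wide view shows eight sources, every guess against a non-existent account, usernames in sorted order, and a median gap of about twelve and a half minutes. That is the signal to alert on; what to do with it is a separate question, and the reply's point stands that with strong passwords, or key-only authentication, such a campaign is noise rather than risk.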