Date: Wed, 7 Oct 2009 17:06:20 -0400
From: "Andresen, Jason R." <jandrese@mitre.org>
To: "freebsd-hackers@freebsd.org" <freebsd-hackers@freebsd.org>
Subject: RE: Distributed SSH attack
Message-ID: <600C0C33850FFE49B76BDD81AED4D2580131FCB08C@IMCMBX3.MITRE.ORG>
In-Reply-To: <4AC85E3B.4040906@delphij.net>
References: <20091002201039.GA53034@flint.openpave.org> <20091003081335.GA19914@marx.net.bit> <d36406630910030303j2e88046epa30f2a76b9ae1507@mail.gmail.com> <200910032357.02207.doconnor@gsoft.com.au> <4AC85E3B.4040906@delphij.net>
>-----Original Message-----
>From: owner-freebsd-hackers@freebsd.org [mailto:owner-freebsd-
>hackers@freebsd.org] On Behalf Of Xin LI
>Sent: Sunday, October 04, 2009 4:35 AM
>To: Daniel O'Connor
>Cc: jruohonen@iki.fi; freebsd-hackers@freebsd.org; krad
>Subject: Re: Distributed SSH attack
>
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>Daniel O'Connor wrote:
>> On Sat, 3 Oct 2009, krad wrote:
>>> Simplest thing to do is disable password auth, and use key based.
>>
>> Your logs are still full of crap though.
>>
>> I find sshguard works well, and I am fairly sure you couldn't spoof a
>> valid TCP connection through pf sanitising, so it would be difficult
>> (nigh-impossible?) for someone to cause you to block a legit IP.
>>
>> If you can, changing the port sshd runs on is by far the simplest
>> workaround. Galling as it is to have to change stuff to work around
>> malicious assholes..
>
>Believe it or not, I find this pf.conf rule very effective to mitigate
>this type of distributed SSH botnet attack:
>
>block in quick proto tcp from any os "Linux" to any port ssh

How does that work? Does PF do some sort of OS fingerprinting on the remote side before allowing the first SYN through?

Also, if you have a mix of Linux and FreeBSD boxes, presumably this would not be a great idea, right? It's not just getting people who are faking it?

From what I've seen of this attack, it looks like the hosts just send random logins to random IP addresses constantly, so adding an IP address to a blackhole list isn't as effective, because you'll be getting hits from thousands of IP addresses, but only a single hit from each. In fact, it looks like this attack is specifically designed to defeat the "I'll add the attacker's IP address to a blackhole list" strategy, by coming in on a different address every time.
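The last paragraph of the reply above describes the detection problem precisely: a per-source threshold (the sshguard or "add the IP to a blackhole table" approach) only fires once one address has failed several times, and a campaign that sends one guess per address never trips it. The script below, an added example that is not part of the original thread or of any project mentioned in it, makes that concrete. It parses constructed FreeBSD-style sshd auth.log lines (the hosts, PIDs and addresses are made up; the addresses are from documentation ranges), applies a per-IP threshold, and then applies a complementary aggregate detector that flags a time window with many distinct failing sources each contributing only one or two attempts. The window size and thresholds are assumptions to be tuned per site. As for the pf rule being asked about: pf's `os` keyword matches the passive OS fingerprint of the initial SYN against /etc/pf.os, so the rule is decided on the first packet, before any connection exists, and the caveat in the question stands, since it blocks every client that looks like Linux, not only the attacking ones.

```python
"""Added example (not from the original thread): why per-IP blacklisting
misses a distributed one-guess-per-source SSH campaign, and an aggregate
detector that catches it.

SAMPLE_LOG is constructed to resemble FreeBSD sshd lines in auth.log;
hosts, PIDs and addresses are made up."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: eight failed guesses, each from a different source,
# within about twenty seconds, plus one legitimate key-based login.
SAMPLE_LOG = """\
Oct  7 16:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51201 ssh2
Oct  7 16:00:03 host sshd[1203]: Failed password for root from 198.51.100.17 port 40122 ssh2
Oct  7 16:00:04 host sshd[1205]: Failed password for invalid user oracle from 192.0.2.44 port 33012 ssh2
Oct  7 16:00:06 host sshd[1207]: Failed password for invalid user test from 203.0.113.77 port 55010 ssh2
Oct  7 16:00:09 host sshd[1209]: Failed password for root from 198.51.100.200 port 41111 ssh2
Oct  7 16:00:12 host sshd[1211]: Failed password for invalid user guest from 192.0.2.9 port 39001 ssh2
Oct  7 16:00:15 host sshd[1213]: Accepted publickey for jason from 192.0.2.250 port 50000 ssh2
Oct  7 16:00:20 host sshd[1215]: Failed password for invalid user www from 203.0.113.140 port 60210 ssh2
Oct  7 16:00:21 host sshd[1217]: Failed password for root from 198.51.100.3 port 42234 ssh2
"""

# syslog timestamp, host, sshd[pid], then the OpenSSH failed-password message.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(log_text, year=2009):
    """Return a list of (timestamp, user, source_ip) for each failed-password
    line. syslog lines carry no year, so one is supplied (assumption)."""
    failures = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        failures.append((ts, m["user"], m["ip"]))
    return failures


def per_ip_offenders(failures, threshold=3):
    """The per-source blacklist strategy: a source is blocked only after
    `threshold` failures. A one-guess-per-address campaign never reaches it,
    so this returns an empty set for SAMPLE_LOG."""
    counts = Counter(ip for _, _, ip in failures)
    return {ip for ip, n in counts.items() if n >= threshold}


def distributed_campaign(failures, window_seconds=60, min_sources=5, max_per_ip=2):
    """Aggregate detector: bucket failures into fixed windows measured from the
    first failure and flag a window in which at least `min_sources` distinct
    addresses fail while no single address exceeds `max_per_ip` attempts.
    Returns a list of (window_start, distinct_sources, total_failures)."""
    if not failures:
        return []
    base = min(ts for ts, _, _ in failures)
    buckets = defaultdict(Counter)
    for ts, _, ip in failures:
        offset = int((ts - base).total_seconds()) // window_seconds * window_seconds
        buckets[base + timedelta(seconds=offset)][ip] += 1
    hits = []
    for start in sorted(buckets):
        ips = buckets[start]
        if len(ips) >= min_sources and max(ips.values()) <= max_per_ip:
            hits.append((start, len(ips), sum(ips.values())))
    return hits


if __name__ == "__main__":
    fails = parse_failures(SAMPLE_LOG)
    print("per-IP blacklist would block:", per_ip_offenders(fails) or "nothing")
    for start, sources, total in distributed_campaign(fails):
        print(f"distributed campaign from {start}: {total} failures, {sources} sources")
```

The aggregate detector does not tell you which address to block, which is the point of the thread: against this pattern, the useful response is on the service side (key-only authentication, or moving or filtering the port) rather than per-source blocking.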
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?600C0C33850FFE49B76BDD81AED4D2580131FCB08C>