From: Carl Makin
Date: Thu, 22 Mar 2007 09:57:22 +1100
To: freebsd-security@freebsd.org
Subject: Re: Reality check: IPFW sees SSH traffic that sshd does not?
In-Reply-To: <20070321145041.GG14837@codelabs.ru>

On 22/03/2007, at 1:50 AM, Eygene Ryabinkin wrote:

> You can use the following rule that will put very fast SSH connectors
> to the pf table ssh_scans:
> -----
> pass in quick on $iface proto tcp from any to $ip port 22 flags S/AUSPF \
>     keep state (max-src-conn 4, max-src-conn-rate 6/1, overload <ssh_scans> flush)
> -----

Interesting, I really must get off my ass and look closely at pf.

I use the Simple Event Correlator (sec, in ports) to parse the auth
logfile and add ipfw rules blocking the originating site once it sees
3 authentication failures of any kind from a single address.

One of the sec rules looks like this:

-----------------------
type=SingleWithThreshold
ptype=RegExp
pattern=Failed password for (\S+) from (\S+) port (\S+) ssh2
desc=SSH attack from $2
action=shellcmd /usr/local/bin/ipfwadd.sh "$2" ; pipe 'Failed password for $1 from $2' /usr/bin/mail -s 'SSH Attack from $2' me@myaddress.com
window=60
thresh=3
-----------------------

ipfwadd.sh is just

-----------------------
/sbin/ipfw add 25 deny log tcp from $1 to any in via tun0
-----------------------

I also have a rule that emails me whenever someone successfully logs
into the system.

It's not foolproof, but it helps.

Carl.
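An added example, not part of Carl's message and not sec's own code: the counting that the SingleWithThreshold rule above performs (three "Failed password" events from one address inside a 60 second window), re-implemented over a handful of constructed auth.log lines so the window semantics can be seen directly. It also adds a check the sec action does not: the captured "from" field is accepted only if it is a literal IP address outside a never-block list, because whatever appears in that log field is what ends up in the ipfw command. The year (2007), the NEVER_BLOCK networks, the hostname "gw" and the sample lines are all assumptions; ipfw_rule only builds the argv that ipfwadd.sh would run, it does not execute it.

```python
# Added example (not from the post, nor sec's own code): the thresholding the
# sec SingleWithThreshold rule performs, re-implemented over constructed log
# lines, with the source field validated before it is handed to ipfw.
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Same pattern as the sec rule in the post: groups are user, source, port.
FAILED_RE = re.compile(r"Failed password for (\S+) from (\S+) port (\S+) ssh2")
# BSD syslog timestamp at the start of the line, e.g. "Mar 22 09:00:01".
SYSLOG_TS_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) ")

# Constructed sample auth.log lines (not real traffic, hostname "gw" is made up).
SAMPLE_LOG = [
    "Mar 22 09:00:01 gw sshd[1234]: Failed password for root from 203.0.113.7 port 40001 ssh2",
    "Mar 22 09:00:05 gw sshd[1235]: Failed password for admin from 203.0.113.7 port 40002 ssh2",
    "Mar 22 09:00:09 gw sshd[1236]: Failed password for test from 203.0.113.7 port 40003 ssh2",
    "Mar 22 09:00:20 gw sshd[1240]: Failed password for carl from 198.51.100.9 port 50001 ssh2",
    "Mar 22 09:02:00 gw sshd[1241]: Failed password for carl from 198.51.100.9 port 50002 ssh2",
    "Mar 22 09:03:30 gw sshd[1242]: Failed password for carl from 198.51.100.9 port 50003 ssh2",
    "Mar 22 09:04:00 gw sshd[1250]: Failed password for evil from bad.example port 1 ssh2",
    "Mar 22 09:04:10 gw sshd[1251]: Accepted publickey for carl from 192.168.1.5 port 60001 ssh2",
]

# Assumption: addresses that must never be blocked, however many failures they
# produce (local LAN and loopback here; adjust to the real environment).
NEVER_BLOCK = [ipaddress.ip_network("192.168.0.0/16"),
               ipaddress.ip_network("127.0.0.0/8")]


def parse_line(line, year=2007):
    """Return (timestamp, user, source) for a failed-password line, else None.
    Syslog timestamps carry no year, so one is assumed (2007, the post's year)."""
    m = FAILED_RE.search(line)
    ts = SYSLOG_TS_RE.match(line)
    if m is None or ts is None:
        return None
    when = datetime.strptime(f"{year} {ts.group(1)}", "%Y %b %d %H:%M:%S")
    user, source, _port = m.groups()
    return when, user, source


def validate_source(source):
    """Return the source as an ip_address object, or None if it is not a
    literal IP address or lies inside NEVER_BLOCK. The captured field is
    whatever the log line contained, so it is checked before it reaches a
    shell command or a firewall rule."""
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return None
    if any(addr in net for net in NEVER_BLOCK):
        return None
    return addr


def correlate(lines, window=60, thresh=3):
    """Sliding-window counterpart of sec's window=60 / thresh=3: an address is
    reported once it has `thresh` failures within `window` seconds.
    Returns (blocked, rejected): blocked is a list of (timestamp, address)
    decisions in log order, one per address; rejected lists source fields
    that did not pass validate_source."""
    recent = defaultdict(deque)   # address -> failure timestamps inside the window
    blocked, already, rejected = [], set(), []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue              # not a failed-password line
        when, _user, source = parsed
        addr = validate_source(source)
        if addr is None:
            rejected.append(source)
            continue
        q = recent[addr]
        q.append(when)
        while (when - q[0]).total_seconds() > window:
            q.popleft()           # drop failures older than the window
        if len(q) >= thresh and addr not in already:
            already.add(addr)
            blocked.append((when, str(addr)))
    return blocked, rejected


def ipfw_rule(addr, rule_number=25, iface="tun0"):
    """The argv that the post's ipfwadd.sh runs, built as a list so the address
    is passed as one argument rather than interpolated into a shell string.
    Rule number and interface are the post's values."""
    return ["/sbin/ipfw", "add", str(rule_number), "deny", "log", "tcp",
            "from", str(addr), "to", "any", "in", "via", iface]


if __name__ == "__main__":
    decisions, bad = correlate(SAMPLE_LOG)
    for when, addr in decisions:
        print(when, " ".join(ipfw_rule(addr)))
    for src in bad:
        print("ignored non-address source field:", src)
```

Run as written, only 203.0.113.7 is reported: its three failures fall within eight seconds, while 198.51.100.9 also fails three times but spread over more than a minute, so its window never holds three entries. Widening the window (correlate(SAMPLE_LOG, window=300)) catches the second address too, which is the trade-off the window parameter controls in the sec rule.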