From owner-freebsd-security@FreeBSD.ORG Thu Aug 21 18:05:27 2008
From: Mikhail Teterin
Date: Thu, 21 Aug 2008 13:38:38 -0400
To: freebsd-security@freebsd.org, freebsd-stable@FreeBSD.org
Subject: machine hangs on occasion - correlated with ssh break-in attempts

Hello!

A machine I manage remotely for a friend comes under a distributed ssh
break-in attack every once in a while. Annoyed (and alarmed) by messages
like:

    Aug 12 10:21:17 symbion sshd[4333]: Invalid user mythtv from 85.234.158.180
    Aug 12 10:21:18 symbion sshd[4335]: Invalid user mythtv from 85.234.158.180
    Aug 12 10:21:20 symbion sshd[4337]: Invalid user mythtv from 85.234.158.180
    Aug 12 10:21:21 symbion sshd[4339]: Invalid user mythtv from 85.234.158.180

I wrote an awk-script, which adds a block of the attacking IP-address to
the ipfw-rules after three such "invalid user" attempts with:

    ipfw add 550 deny ip from ip

The script is fed by syslogd directly -- through a syslog.conf rule
("|/opt/sbin/auth-log-watch").

Once in a while I manually flush these rules... Is this a good (safe)
reaction?

I'm asking, because the machine (currently running 7.0 as of July 7)
hangs solid once every few weeks... My only guess is that a spike in
attacks causes "too many" ipfw-entries created, which paralyzes the
kernel due to some bug -- the machine is running natd and is the gateway
for the rest of the network...

The hangs could, of course, be caused by something else entirely, but my
self-defense mechanism is my first suspect...

Any comments? Thanks!

	-mi
From owner-freebsd-security@FreeBSD.ORG Thu Aug 21 18:47:24 2008
From: David Wolfskill
Date: Thu, 21 Aug 2008 11:31:30 -0700
Subject: Re: machine hangs on occasion - correlated with ssh break-in attempts

On Thu, Aug 21, 2008 at 01:38:38PM -0400, Mikhail Teterin wrote:
> ...
> I wrote an awk-script, which adds a block of the attacking IP-address to
> the ipfw-rules after three such "invalid user" attempts with:
>
> ipfw add 550 deny ip from ip
>
> The script is fed by syslogd directly -- through a syslog.conf rule
> ("|/opt/sbin/auth-log-watch").
> ...

At a previous employer, we were building mail relay boxen (FreeBSD 6.0 -
6.2 timeframe); at one point, It Was Decided that rather than having
/var/log/maillog written directly by syslogd(8), syslogd(8) would feed a
Perl script that would do some "Database Things" and then get around to
appending to /var/log/maillog itself.

While the amount of work involved was assuredly greater in that case than
in yours, those of us who were actually building and running the relays
in question were very unsurprised when Postfix performance improved
significantly following a redesign of the application, so that
/var/log/maillog was written by syslogd(8) and the Perl script was
effectively fed via "tail -F".

> Once in a while I manually flush these rules... Is this a good (safe)
> reaction?

I also see such things (on my home "firewall" machine); my approach is
quite a bit different. If folks are interested, I could probably discuss
it a bit, but I believe that would be, at best, tangential to your note,
and thus ought not be crafted as if it were part of the thread -- and
definitely does not warrant the cross-post.

> ...

Peace,
david
-- 
David H. Wolfskill				david@catwhisker.org
Depriving a girl or boy of an opportunity for education is evil.

See http://www.catwhisker.org/~david/publickey.gpg for my public key.
From owner-freebsd-security@FreeBSD.ORG Thu Aug 21 19:00:34 2008
From: "Kevin Oberman"
Date: Thu, 21 Aug 2008 11:49:47 -0700
Subject: Re: machine hangs on occasion - correlated with ssh break-in attempts

> Date: Thu, 21 Aug 2008 13:38:38 -0400
> From: Mikhail Teterin
> Sender: owner-freebsd-stable@freebsd.org
>
> Hello!
>
> A machine I manage remotely for a friend comes under a distributed ssh
> break-in attack every once in a while. Annoyed (and alarmed) by
> messages like:
>
> Aug 12 10:21:17 symbion sshd[4333]: Invalid user mythtv from 85.234.158.180
> Aug 12 10:21:18 symbion sshd[4335]: Invalid user mythtv from 85.234.158.180
> Aug 12 10:21:20 symbion sshd[4337]: Invalid user mythtv from 85.234.158.180
> Aug 12 10:21:21 symbion sshd[4339]: Invalid user mythtv from 85.234.158.180
>
> I wrote an awk-script, which adds a block of the attacking IP-address to
> the ipfw-rules after three such "invalid user" attempts with:
>
> ipfw add 550 deny ip from ip
>
> The script is fed by syslogd directly -- through a syslog.conf rule
> ("|/opt/sbin/auth-log-watch").
>
> Once in a while I manually flush these rules... Is this a good (safe)
> reaction?
> I'm asking, because the machine (currently running 7.0 as of July 7)
> hangs solid once every few weeks... My only guess is that a spike in
> attacks causes "too many" ipfw-entries created, which paralyzes the
> kernel due to some bug -- the machine is running natd and is the gateway
> for the rest of the network...
> The hangs could, of course, be caused by something else entirely, but my
> self-defense mechanism is my first suspect...
>
> Any comments? Thanks!

Looks remarkably like sshguard (ports/security/sshguard-*). It does
almost exactly what you are doing but is written in C and has
command-line switches to set how long a system is blocked, how many
attempts constitute an attack and how long it should remember failed
attempts. It also allows the use of back-end scripts if you want it to
do something else such as generate reports (beyond an entry in
/var/log/messages).

As far as the hangs, I don't believe it is from the large number of
brute force attempts as they will stop for a given host as soon as the
firewall is updated. I seldom see more than a handful of attack sources
over any short period.

Should you want to continue with your own tool, at least for IPv4,
consider using tables rather than a raft of rules. With tables, you need
only a single rule and it is there at boot time.
-- 
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman@es.net			Phone: +1 510 486-8634
Key fingerprint:059B 2DDF 031C 9BA3 14A4  EADA 927D EBB3 987B 3751

From owner-freebsd-security@FreeBSD.ORG Thu Aug 21 19:49:02 2008
From: Jan Stary
Date: Thu, 21 Aug 2008 21:36:09 +0200
Subject: Re: machine hangs on occasion - correlated with ssh break-in attempts

> Should you want to continue with your own tool, at least for IPv4,
> consider using tables rather than a raft of rules. With tables, you need
> only a single rule and it is there at boot time.

Also, you might want to consider switching to pf, which has this
functionality built-in.

	Jan
From owner-freebsd-security@FreeBSD.ORG Thu Aug 21 19:51:46 2008
From: Neil Neely
Date: Thu, 21 Aug 2008 13:28:30 -0600
Subject: Re: machine hangs on occasion - correlated with ssh break-in attempts

I haven't explored this issue enough to speak with any authority - but
once upon a time I had an app doing tons of ipfw rule add/removes all
the time and we had no end of performance and stability problems on
that box (this would have been in 4.x or so timeline I expect). As
that approach wasn't really critical we abandoned it without really
digging into the details.

Years later a need for lots of rapid firewall changes came up again
and I drilled into it and found the use of tables was excellent for
doing this and it does the job very well. This approach is on a
FreeBSD 6.3 box.

    ipfw add 00550 deny ip from 'table(1)' to any

Then just add/remove entries to table 1 via:

    ipfw table 1 add 10.1.1.22/32
    ipfw table 1 delete 10.1.1.22/32

Show all entries in table 1 with:

    ipfw table 1 list

Clear out the whole of table 1:

    ipfw table 1 flush

I can't be sure if this relates to your particular issue, but I would
recommend trying it out.

Neil Neely
http://neil-neely.blogspot.com

On Aug 21, 2008, at 11:38 AM, Mikhail Teterin wrote:

> Hello!
>
> A machine I manage remotely for a friend comes under a distributed
> ssh break-in attack every once in a while. Annoyed (and alarmed) by
> messages like:
>
> Aug 12 10:21:17 symbion sshd[4333]: Invalid user mythtv from 85.234.158.180
> Aug 12 10:21:18 symbion sshd[4335]: Invalid user mythtv from 85.234.158.180
> Aug 12 10:21:20 symbion sshd[4337]: Invalid user mythtv from 85.234.158.180
> Aug 12 10:21:21 symbion sshd[4339]: Invalid user mythtv from 85.234.158.180
>
> I wrote an awk-script, which adds a block of the attacking IP-
> address to the ipfw-rules after three such "invalid user" attempts
> with:
>
> ipfw add 550 deny ip from ip
>
> The script is fed by syslogd directly -- through a syslog.conf rule
> ("|/opt/sbin/auth-log-watch").
>
> Once in a while I manually flush these rules... Is this a good (safe)
> reaction?
> I'm asking, because the machine (currently running 7.0 as of July 7)
> hangs solid once every few weeks... My only guess is that a spike in
> attacks causes "too many" ipfw-entries created, which paralyzes the
> kernel due to some bug -- the machine is running natd and is the
> gateway for the rest of the network...
> The hangs could, of course, be caused by something else entirely,
> but my self-defense mechanism is my first suspect...
>
> Any comments? Thanks!
>
> -mi

From owner-freebsd-security@FreeBSD.ORG Thu Aug 21 19:54:18 2008
From: Mikhail Teterin
Date: Thu, 21 Aug 2008 15:54:15 -0400
Subject: Re: machine hangs on occasion - correlated with ssh break-in attempts

Neil Neely wrote:
> I haven't explored this issue enough to speak with any authority - but
> once upon a time I had an app doing tons of ipfw rule add/removes all
> the time and we had no end of performance and stability problems on
> that box (this would have been in 4.x or so timeline I expect). As
> that approach wasn't really critical we abandoned it without really
> digging into the details.
>
> Years later a need for lots of rapid firewall changes came up again
> and I drilled into it and found the use of tables was excellent for
> doing this and it does the job very well. This approach is on a
> FreeBSD 6.3 box.
>
> ipfw add 00550 deny ip from 'table(1)' to any
>
> Then just add/remove entries to table 1 via:
> ipfw table 1 add 10.1.1.22/32
> ipfw table 1 delete 10.1.1.22/32
>
> Show all entries in table 1 with:
> ipfw table 1 list
>
> Clear out the whole of table 1:
> ipfw table 1 flush
>
> I can't be sure if this relates to your particular issue, but I would
> recommend trying it out.

Thanks! I was not even aware of this functionality... Yes, I'll try that
-- maybe, a bug in ipfw only hits once per 1000 invocations :-)

	-mi

From owner-freebsd-security@FreeBSD.ORG Thu Aug 21 20:15:18 2008
From: Christian Laursen
Date: Thu, 21 Aug 2008 21:58:00 +0200
Subject: Re: machine hangs on occasion - correlated with ssh break-in attempts
Mikhail Teterin writes:

> A machine I manage remotely for a friend comes under a distributed ssh
> break-in attack every once in a while. Annoyed (and alarmed) by
> messages like:
>
> Aug 12 10:21:17 symbion sshd[4333]: Invalid user mythtv from 85.234.158.180
> Aug 12 10:21:18 symbion sshd[4335]: Invalid user mythtv from 85.234.158.180
> Aug 12 10:21:20 symbion sshd[4337]: Invalid user mythtv from 85.234.158.180
> Aug 12 10:21:21 symbion sshd[4339]: Invalid user mythtv from 85.234.158.180
>
> I wrote an awk-script, which adds a block of the attacking IP-address
> to the ipfw-rules after three such "invalid user" attempts with:
>
> ipfw add 550 deny ip from ip

I don't know if it will make your problem go away, but using ipfw tables
for this seems to be a better idea than creating a new rule for every IP
address.

So you just need one rule:

    ipfw add 550 deny ip from table(1)

And then when you want to add an IP address to the table:

    ipfw table 1 add

You can add ranges too using the CIDR notation.

-- 
Christian Laursen
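The watcher the original post describes, rebuilt around the ipfw tables that Kevin, Neil and Christian suggest, as an added example that is not code from anyone in this thread: it counts "Invalid user" lines per source address, prints an "ipfw table N add" command once an address reaches the threshold, and caps how many addresses one run may add (a cheap guard against the rule-exhaustion scenario Jeremy raises further down). The threshold, table number, cap, function names and sample log lines are all assumptions; the script only prints commands and never calls ipfw itself.

```shell
#!/bin/sh
# Added example, not the thread's /opt/sbin/auth-log-watch. Reads sshd log
# lines on stdin and prints ipfw *table* commands instead of adding one
# numbered rule per address. Pipe the output to sh (as root) to apply it.

# rule_command TABLE: the single static rule that references the table.
# The table name is quoted so the parentheses survive the shell.
rule_command() {
    printf 'ipfw add 550 deny ip from "table(%s)" to any\n' "${1:-1}"
}

# flush_command TABLE: the equivalent of the original poster's manual flush.
flush_command() {
    printf 'ipfw table %s flush\n' "${1:-1}"
}

# block_commands THRESHOLD TABLE MAX: emit one "ipfw table N add A/32" per
# source address that reaches THRESHOLD "Invalid user" attempts, at most MAX
# addresses per run. Only dotted-quad IPv4 is accepted, since ipfw tables
# on 7.x are IPv4-only. Defaults (3, 1, 1000) are assumptions.
block_commands() {
    awk -v thr="${1:-3}" -v tbl="${2:-1}" -v max="${3:-1000}" '
    /Invalid user/ {
        # the address is the word after the last "from"; this also copes
        # with newer sshd lines that append "port N"
        ip = ""
        for (i = NF - 1; i > 0; i--) if ($i == "from") { ip = $(i + 1); break }
        if (ip == "") next
        # accept only four numeric octets in the range 0-255
        n = split(ip, o, ".")
        if (n != 4) next
        for (i = 1; i <= 4; i++) if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) next
        hits[ip]++
        # fire exactly once, when the count crosses the threshold, and
        # stop adding addresses once the per-run cap is reached
        if (hits[ip] == thr && !(ip in blocked) && nblocked < max) {
            blocked[ip] = 1
            nblocked++
            printf "ipfw table %s add %s/32\n", tbl, ip
        }
    }'
}

# Constructed sample log (documentation addresses, not real attackers):
# 192.0.2.10 fails three times, 198.51.100.7 twice, 203.0.113.5 three
# times; one IPv6 source and one successful login are present as noise.
sample_log() {
    cat <<'EOF'
Aug 12 10:21:17 symbion sshd[4333]: Invalid user mythtv from 192.0.2.10
Aug 12 10:21:18 symbion sshd[4335]: Invalid user mythtv from 198.51.100.7
Aug 12 10:21:20 symbion sshd[4337]: Invalid user admin from 192.0.2.10 port 51234
Aug 12 10:21:21 symbion sshd[4339]: Accepted publickey for mi from 192.0.2.10 port 40122 ssh2
Aug 12 10:21:22 symbion sshd[4341]: Invalid user test from 2001:db8::1
Aug 12 10:21:23 symbion sshd[4343]: Invalid user mythtv from 192.0.2.10
Aug 12 10:21:24 symbion sshd[4345]: Invalid user mythtv from 198.51.100.7
Aug 12 10:21:25 symbion sshd[4347]: Invalid user mythtv from 192.0.2.10
Aug 12 10:21:26 symbion sshd[4349]: Invalid user oracle from 203.0.113.5
Aug 12 10:21:27 symbion sshd[4351]: Invalid user oracle from 203.0.113.5
Aug 12 10:21:28 symbion sshd[4353]: Invalid user oracle from 203.0.113.5
EOF
}

# Stand-alone demo: print the rule, then the adds the sample would trigger.
rule_command 1
sample_log | block_commands 3 1 1000
```

Feed it from tail -F on the auth log rather than a syslog.conf pipe, as David's relay experience suggests, and pipe the printed commands to sh only once you are happy with what they would do.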
From owner-freebsd-security@FreeBSD.ORG Thu Aug 21 20:21:23 2008
From: Jeremy Chadwick
Date: Thu, 21 Aug 2008 13:03:09 -0700
Subject: Re: machine hangs on occasion - correlated with ssh break-in attempts

On Thu, Aug 21, 2008 at 01:38:38PM -0400, Mikhail Teterin wrote:
> Hello!
>
> A machine I manage remotely for a friend comes under a distributed ssh
> break-in attack every once in a while. Annoyed (and alarmed) by
> messages like:
>
> Aug 12 10:21:17 symbion sshd[4333]: Invalid user mythtv from 85.234.158.180
> Aug 12 10:21:18 symbion sshd[4335]: Invalid user mythtv from 85.234.158.180
> Aug 12 10:21:20 symbion sshd[4337]: Invalid user mythtv from 85.234.158.180
> Aug 12 10:21:21 symbion sshd[4339]: Invalid user mythtv from 85.234.158.180
>
> I wrote an awk-script, which adds a block of the attacking IP-address to
> the ipfw-rules after three such "invalid user" attempts with:
>
> ipfw add 550 deny ip from ip
>
> The script is fed by syslogd directly -- through a syslog.conf rule
> ("|/opt/sbin/auth-log-watch").
>
> Once in a while I manually flush these rules... Is this a good (safe)
> reaction?
> I'm asking, because the machine (currently running 7.0 as of July 7)
> hangs solid once every few weeks... My only guess is that a spike in
> attacks causes "too many" ipfw-entries created, which paralyzes the
> kernel due to some bug -- the machine is running natd and is the gateway
> for the rest of the network...
> The hangs could, of course, be caused by something else entirely, but my
> self-defense mechanism is my first suspect...
>
> Any comments? Thanks!

Yes, I have quite a few comments on this matter:

The above looks like sshguard. I've personally never trusted something
that *automatically* adjusts firewall rules based on data read from text
logs or packets coming in off the Internet. The risks involved are
insanely high.

Stop for a moment and think what would happen to your box if a
distributed brute-force attack (e.g. 300,000 different IPs) was launched
against it; someone executing 20-30 SSH login attempts per IP. I'm
willing to bet adding 300,000 individual ipfw entries would cause some
serious havoc on your machine (speculative: exhausted kernel memory, or
at a bare minimum, exhaust the number of remaining ipfw rule entries)

And yes, the likelihood of someone doing this is quite high.

Try re-thinking your firewall logic. Instead of "allow any, deny
specific IPs dynamically", how about "allow specific IPs, deny all
others"? Surely you don't have that many users who SSH into the NAT
router from random public IPs all over the world, rather than via the
LAN? Surely if you yourself often SSH into your NAT router from a
Blackberry device, that you wouldn't have much of a problem adding a /19
to the allow list. That's a hell of a lot better than allowing 0/0 and
denying individual /32s.

A different approach: consider putting sshd on a different port, rather
than the default of 22. A lot of people I know do this, solely to
decrease the number of brute-force attempts you see above; I've never
seen any of those brute-force attacking programs portscan, then attack
against a port which returns an OpenSSH string.

Finally, consider moving to pf instead, if you really feel ipfw is
what's causing your machine to crash. You might be pleasantly surprised
by the syntax, and overall administrative usability (it is significantly
superior to ipfw, IMHO).

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |

From owner-freebsd-security@FreeBSD.ORG Thu Aug 21 20:25:00 2008
From: Rink Springer
Date: Thu, 21 Aug 2008 22:10:42 +0200
Subject: Re: machine hangs on occasion - correlated with ssh break-in attempts

On Thu, Aug 21, 2008 at 01:03:09PM -0700, Jeremy Chadwick wrote:
> Finally, consider moving to pf instead, if you really feel ipfw is
> what's causing your machine to crash. You might be pleasantly surprised
> by the syntax, and overall administrative usability (it is significantly
> superior to ipfw, IMHO).

In fact, pf can already do this out-of-the-box, by doing something like:

    table persist
    pass quick on $wan_if proto tcp from any to any port ssh flags S/SA keep state \
        (max-src-conn 15, max-src-conn-rate 5/3, overload flush global)

If that is not an option, I have found that security/denyhosts works
pretty well too (it just adds IPs to /etc/hosts.deniedssh, and
host_access(5) denies them based on this)

Regards,

-- 
Rink P.W. Springer                                - http://rink.nu
"Anyway boys, this is America. Just because you get more votes doesn't
 mean you win."
        - Fox Mulder

From owner-freebsd-security@FreeBSD.ORG Thu Aug 21 20:28:07 2008
From: Mikhail Teterin
Date: Thu, 21 Aug 2008 16:28:05 -0400
Subject: Re: machine hangs on occasion - correlated with ssh break-in attempts

Jeremy Chadwick wrote:
> The above looks like sshguard.

Yes, several people have pointed this out. Thanks!

> I've personally never trusted something that *automatically* adjusts
> firewall rules based on data read from text logs or packets coming in
> off the Internet. The risks involved are insanely high.

An IP participating in a detected attack like this one may also be the
source of another problem, which may not be detected... I can't afford
to monitor this system at all times, hence the reliance on automatic
defenses -- better to crash/reboot than be taken over...

> Stop for a moment and think what would happen to your box if a
> distributed brute-force attack (e.g. 300,000 different IPs) was launched
> against it; someone executing 20-30 SSH login attempts per IP. I'm
> willing to bet adding 300,000 individual ipfw entries would cause some
> serious havoc on your machine (speculative: exhausted kernel memory, or
> at a bare minimum, exhaust the number of remaining ipfw rule entries)

Yes, this is something I suspect is happening. But shouldn't there be
some frantic messages, when the system is getting closer to this point?
There is nothing in the logs...

> Surely you don't have that many users who SSH into the NAT router from
> random public IPs all over the world, rather than via the LAN? Surely
> if you yourself often SSH into your NAT router from a Blackberry device,
> that you wouldn't have much of a problem adding a /19 to the allow list.
> That's a hell of a lot better than allowing 0/0 and denying individual
> /32s.

Myself -- and the owner of the box -- travel quite a bit, ssh-ing "home"
from anywhere in the world. Although we could, I suppose, find out the
destination-country's IP-allocation and add it before leaving, that would
be quite tedious to manage...

> A different approach: consider putting sshd on a different port, rather
> than the default of 22. A lot of people I know do this, solely to
> decrease the number of brute-force attempts you see above; I've never
> seen any of those brute-force attacking programs portscan, then attack
> against a port which returns an OpenSSH string.

That sounds kinda lame -- and temporary... Like buying an SUV to be
higher (and heavier) than other cars, this only works until everyone has
an SUV :-) Once enough people move their sshd to different ports, the
next release of the ssh-attack will be doing the portscanning, no
doubt... Essential liberty vs. temporary security and all that :)

> Finally, consider moving to pf instead, if you really feel ipfw is
> what's causing your machine to crash. You might be pleasantly surprised
> by the syntax, and overall administrative usability (it is significantly
> superior to ipfw, IMHO).

Thanks for the suggestion... But would this solve the suspected problems
with kernel memory exhaustion, etc.? Whatever the firewall method, it
still needs to keep the rules memorized somewhere...
Yours, -mi From owner-freebsd-security@FreeBSD.ORG Thu Aug 21 20:31:02 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id D92B8106566B for ; Thu, 21 Aug 2008 20:31:02 +0000 (UTC) (envelope-from julian@elischer.org) Received: from outC.internet-mail-service.net (outc.internet-mail-service.net [216.240.47.226]) by mx1.freebsd.org (Postfix) with ESMTP id BB8588FC27 for ; Thu, 21 Aug 2008 20:31:02 +0000 (UTC) (envelope-from julian@elischer.org) Received: from idiom.com (mx0.idiom.com [216.240.32.160]) by out.internet-mail-service.net (Postfix) with ESMTP id EC99C24A9; Thu, 21 Aug 2008 13:31:10 -0700 (PDT) Received: from julian-mac.elischer.org (localhost [127.0.0.1]) by idiom.com (Postfix) with ESMTP id 173E22D607E; Thu, 21 Aug 2008 13:31:02 -0700 (PDT) Message-ID: <48ADD084.9070707@elischer.org> Date: Thu, 21 Aug 2008 13:31:00 -0700 From: Julian Elischer User-Agent: Thunderbird 2.0.0.16 (Macintosh/20080707) MIME-Version: 1.0 To: Kevin Oberman References: <20080821184947.BDAE94500F@ptavv.es.net> In-Reply-To: <20080821184947.BDAE94500F@ptavv.es.net> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Mailman-Approved-At: Thu, 21 Aug 2008 21:14:45 +0000 Cc: Mikhail Teterin , freebsd-stable@FreeBSD.org, freebsd-security@freebsd.org Subject: Re: machine hangs on occasion - correlated with ssh break-in attempts X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 21 Aug 2008 20:31:02 -0000 Kevin Oberman wrote: >> Date: Thu, 21 Aug 2008 13:38:38 -0400 >> From: Mikhail Teterin >> Sender: owner-freebsd-stable@freebsd.org >> >> Hello! 
>> >> A machine I manage remotely for a friend comes under a distributed ssh >> break-in attack every once in a while. Annoyed (and alarmed) by the >> messages like: >> >> Aug 12 10:21:17 symbion sshd[4333]: Invalid user mythtv from 85.234.158.180 >> Aug 12 10:21:18 symbion sshd[4335]: Invalid user mythtv from 85.234.158.180 >> Aug 12 10:21:20 symbion sshd[4337]: Invalid user mythtv from 85.234.158.180 >> Aug 12 10:21:21 symbion sshd[4339]: Invalid user mythtv from 85.234.158.180 >> >> I wrote an awk-script, which adds a block of the attacking IP-address to >> the ipfw-rules after three such "invalid user" attempts with: >> >> ipfw add 550 deny ip from ip >> >> The script is fed by syslogd directly -- through a syslog.conf rule >> ("|/opt/sbin/auth-log-watch"). >> >> Once in a while I manually flush these rules... I this a good (safe) >> reaction? >> I'm asking, because the machine (currently running 7.0 as of July 7) >> hangs solid once every few weeks... My only guess is that a spike in >> attacks causes "too many" ipfw-entries created, which paralyzes the >> kernel due to some bug -- the machine is running natd and is the gateway >> for the rest of the network... >> The hangs could, of course, be caused by something else entirely, but my >> self-defense mechanism is my first suspect... >> >> Any comments? Thanks! also, if you do this, have a single rule that uses a table and add the addresses to the table. > > Looks remarkably like sshguard (ports/security/sshguard-*). It does almost > exactly what you are doing but is written in C and has command-line > switches to set how long a system is blocked, how many attempts > constitute an attack and how long it should remember failed attempts. It > also allows the use of back-end scripts if you want it to do something > else such as generate reports (beyond an entry in /var/log/messages). 
> > As far as the hangs, I don't believe it is from the large nu,ber of > brute force attempts as they will stop for a given host as soon as the > firewall is updated. I seldom see more than a handful of attack sources > over any short period. > > Should you want to continue with your own tool, at least for IPv4, > consider using tables rather than a raft of rules. With tables, you need > only a single rule and it is there at boot time. From owner-freebsd-security@FreeBSD.ORG Thu Aug 21 20:36:31 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 6CD2F1065674; Thu, 21 Aug 2008 20:36:31 +0000 (UTC) (envelope-from brooks@lor.one-eyed-alien.net) Received: from lor.one-eyed-alien.net (cl-162.ewr-01.us.sixxs.net [IPv6:2001:4830:1200:a1::2]) by mx1.freebsd.org (Postfix) with ESMTP id D87FD8FC14; Thu, 21 Aug 2008 20:36:30 +0000 (UTC) (envelope-from brooks@lor.one-eyed-alien.net) Received: from lor.one-eyed-alien.net (localhost [127.0.0.1]) by lor.one-eyed-alien.net (8.14.2/8.14.2) with ESMTP id m7LKb3oq047754; Thu, 21 Aug 2008 15:37:03 -0500 (CDT) (envelope-from brooks@lor.one-eyed-alien.net) Received: (from brooks@localhost) by lor.one-eyed-alien.net (8.14.2/8.14.2/Submit) id m7LKb3AZ047753; Thu, 21 Aug 2008 15:37:03 -0500 (CDT) (envelope-from brooks) Date: Thu, 21 Aug 2008 15:37:03 -0500 From: Brooks Davis To: Rink Springer Message-ID: <20080821203703.GA47728@lor.one-eyed-alien.net> References: <48ADA81E.7090106@aldan.algebra.com> <20080821200309.GA19634@eos.sc1.parodius.com> <20080821201042.GA56182@rink.nu> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="82I3+IH0IqGh5yIs" Content-Disposition: inline In-Reply-To: <20080821201042.GA56182@rink.nu> User-Agent: Mutt/1.5.17 (2007-11-01) X-Mailman-Approved-At: Thu, 21 Aug 2008 21:14:54 +0000 Cc: Mikhail Teterin , Jeremy Chadwick , 
freebsd-stable@freebsd.org, freebsd-security@freebsd.org Subject: Re: machine hangs on occasion - correlated with ssh break-in attempts X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 21 Aug 2008 20:36:31 -0000 --82I3+IH0IqGh5yIs Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Thu, Aug 21, 2008 at 10:10:42PM +0200, Rink Springer wrote: > On Thu, Aug 21, 2008 at 01:03:09PM -0700, Jeremy Chadwick wrote: > > Finally, consider moving to pf instead, if you really feel ipfw is > > what's causing your machine to crash. You might be pleasantly surprised > > by the syntax, and overall administrative usability (it is significantly > > superior to ipfw, IMHO). >=20 > In fact, pf can already do this out-of-the-box, by doing something like: >=20 > table persist > pass quick on $wan_if proto tcp from any to any port ssh flags S/SA keep > state \ > (max-src-conn 15, max-src-conn-rate 5/3, overload flush > global) >=20 > If that is not an option, I have found that security/denyhosts works > pretty well too (it just adds IP's to /etc/hosts.deniedssh, and > host_access(5) denies them based on this) You almost certainly don't want to rate limit ssh connections, only failed ones. If you rate limit connections and use svn, you're likely to lock your self out. 
-- Brooks --82I3+IH0IqGh5yIs Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (FreeBSD) iD8DBQFIrdHuXY6L6fI4GtQRAnmFAJsHxkpSK8Zx3QWdr/ksFolpRXNtIgCgyEbc WqAu2UPpH5xE7+ZF0xj8b+U= =qS2/ -----END PGP SIGNATURE----- --82I3+IH0IqGh5yIs-- From owner-freebsd-security@FreeBSD.ORG Thu Aug 21 20:42:54 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 7101E1065671; Thu, 21 Aug 2008 20:42:54 +0000 (UTC) (envelope-from imb@protected-networks.net) Received: from sarah.protected-networks.net (sarah.protected-networks.net [IPv6:2001:470:1f07:4e1::1]) by mx1.freebsd.org (Postfix) with ESMTP id 302A08FC14; Thu, 21 Aug 2008 20:42:54 +0000 (UTC) (envelope-from imb@protected-networks.net) Received: from [127.0.0.1] (localhost [IPv6:::1]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) (Authenticated sender: imb) by sarah.protected-networks.net (Postfix) with ESMTPSA id BE34360E6; Thu, 21 Aug 2008 16:42:52 -0400 (EDT) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=protected-networks.net; s=200705; t=1219351372; bh=KK+AEJnLLE33So DuAFoZRMzki8FZD0G1VmIC0D446oQ=; h=Message-ID:Date:From:MIME-Version: To:CC:Subject:References:In-Reply-To:Content-Type: Content-Transfer-Encoding; b=BloMN3c0iSvGZGYIiUDkzNFlOdFLgbQ3be08c gKftgzv1kj3heN0GNw349ZhOgsJJU2kwsA5DaS+RExKss9PWpIRbsJNbheCfaDRgiBJ +RVl1Y/j6SjYx74cBPeeZ3Dl DomainKey-Signature: a=rsa-sha1; s=200509; d=protected-networks.net; c=nofws; q=dns; h=message-id:date:from:user-agent:mime-version:to:cc:subject: references:in-reply-to:content-type:content-transfer-encoding; b=d0N4S8yomGDcQ1T+g9LqIkleRT0oCpa3uxTLD3V41lIb1XBMELRWNCFwbfyLJtDnf 7EVTvBDgsxfCKextW0U/idxsfayTFayyYtYCIZY8E+FNyuFhXWfWqliS1s9D2iY Message-ID: <48ADD33A.9030907@protected-networks.net> Date: Thu, 21 Aug 2008 16:42:34 -0400 From: 
Michael Butler User-Agent: Thunderbird 2.0.0.16 (Windows/20080708) MIME-Version: 1.0 To: freebsd-stable@FreeBSD.org References: <48ADA81E.7090106@aldan.algebra.com> <48ADCDAD.80507@gmail.com> In-Reply-To: <48ADCDAD.80507@gmail.com> Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-Mailman-Approved-At: Thu, 21 Aug 2008 21:15:03 +0000 Cc: freebsd-security@freebsd.org Subject: Re: machine hangs on occasion - correlated with ssh break-in attempts X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 21 Aug 2008 20:42:54 -0000 I do something related to this with fwlogwatch although it can probably be adapted to any similar tool; when I hit the 'block' threshold, I execute something like: #!/bin/sh HR=`date "+%-k"` /sbin/ipfw table 0 add $3 ${HR} .. so each entry has a tag indicating the hour at which the block was initiated. At 5 to the hour, I run a simple cron job which does this to clean out everything older than 24 hours .. #!/bin/sh HR=`date -v+1H "+%-k"` /sbin/ipfw table 0 list >/tmp/xx.$$ cat /tmp/xx.$$ | while read LINE do set $LINE case "$2" in ${HR}) /sbin/ipfw table 0 delete $1 echo -n `date +"%H:%M:%S"` >>/var/log/fwlw_clean_log echo " fwlw_clean: removed $1 from table 0" >>/var/log/fwlw_clean_log esac done rm /tmp/xx.$$ I also have a script in /usr/local/etc/rc.d which saves the current state in the event of an orderly shutdown and restores it on boot: #!/bin/sh case "$1" in start) cat /var/db/ipfw/cache0 | while read LINE do set $LINE /sbin/ipfw table 0 add $1 $2 done ;; stop) /sbin/ipfw table 0 list >/var/db/ipfw/cache0 ;; restart) $0 $DEBUG stop $0 $DEBUG start exit $? 
;; *) echo "Usage: $0 {start|stop|restart}" exit 1 ;; esac exit 0 Of course, this only works for ipv4 because of the restriction on the ipfw table data but it's just an example, Michael From owner-freebsd-security@FreeBSD.ORG Thu Aug 21 20:52:14 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 9D29D1065680 for ; Thu, 21 Aug 2008 20:52:14 +0000 (UTC) (envelope-from ebutusov@gmail.com) Received: from gv-out-0910.google.com (gv-out-0910.google.com [216.239.58.191]) by mx1.freebsd.org (Postfix) with ESMTP id 2904D8FC16 for ; Thu, 21 Aug 2008 20:52:13 +0000 (UTC) (envelope-from ebutusov@gmail.com) Received: by gv-out-0910.google.com with SMTP id n8so64041gve.39 for ; Thu, 21 Aug 2008 13:52:12 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from :user-agent:mime-version:to:cc:subject:references:in-reply-to :content-type:content-transfer-encoding; bh=EDuOhvDUm+gZQaGvsDadUB4J98BJ2sp8S2PPO8moSY0=; b=HGCWiE0t4RZdWGzncpMk98VEni7lJbFJdPA+xiRa1bANEKVMHq3fVa7DXWxje5TjOC bLjg9ASyFt52/XVn3ujOxZXghTJypSifANWBh46xpspgpf2y9Cdf0zOozYQlAs6ujqE9 LJGOZby3aQXurpZBiprjVhktRB+ukpUA9tZqs= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; b=tm1MnpScRYCsLaCsOuQ/zghqqJV91SLoQtSMBaa9Lm4m6a+aN0j933IJpTDQv4n6yD Pi6li69L3H7eMomVOyvI5ZMQlWEi7OhofChoTpo47ftf5lsY4s2sIKOasWB8hQXGYm6o Z0Mssr128tkm2GsHdPqcmSKdWL4MgkTF1ToNk= Received: by 10.210.16.17 with SMTP id 17mr287674ebp.38.1219349996538; Thu, 21 Aug 2008 13:19:56 -0700 (PDT) Received: from ?192.168.0.51? 
( [195.136.67.137]) by mx.google.com with ESMTPS id d23sm1981707nfh.11.2008.08.21.13.19.55 (version=TLSv1/SSLv3 cipher=RC4-MD5); Thu, 21 Aug 2008 13:19:55 -0700 (PDT) Message-ID: <48ADCDAD.80507@gmail.com> Date: Thu, 21 Aug 2008 22:18:53 +0200 From: Eugene Butusov User-Agent: Thunderbird 2.0.0.16 (Windows/20080708) MIME-Version: 1.0 To: Mikhail Teterin References: <48ADA81E.7090106@aldan.algebra.com> In-Reply-To: <48ADA81E.7090106@aldan.algebra.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Mailman-Approved-At: Thu, 21 Aug 2008 21:15:16 +0000 Cc: freebsd-security@freebsd.org, freebsd-stable@FreeBSD.org Subject: Re: machine hangs on occasion - correlated with ssh break-in attempts X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 21 Aug 2008 20:52:14 -0000 Mikhail Teterin pisze: > Hello! > > A machine I manage remotely for a friend comes under a distributed ssh > break-in attack every once in a while. Annoyed (and alarmed) by the > messages like: > > Aug 12 10:21:17 symbion sshd[4333]: Invalid user mythtv from 85.234.158.180 > Aug 12 10:21:18 symbion sshd[4335]: Invalid user mythtv from 85.234.158.180 > Aug 12 10:21:20 symbion sshd[4337]: Invalid user mythtv from 85.234.158.180 > Aug 12 10:21:21 symbion sshd[4339]: Invalid user mythtv from 85.234.158.180 > > I wrote an awk-script, which adds a block of the attacking IP-address to > the ipfw-rules after three such "invalid user" attempts with: > > ipfw add 550 deny ip from ip > > The script is fed by syslogd directly -- through a syslog.conf rule > ("|/opt/sbin/auth-log-watch"). Hi, You should look at 'bruteblock' (ports/security), it has similar fuctionality. It also provides daemon process, bruteblockd, which is responsible for removing entries from ipfw table. 
Best regards, -- _/_/ .. Eugene Butusov _/_/ ... www.devilka.info _/_/ .... ebutusov(at)gmail(dot)com From owner-freebsd-security@FreeBSD.ORG Thu Aug 21 21:37:34 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 4CB101065672 for ; Thu, 21 Aug 2008 21:37:34 +0000 (UTC) (envelope-from security@jim-liesl.org) Received: from smtp2.mc.surewest.net (qsmtp.mc.surewest.net [66.60.130.145]) by mx1.freebsd.org (Postfix) with SMTP id 2B17E8FC16 for ; Thu, 21 Aug 2008 21:37:34 +0000 (UTC) (envelope-from security@jim-liesl.org) Received: (qmail 23509 invoked from network); 21 Aug 2008 14:10:56 -0700 Received: by simscan 1.1.0 ppid: 23503, pid: 23504, t: 0.0778s scanners: regex: 1.1.0 attach: 1.1.0 Received: from unknown (HELO smtp.jim-liesl.org) (66.60.173.44) by smtp2 with SMTP; 21 Aug 2008 14:10:56 -0700 Received: from smtp.jim-liesl.org (localhost.static.surewest.net [127.0.0.1]) by smtp.jim-liesl.org (Postfix) with ESMTP id F3E125DDD; Thu, 21 Aug 2008 14:10:53 -0700 (PDT) Received: from [IPv6:::1] (daemon.static.surewest.net [192.168.1.15]) by smtp.jim-liesl.org (Postfix) with ESMTP id 325FE5DDC; Thu, 21 Aug 2008 14:10:52 -0700 (PDT) Message-ID: <48ADD9DB.8060805@jim-liesl.org> Date: Thu, 21 Aug 2008 14:10:51 -0700 From: security User-Agent: Thunderbird 2.0.0.16 (Windows/20080708) MIME-Version: 1.0 To: Mikhail Teterin References: <48ADA81E.7090106@aldan.algebra.com> <48ADC7E7.9030907@aldan.algebra.com> In-Reply-To: <48ADC7E7.9030907@aldan.algebra.com> X-Enigmail-Version: 0.95.6 Content-Type: text/plain; charset=KOI8-U; format=flowed Content-Transfer-Encoding: 8bit X-Virus-Scanned: ClamAV using ClamSMTP X-Mailman-Approved-At: Thu, 21 Aug 2008 22:01:08 +0000 Cc: freebsd-security@freebsd.org Subject: Re: machine hangs on occasion - correlated with ssh break-in attempts X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list 
List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 21 Aug 2008 21:37:34 -0000 Mikhail Teterin wrote: > Neil Neely ΞΑΠΙΣΑΧ(ΜΑ): >> I haven't explored this issue enough to speak with any authority - >> but once upon a time I had an app doing tons of ipfw rule add/removes >> all the time and we had no end of performance and stability problems >> on that box (this would have been in 4.x or so timeline I expect). >> As that approach wasn't really critical we abandoned it without >> really digging into the details. >> >> Years later a need for lots of rapid firewall changes came up again >> and I drilled into it and found the use of tables was excellent for >> doing this and it does the job very well. This is approach is on a >> FreeBSD 6.3 box. >> >> ipfw add 00550 deny ip from 'table(1)' to any >> >> Then just add remove entries to table 1 via: >> ipfw table 1 add 10.1.1.22/32 >> ipfw table 1 delete 10.1.1.22/32 >> >> show all entries in table 1 with: >> ipfw table 1 list >> >> Clear out the whole of table 1 >> ipfw table 1 flush >> >> I can't be sure if this relates to your particular issue, but I would >> recommend trying it out. > Thanks! I was not even aware of this functionality... Yes, I'll try > that -- maybe, a bug in ipfw only hits once per 1000 invocations :-) > > -mi blocksshd uses pf and a table to contain the addresses. 
you might want to check it out From owner-freebsd-security@FreeBSD.ORG Thu Aug 21 22:22:21 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 6759A1065677 for ; Thu, 21 Aug 2008 22:22:21 +0000 (UTC) (envelope-from mi+mill@aldan.algebra.com) Received: from mail8.sea5.speakeasy.net (mail8.sea5.speakeasy.net [69.17.117.10]) by mx1.freebsd.org (Postfix) with ESMTP id 3E7558FC15 for ; Thu, 21 Aug 2008 22:22:21 +0000 (UTC) (envelope-from mi+mill@aldan.algebra.com) Received: (qmail 24564 invoked from network); 21 Aug 2008 22:22:20 -0000 Received: from aldan.algebra.com (HELO [127.0.0.1]) (mi@[216.254.65.224]) (envelope-sender ) by mail8.sea5.speakeasy.net (qmail-ldap-1.03) with SMTP for ; 21 Aug 2008 22:22:20 -0000 Message-ID: <48ADEA96.70203@aldan.algebra.com> Date: Thu, 21 Aug 2008 18:22:14 -0400 From: Mikhail Teterin User-Agent: Thunderbird 2.0.0.16 (X11/20080707) MIME-Version: 1.0 To: Ross Wheeler References: <48ADA81E.7090106@aldan.algebra.com> <20080821200309.GA19634@eos.sc1.parodius.com> <48ADCFD5.8020902@aldan.algebra.com> <20080822074020.G32956@ali-syd-1.albury.net.au> In-Reply-To: <20080822074020.G32956@ali-syd-1.albury.net.au> Content-Type: text/plain; charset=KOI8-U; format=flowed Content-Transfer-Encoding: 8bit X-Mailman-Approved-At: Thu, 21 Aug 2008 22:58:32 +0000 Cc: freebsd-security@freebsd.org, Jeremy Chadwick , freebsd-stable@freebsd.org Subject: Re: machine hangs on occasion - correlated with ssh break-in attempts X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 21 Aug 2008 22:22:21 -0000 Ross Wheeler ΞΑΠΙΣΑΧ(ΜΑ): > I overcame these conflicting requirements with a 2-step process. 
They > "authorised" user first browsed to a website which asked their > username and password. When entered correctly, it opened a hole in the > firewall to allow that IP to their network. A timer ran every 15 > minutes to close the hole (but was over-ridden by the web page which > kept refreshing every 10 mins). The last part may not be necessary for > you, but this may be a possible workaround for your traveling access. > Leave a default of deny any except from trusted, fixed hosts, and add > transient access as required. This approach (or port-knocking of some sort) is good, but I'm not that worried about the sshd itself -- and the /detected/ attacks against it. It is the /undetected/ attacks against other services (such as apache), that worry me, and locking-out a rogue IP-address /completely/ is what I'd like to do. So your method would not work for me -- reaching the web-page (to allow myself a way back in) will be just as impossible as reaching the ssh-port... Thanks. Yours, -mi From owner-freebsd-security@FreeBSD.ORG Thu Aug 21 22:25:32 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 31D681065679; Thu, 21 Aug 2008 22:25:32 +0000 (UTC) (envelope-from rossw@albury.net.au) Received: from mail.albury.net.au (ali-syd-1.albury.net.au [202.3.36.15]) by mx1.freebsd.org (Postfix) with ESMTP id BCC6A8FC16; Thu, 21 Aug 2008 22:25:31 +0000 (UTC) (envelope-from rossw@albury.net.au) Received: from ali-syd-1.albury.net.au (ali-syd-1.albury.net.au [202.3.36.15]) by mail.albury.net.au (8.13.6/8.13.6) with ESMTP id m7LLmDqi090234; Fri, 22 Aug 2008 07:48:14 +1000 (EST) (envelope-from rossw@albury.net.au) Date: Fri, 22 Aug 2008 07:48:13 +1000 (EST) From: Ross Wheeler To: Mikhail Teterin In-Reply-To: <48ADCFD5.8020902@aldan.algebra.com> Message-ID: <20080822074020.G32956@ali-syd-1.albury.net.au> References: <48ADA81E.7090106@aldan.algebra.com> 
<20080821200309.GA19634@eos.sc1.parodius.com> <48ADCFD5.8020902@aldan.algebra.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-3.0 (mail.albury.net.au [202.3.36.15]); Fri, 22 Aug 2008 07:48:14 +1000 (EST) X-Mailman-Approved-At: Thu, 21 Aug 2008 22:58:39 +0000 Cc: freebsd-security@freebsd.org, Jeremy Chadwick , freebsd-stable@freebsd.org Subject: Re: machine hangs on occasion - correlated with ssh break-in attempts X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 21 Aug 2008 22:25:32 -0000 On Thu, 21 Aug 2008, Mikhail Teterin wrote: >> Surely you don't have that many users who SSH into the NAT router from >> random public IPs all over the world, rather than via the LAN? Surely >> if you yourself often SSH into your NAT router from a Blackberry device, >> that you wouldn't have much of a problem adding a /19 to the allow list. >> That's a hell of a lot better than allowing 0/0 and denying individual >> /32s. >> > Myself -- and the owner of the box -- travel quite a bit, ssh-ing "home" from > anywhere in the world. Although we could, I suppose, find out the > destination-country's IP-allocation and add it before leaving, that would be > quite tedious to manage... One of my clients used to have a microwave link from my network to their office - and they were totally paranoid about remote access yet needed live IPs fr other reasons. They too needed frequent remote access from arbitary addresses. I overcame these conflicting requirements with a 2-step process. They "authorised" user first browsed to a website which asked their username and password. When entered correctly, it opened a hole in the firewall to allow that IP to their network. 
A timer ran every 15 minutes to close the hole (but was over-ridden by the web page which kept refreshing every 10 mins). The last part may not be necessary for you, but this may be a possible workaround for your traveling access. Leave a default of deny any except from trusted, fixed hosts, and add transient access as required. (The system did fail where your browser was proxied, but I catered for that for the "network guys" by lettig them enter an IP address to open along with their user/pass - it just defaulted to the requesting host to make it easy) YMMV. RossW From owner-freebsd-security@FreeBSD.ORG Thu Aug 21 23:45:04 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 9B143106567D for ; Thu, 21 Aug 2008 23:45:04 +0000 (UTC) (envelope-from SRS0=r7rl1T=ZA=tmo.blackberry.net=draco2002@srs.bis.na.blackberry.com) Received: from smtp08.bis.na.blackberry.com (smtp08.bis.na.blackberry.com [216.9.248.55]) by mx1.freebsd.org (Postfix) with ESMTP id 627758FC15 for ; Thu, 21 Aug 2008 23:45:04 +0000 (UTC) (envelope-from SRS0=r7rl1T=ZA=tmo.blackberry.net=draco2002@srs.bis.na.blackberry.com) Received: from bxe020.bisx.prod.on.blackberry (bxe020.bisx.prod.on.blackberry [172.20.225.39]) by srs.bis.na.blackberry.com (8.13.7 TEAMON/8.13.7) with ESMTP id m7LN2gjS008214; Thu, 21 Aug 2008 23:16:01 GMT X-rim-org-msg-ref-id: 1078856133 Message-ID: <1078856133-1219360561-cardhu_decombobulator_blackberry.rim.net-634451014-@bxe020.bisx.prod.on.blackberry> Content-Transfer-Encoding: base64 X-Priority: Normal References: <48ADA81E.7090106@aldan.algebra.com> In-Reply-To: <48ADA81E.7090106@aldan.algebra.com> Sensitivity: Normal Importance: Normal To: "Mikhail Teterin" , freebsd-security@freebsd.org From: "Dan Rowe" Date: Thu, 21 Aug 2008 23:14:31 +0000 Content-Type: text/plain MIME-Version: 1.0 Cc: Subject: Re: machine hangs on occasion - correlated with ssh 
break-in attempts X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: dan@dracosplace.com List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 21 Aug 2008 23:45:04 -0000 TWF5IG9yIG1heSBub3QgYmUgYW4gb3B0aW9uLCBidXQgY2hhbmdpbmcgdGhlIGRlZmF1bHQgcG9y dCB0aGF0IHNzaCBydW5zIG9uIHdvcmtlZCB3ZWxsIGVub3VnaCBmb3Igb3VyIG5lZWRzLiAtLUl0 IGdyZWF0bHkgcmVkdWNlZCB0aGUgbnVtYmVyIG9mIGF1dG9tYXRlZCBhdHRhY2tzIGFnYWluc3Qg dGhlIHNlcnZlcnMuDQpJdCBtaWdodCB3b3JrIHdlbGwgZW5vdWdoIHRvIGFsbG93IHlvdXIgRElZ IHNjcmlwdCB0byBrZWVwIHVwIHdpdGhvdXQgcHJvYmxlbXMuDQoNCi1kYW4NCi0tLS0tT3JpZ2lu YWwgTWVzc2FnZS0tLS0tDQpGcm9tOiBNaWtoYWlsIFRldGVyaW4gPG1pK21pbGxAYWxkYW4uYWxn ZWJyYS5jb20+DQoNCkRhdGU6IFRodSwgMjEgQXVnIDIwMDggMTM6Mzg6MzggDQpUbzogPGZyZWVi c2Qtc2VjdXJpdHlAZnJlZWJzZC5vcmc+OyA8ZnJlZWJzZC1zdGFibGVARnJlZUJTRC5vcmc+DQpT dWJqZWN0OiBtYWNoaW5lIGhhbmdzIG9uIG9jY2FzaW9uIC0gY29ycmVsYXRlZCB3aXRoIHNzaCBi cmVhay1pbiBhdHRlbXB0cw0KDQoNCkhlbGxvIQ0KDQpBIG1hY2hpbmUgSSBtYW5hZ2UgcmVtb3Rl bHkgZm9yIGEgZnJpZW5kIGNvbWVzIHVuZGVyIGEgZGlzdHJpYnV0ZWQgc3NoDQpicmVhay1pbiBh dHRhY2sgZXZlcnkgb25jZSBpbiBhIHdoaWxlLiBBbm5veWVkIChhbmQgYWxhcm1lZCkgYnkgdGhl DQptZXNzYWdlcyBsaWtlOg0KDQpBdWcgMTIgMTA6MjE6MTcgc3ltYmlvbiBzc2hkWzQzMzNdOiBJ bnZhbGlkIHVzZXIgbXl0aHR2IGZyb20gODUuMjM0LjE1OC4xODANCkF1ZyAxMiAxMDoyMToxOCBz eW1iaW9uIHNzaGRbNDMzNV06IEludmFsaWQgdXNlciBteXRodHYgZnJvbSA4NS4yMzQuMTU4LjE4 MA0KQXVnIDEyIDEwOjIxOjIwIHN5bWJpb24gc3NoZFs0MzM3XTogSW52YWxpZCB1c2VyIG15dGh0 diBmcm9tIDg1LjIzNC4xNTguMTgwDQpBdWcgMTIgMTA6MjE6MjEgc3ltYmlvbiBzc2hkWzQzMzld OiBJbnZhbGlkIHVzZXIgbXl0aHR2IGZyb20gODUuMjM0LjE1OC4xODANCg0KSSB3cm90ZSBhbiBh d2stc2NyaXB0LCB3aGljaCBhZGRzIGEgYmxvY2sgb2YgdGhlIGF0dGFja2luZyBJUC1hZGRyZXNz IHRvDQp0aGUgaXBmdy1ydWxlcyBhZnRlciB0aHJlZSBzdWNoICJpbnZhbGlkIHVzZXIiIGF0dGVt cHRzIHdpdGg6DQoNCiAgICBpcGZ3IGFkZCA1NTAgZGVueSBpcCBmcm9tIGlwDQoNClRoZSBzY3Jp 
cHQgaXMgZmVkIGJ5IHN5c2xvZ2QgZGlyZWN0bHkgLS0gdGhyb3VnaCBhIHN5c2xvZy5jb25mIHJ1 bGUNCigifC9vcHQvc2Jpbi9hdXRoLWxvZy13YXRjaCIpLg0KDQpPbmNlIGluIGEgd2hpbGUgSSBt YW51YWxseSBmbHVzaCB0aGVzZSBydWxlcy4uLiBJIHRoaXMgYSBnb29kIChzYWZlKQ0KcmVhY3Rp b24/DQpJJ20gYXNraW5nLCBiZWNhdXNlIHRoZSBtYWNoaW5lIChjdXJyZW50bHkgcnVubmluZyA3 LjAgYXMgb2YgSnVseSA3KQ0KaGFuZ3Mgc29saWQgb25jZSBldmVyeSBmZXcgd2Vla3MuLi4gTXkg b25seSBndWVzcyBpcyB0aGF0IGEgc3Bpa2UgaW4NCmF0dGFja3MgY2F1c2VzICJ0b28gbWFueSIg aXBmdy1lbnRyaWVzIGNyZWF0ZWQsIHdoaWNoIHBhcmFseXplcyB0aGUNCmtlcm5lbCBkdWUgdG8g c29tZSBidWcgLS0gdGhlIG1hY2hpbmUgaXMgcnVubmluZyBuYXRkIGFuZCBpcyB0aGUgZ2F0ZXdh eQ0KZm9yIHRoZSByZXN0IG9mIHRoZSBuZXR3b3JrLi4uDQpUaGUgaGFuZ3MgY291bGQsIG9mIGNv dXJzZSwgYmUgY2F1c2VkIGJ5IHNvbWV0aGluZyBlbHNlIGVudGlyZWx5LCBidXQgbXkNCnNlbGYt ZGVmZW5zZSBtZWNoYW5pc20gaXMgbXkgZmlyc3Qgc3VzcGVjdC4uLg0KDQpBbnkgY29tbWVudHM/ IFRoYW5rcyENCg0KICAgIC1taQ0KDQpfX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f X19fX19fX19fX19fXw0KZnJlZWJzZC1zZWN1cml0eUBmcmVlYnNkLm9yZyBtYWlsaW5nIGxpc3QN Cmh0dHA6Ly9saXN0cy5mcmVlYnNkLm9yZy9tYWlsbWFuL2xpc3RpbmZvL2ZyZWVic2Qtc2VjdXJp dHkNClRvIHVuc3Vic2NyaWJlLCBzZW5kIGFueSBtYWlsIHRvICJmcmVlYnNkLXNlY3VyaXR5LXVu c3Vic2NyaWJlQGZyZWVic2Qub3JnIg0K From owner-freebsd-security@FreeBSD.ORG Thu Aug 21 23:52:40 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 9B236106566B for ; Thu, 21 Aug 2008 23:52:40 +0000 (UTC) (envelope-from dewayne_freebsd@yahoo.com) Received: from n19.bullet.mail.mud.yahoo.com (n19.bullet.mail.mud.yahoo.com [68.142.206.146]) by mx1.freebsd.org (Postfix) with SMTP id 5D5748FC18 for ; Thu, 21 Aug 2008 23:52:40 +0000 (UTC) (envelope-from dewayne_freebsd@yahoo.com) Received: from [209.191.108.96] by n19.bullet.mail.mud.yahoo.com with NNFMP; 21 Aug 2008 23:39:33 -0000 Received: from [216.252.122.217] by t3.bullet.mud.yahoo.com with NNFMP; 21 Aug 2008 23:39:33 -0000 Received: from [69.147.84.34] by 
t2.bullet.sp1.yahoo.com with NNFMP; 21 Aug 2008 23:39:33 -0000 Received: from [127.0.0.1] by omp210.mail.sp1.yahoo.com with NNFMP; 21 Aug 2008 23:39:33 -0000 X-Yahoo-Newman-Property: ymail-5 X-Yahoo-Newman-Id: 663871.89794.bm@omp210.mail.sp1.yahoo.com Received: (qmail 9852 invoked by uid 60001); 21 Aug 2008 23:39:33 -0000 DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=Received:X-Mailer:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type:Message-ID; b=4vlmdkMM4wsVpLPfGfcwS/4rRFnljTj+vpR+qxfnB6WXDPsHtiTPmitcrtxZpuJ+76OwtfLQOZhaM1XMBkJf+oMHFuRGKgvtYr7SLjZBi2htz8SsfDSCVIbMip8VTFMXaX83y7jREjCvZRE/bs9vmZkorPtz4n4G+cHBR3dp22M=; Received: from [58.172.113.127] by web46413.mail.sp1.yahoo.com via HTTP; Thu, 21 Aug 2008 16:39:32 PDT X-Mailer: YahooMailWebService/0.7.218 Date: Thu, 21 Aug 2008 16:39:32 -0700 (PDT) From: Dewayne Geraghty To: Rink Springer , Brooks Davis In-Reply-To: <20080821203703.GA47728@lor.one-eyed-alien.net> MIME-Version: 1.0 Message-ID: <446595.9807.qm@web46413.mail.sp1.yahoo.com> X-Mailman-Approved-At: Thu, 21 Aug 2008 23:58:32 +0000 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Cc: Mikhail Teterin , Jeremy Chadwick , freebsd-stable@freebsd.org, freebsd-security@freebsd.org Subject: Re: machine hangs on occasion - correlated with ssh break-in attempts X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: dewayne_freebsd@yahoo.com List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 21 Aug 2008 23:52:40 -0000

There are many excellent suggestions on how to deal with invalid/unauthorised access attempts via ssh. I'd used sshguard for around 8 months but recently changed to bruteblock; both are in ports/security. sshguard was very easy to configure, via rc.conf arguments.
Bruteblock handled the same problem more elegantly: it uses two processes, one for monitoring audit.log via a pipe and one for maintaining the ipfw table entries; it uses the ipfw table value with the date/time entered, and the C code is cleaner (some optimisations are possible but this is V0.5).

If you'd like to try it, here are the steps I used to get it going:

Install the package.

Configure /usr/local/etc/bruteblock-ssh.conf (using the regexps from the sample, but modify the parameters to suit your environment):

    # "Invalid user" is what the sshd in this thread logs; older sshd wrote "Illegal user"
    regexp      = sshd.*(?:Illegal|Invalid) user \S+ from (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
    regexp1     = sshd.*Failed password for (?:(?:illegal|invalid) user )?\S+ from (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
    # three failures in 3 minutes is blocked for a day, using ipfw2 table 10
    max_count   = 3
    within_time = 180
    reset_ip    = 86400
    ipfw2_table_no = 10

Insert into "/etc/syslog.conf":

    auth.info;authpriv.info |exec /usr/local/sbin/bruteblock -f /usr/local/etc/bruteblock-ssh.conf

Add to the firewall rules (and /etc/rc.firewall):

    ipfw add 4 deny ip from table\(10\) to any
    ipfw add 4 deny ip from any to table\(10\)

Add into /etc/rc.conf:

    bruteblockd_enable="YES"
    bruteblockd_table="10"
    bruteblockd_flags="-s 7200"  # How frequently to review the ipfw table for entry removal

Now restart syslog, and start bruteblockd:

    /etc/rc.d/syslogd restart
    /usr/local/etc/rc.d/bruteblockd.sh start
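An added example, not Dewayne's or bruteblock's own code, that implements the same policy as the config above in Python: three matching failures from one source within 180 seconds emit an `ipfw table 10 add` command, and the entry is removed again after 86400 seconds, so the kernel carries one table lookup rather than one deny rule per address. It runs over the four log lines quoted in the thread plus constructed ones, assumes the year 2008 for the year-less syslog timestamps, and returns the ipfw commands instead of executing them.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# The two regexps from the bruteblock config above, widened to "Invalid user",
# which is what the sshd in this thread actually logs.
IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
PATTERNS = [
    re.compile(r"sshd.*(?:Illegal|Invalid) user \S+ from " + IPV4),
    re.compile(r"sshd.*Failed password for (?:(?:illegal|invalid) user )?\S+ from " + IPV4),
]
MAX_COUNT, WITHIN_TIME, RESET_IP, TABLE_NO = 3, 180, 86400, 10  # config values above


def parse_ts(line, year=2008):  # syslog lines carry no year; 2008 is assumed
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")


class Blocker:
    """Per-source sliding window feeding one ipfw table, not one rule per address."""
    def __init__(self):
        self.hits = defaultdict(deque)  # ip -> timestamps of recent failures
        self.blocked = {}               # ip -> time its table entry was added
        self.commands = []              # ipfw commands that would be executed

    def expire(self, now):
        # Drop entries older than RESET_IP so the table cannot grow without bound.
        for ip, since in list(self.blocked.items()):
            if (now - since).total_seconds() >= RESET_IP:
                del self.blocked[ip]
                self.commands.append(f"ipfw table {TABLE_NO} delete {ip}")

    def feed(self, line):
        """Consume one syslog line; return the ipfw command it triggered, if any."""
        now = parse_ts(line)
        self.expire(now)
        match = next((m for m in (p.search(line) for p in PATTERNS) if m), None)
        if match is None or match.group(1) in self.blocked:
            return None
        ip = match.group(1)
        window = self.hits[ip]
        window.append(now)
        while (now - window[0]).total_seconds() > WITHIN_TIME:
            window.popleft()  # forget failures outside the WITHIN_TIME window
        if len(window) < MAX_COUNT:
            return None
        window.clear()
        self.blocked[ip] = now
        cmd = f"ipfw table {TABLE_NO} add {ip}"
        self.commands.append(cmd)
        return cmd


# Constructed sample: the four lines quoted in the thread plus two made-up ones.
SAMPLE_LOG = [
    "Aug 12 10:21:17 symbion sshd[4333]: Invalid user mythtv from 85.234.158.180",
    "Aug 12 10:21:18 symbion sshd[4335]: Invalid user mythtv from 85.234.158.180",
    "Aug 12 10:21:20 symbion sshd[4337]: Invalid user mythtv from 85.234.158.180",
    "Aug 12 10:21:21 symbion sshd[4339]: Invalid user mythtv from 85.234.158.180",
    "Aug 12 10:25:00 symbion sshd[4401]: Failed password for invalid user admin from 10.0.0.5 port 4321 ssh2",
    "Aug 13 10:21:30 symbion sshd[5000]: Invalid user test from 10.0.0.5",
]


def run_sample():
    """Feed SAMPLE_LOG through a Blocker; return the commands it would have run."""
    blocker = Blocker()
    for line in SAMPLE_LOG:
        blocker.feed(line)
    return blocker.commands
```

The third line from 85.234.158.180 triggers the table add; the fourth is ignored because the source is already blocked, and the entry is deleted a day later when the next line arrives.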
From owner-freebsd-security@FreeBSD.ORG Fri Aug 22 06:59:09 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 2815A106566B for ; Fri, 22 Aug 2008 06:59:09 +0000 (UTC) (envelope-from hans@stare.cz) Received: from mail.czechdata.cz (mail.czechdata.cz [79.98.73.121]) by mx1.freebsd.org (Postfix) with ESMTP id BE3B48FC14 for ; Fri, 22 Aug 2008 06:59:07 +0000 (UTC) (envelope-from hans@stare.cz) Received: from 172.17.4.37 ([172.17.4.37]) by mail.czechdata.cz (602LAN SUITE 2004) id 368e939b; Fri, 22 Aug 2008 8:58:32 +0200 Received: by www.stare.cz (Postfix, from userid 1000) id A57FB30E1; Fri, 22 Aug 2008 08:58:28 +0200 (CEST) Date: Fri, 22 Aug 2008 08:58:28 +0200 From: Jan Stary To: Ross Wheeler Message-ID: <20080822065828.GA28155@www.stare.cz> References: <48ADA81E.7090106@aldan.algebra.com> <20080821200309.GA19634@eos.sc1.parodius.com> <48ADCFD5.8020902@aldan.algebra.com> <20080822074020.G32956@ali-syd-1.albury.net.au> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20080822074020.G32956@ali-syd-1.albury.net.au> User-Agent: Mutt/1.4.2.3i Cc: Mikhail Teterin , Jeremy Chadwick , freebsd-security@freebsd.org Subject: Re: machine hangs on occasion - correlated with ssh break-in attempts X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 22 Aug 2008 06:59:09 -0000

On Aug 22 07:48:13, Ross Wheeler wrote:
> On Thu, 21 Aug 2008, Mikhail Teterin wrote:
>
> >>Surely you don't have that many users who SSH into the NAT router from
> >>random public IPs all over the world, rather than via the LAN? Surely
> >>if you yourself often SSH into your NAT router from a Blackberry device,
> >>that you wouldn't have much of a problem adding a /19 to the allow list.
> >>That's a hell of a lot better than allowing 0/0 and denying individual
> >>/32s.
> >>
> >Myself -- and the owner of the box -- travel quite a bit, ssh-ing "home"
> >from anywhere in the world. Although we could, I suppose, find out the
> >destination-country's IP-allocation and add it before leaving, that would
> >be quite tedious to manage...
>
> One of my clients used to have a microwave link from my network to their
> office - and they were totally paranoid about remote access yet needed
> live IPs for other reasons.
>
> They too needed frequent remote access from arbitrary addresses.
>
> I overcame these conflicting requirements with a 2-step process. The
> "authorised" user first browsed to a website which asked their username
> and password. When entered correctly, it opened a hole in the firewall to
> allow that IP to their network. A timer ran every 15 minutes to close the
> hole (but was overridden by the web page which kept refreshing every 10
> mins). The last part may not be necessary for you, but this may be a
> possible workaround for your traveling access. Leave a default of deny any
> except from trusted, fixed hosts, and add transient access as required.

Eh? Sounds like a web-based reimplementation of authpf.
Jan

From owner-freebsd-security@FreeBSD.ORG Fri Aug 22 08:04:17 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id D4929106564A; Fri, 22 Aug 2008 08:04:17 +0000 (UTC) (envelope-from derek@computinginnovations.com) Received: from betty.computinginnovations.com (mail.computinginnovations.com [64.81.227.250]) by mx1.freebsd.org (Postfix) with ESMTP id 5C3FB8FC14; Fri, 22 Aug 2008 08:04:17 +0000 (UTC) (envelope-from derek@computinginnovations.com) Received: from p28.computinginnovations.com (dhcp-10-20-30-100.computinginnovations.com [10.20.30.100]) (authenticated bits=0) by betty.computinginnovations.com (8.14.2/8.14.2) with ESMTP id m7LISTQE047849; Thu, 21 Aug 2008 13:28:30 -0500 (CDT) (envelope-from derek@computinginnovations.com) Message-Id: <6.0.0.22.2.20080821132630.026c6a48@mail.computinginnovations.com> X-Sender: derek@mail.computinginnovations.com X-Mailer: QUALCOMM Windows Eudora Version 6.0.0.22 Date: Thu, 21 Aug 2008 13:28:22 -0500 To: Mikhail Teterin , freebsd-security@freebsd.org, freebsd-stable@freebsd.org From: Derek Ragona In-Reply-To: <48ADA81E.7090106@aldan.algebra.com> References: <48ADA81E.7090106@aldan.algebra.com> Mime-Version: 1.0 X-Antivirus: avast! (VPS 080821-0, 08/21/2008), Outbound message X-Antivirus-Status: Clean X-Virus-Scanned: ClamAV 0.93.3/8068/Thu Aug 21 10:50:39 2008 on betty.computinginnovations.com X-Virus-Status: Clean X-ComputingInnovations-MailScanner-Information: Please contact the ISP for more information X-MailScanner-ID: m7LISTQE047849 X-ComputingInnovations-MailScanner: Found to be clean X-ComputingInnovations-MailScanner-From: derek@computinginnovations.com X-Spam-Status: No Content-Type: text/plain; charset="us-ascii"; format=flowed X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Cc: Subject: Re: machine hangs on occasion - correlated with ssh break-in attempts X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 22 Aug 2008 08:04:17 -0000

At 12:38 PM 8/21/2008, Mikhail Teterin wrote:
>Hello!
>
>A machine I manage remotely for a friend comes under a distributed ssh
>break-in attack every once in a while. Annoyed (and alarmed) by the
>messages like:
>
>Aug 12 10:21:17 symbion sshd[4333]: Invalid user mythtv from 85.234.158.180
>Aug 12 10:21:18 symbion sshd[4335]: Invalid user mythtv from 85.234.158.180
>Aug 12 10:21:20 symbion sshd[4337]: Invalid user mythtv from 85.234.158.180
>Aug 12 10:21:21 symbion sshd[4339]: Invalid user mythtv from 85.234.158.180
>
>I wrote an awk-script, which adds a block of the attacking IP-address to
>the ipfw-rules after three such "invalid user" attempts with:
>
> ipfw add 550 deny ip from ip
>
>The script is fed by syslogd directly -- through a syslog.conf rule
>("|/opt/sbin/auth-log-watch").
>
>Once in a while I manually flush these rules... Is this a good (safe) reaction?
>I'm asking, because the machine (currently running 7.0 as of July 7) hangs
>solid once every few weeks... My only guess is that a spike in attacks
>causes "too many" ipfw-entries created, which paralyzes the kernel due to
>some bug -- the machine is running natd and is the gateway for the rest of
>the network...
>The hangs could, of course, be caused by something else entirely, but my
>self-defense mechanism is my first suspect...
>
>Any comments? Thanks!
>
> -mi

I doubt it is your script, or syslog, causing the crash. It is likely a hardware problem of some type if you have this server completely patched and up-to-date for security patches. I would look at the memory, ethernet, hard disk, or power supply as the most likely candidates.

-Derek

From owner-freebsd-security@FreeBSD.ORG Fri Aug 22 10:20:56 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id B83F81065674 for ; Fri, 22 Aug 2008 10:20:56 +0000 (UTC) (envelope-from freebsd-security@m.gmane.org) Received: from ciao.gmane.org (main.gmane.org [80.91.229.2]) by mx1.freebsd.org (Postfix) with ESMTP id 759C88FC2E for ; Fri, 22 Aug 2008 10:20:56 +0000 (UTC) (envelope-from freebsd-security@m.gmane.org) Received: from root by ciao.gmane.org with local (Exim 4.43) id 1KWTak-0004cg-CW for freebsd-security@freebsd.org; Fri, 22 Aug 2008 10:10:02 +0000 Received: from 195.208.174.178 ([195.208.174.178]) by main.gmane.org with esmtp (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for ; Fri, 22 Aug 2008 10:10:02 +0000 Received: from vadim_nuclight by 195.208.174.178 with local (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for ; Fri, 22 Aug 2008 10:10:02 +0000 X-Injected-Via-Gmane: http://gmane.org/ To: freebsd-security@freebsd.org From: Vadim Goncharov Date: Fri, 22 Aug 2008 09:52:49 +0000 (UTC) Organization: Nuclear Lightning @ Tomsk, TPU AVTF Hostel Lines: 42 Message-ID: References:
<488F2B57.7000706@wagsky.com> X-Complaints-To: usenet@ger.gmane.org X-Gmane-NNTP-Posting-Host: 195.208.174.178 X-Comment-To: Jeff Kletsky User-Agent: slrn/0.9.8.1 (FreeBSD) Sender: news X-Mailman-Approved-At: Fri, 22 Aug 2008 11:22:27 +0000 Subject: Re: ipfw "bug" - recv any = not recv any X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: vadim_nuclight@mail.ru List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 22 Aug 2008 10:20:56 -0000

Hi Jeff Kletsky!

On Tue, 29 Jul 2008 07:38:15 -0700; Jeff Kletsky wrote about 'Re: ipfw "bug" - recv any = not recv any':

>> In practice, both "recv any" and "not recv any" appear to be "no-op"
>> phrases.
>>
> [...]
>> In my opinion, the following would be "ideal"
>>
>> 1) "recv any" -- matches packets that have been received by the host
>> through one of its interfaces
>> 2) "not recv any" -- does not match packets that have been received by
>> the host through one of its interfaces
>>
>> Unfortunately, implementing (1) would likely break a lot of people's
>> rule sets
>>
>> (2), however, I can't immediately see being used without expecting that
>> it would fail to match packets that were received by the current host,
>> so its implementation would be a bit "safer" for the community
>>
> Julian Elischer suggested:
>> how does "not recv *" (appropriately escaped for your shell) do?
> This does appear to "work as desired" -- suggesting documentation
> clarification rather than functionality change

The trouble is that 'recv any' is considered useless (yes, on input it will always match, so why spend time on an additional check) and is optimised out by the parser, effectively cut out - the kernel doesn't know anything about "any". I don't know why this keyword still exists at all.

BTW, if you need to check for packets originating from the local host, why don't you use "from me" as the most intuitive approach?
> My apologies for not posting to the ipfw list.

Yes, that would be better...

--
WBR, Vadim Goncharov. ICQ#166852181 mailto:vadim_nuclight@mail.ru
[Moderator of RU.ANTI-ECOLOGY][FreeBSD][http://antigreen.org][LJ:/nuclight]

From owner-freebsd-security@FreeBSD.ORG Fri Aug 22 14:11:37 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id E33DE1065672; Fri, 22 Aug 2008 14:11:37 +0000 (UTC) (envelope-from mike@sentex.net) Received: from smarthost1.sentex.ca (smarthost1.sentex.ca [64.7.153.18]) by mx1.freebsd.org (Postfix) with ESMTP id 8E4D28FC08; Fri, 22 Aug 2008 14:11:31 +0000 (UTC) (envelope-from mike@sentex.net) Received: from lava.sentex.ca (pyroxene.sentex.ca [199.212.134.18]) by smarthost1.sentex.ca (8.14.2/8.14.2) with ESMTP id m7MDlxVm006045; Fri, 22 Aug 2008 09:47:59 -0400 (EDT) (envelope-from mike@sentex.net) Received: from mdt-xp.sentex.net (simeon.sentex.ca [192.168.43.27]) by lava.sentex.ca (8.13.8/8.13.3) with ESMTP id m7MDlwaN089762 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 22 Aug 2008 09:47:59 -0400 (EDT) (envelope-from mike@sentex.net) Message-Id: <200808221347.m7MDlwaN089762@lava.sentex.ca> X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9 Date: Fri, 22 Aug 2008 09:48:00 -0400 To: Brooks Davis From: Mike Tancsa In-Reply-To: <20080821203703.GA47728@lor.one-eyed-alien.net> References: <48ADA81E.7090106@aldan.algebra.com> <20080821200309.GA19634@eos.sc1.parodius.com> <20080821201042.GA56182@rink.nu> <20080821203703.GA47728@lor.one-eyed-alien.net> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed X-Scanned-By: MIMEDefang 2.64 on 64.7.153.18 Cc: Mikhail Teterin , freebsd-stable@freebsd.org, freebsd-security@freebsd.org Subject: Re: machine hangs on occasion - correlated with ssh break-in attempts X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 22 Aug 2008 14:11:38 -0000

At 04:37 PM 8/21/2008, Brooks Davis wrote:
>On Thu, Aug 21, 2008 at 10:10:42PM +0200, Rink Springer wrote:
> > On Thu, Aug 21, 2008 at 01:03:09PM -0700, Jeremy Chadwick wrote:
> > > Finally, consider moving to pf instead, if you really feel ipfw is
> > > what's causing your machine to crash. You might be pleasantly surprised
> > > by the syntax, and overall administrative usability (it is significantly
> > > superior to ipfw, IMHO).
> >
> > In fact, pf can already do this out-of-the-box, by doing something like:
> >
> > table <bruteforce> persist   # table name lost in extraction; <bruteforce> assumed
> > pass quick on $wan_if proto tcp from any to any port ssh flags S/SA keep state \
> >     (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
> >
> > If that is not an option, I have found that security/denyhosts works
> > pretty well too (it just adds IP's to /etc/hosts.deniedssh, and
> > host_access(5) denies them based on this)
>
>You almost certainly don't want to rate limit ssh connections, only failed
>ones. If you rate limit connections and use svn, you're likely to lock your
>self out.

I find a happy balance is to exclude trusted CIDR blocks from the rate limiting and let everything else be limited. e.g.

table <bruteforce> persist
table <trusted> { 192.168.0.0/16, 1.0.0.0/24 }   # table name lost in extraction; <trusted> is a placeholder
block log quick proto tcp from <bruteforce> to any port 22
block in log on $ext_if all
pass log quick proto { tcp } from { !<trusted> } to $myaddress port ssh \
    flags S/SA keep state \
    (max-src-conn 6, max-src-conn-rate 3/30, \
    overload <bruteforce> flush global)
pass in on $ext_if inet proto tcp from <trusted> to $ext_if port ssh keep state

and then a crontab entry

*/5 * * * * /usr/local/sbin/expiretable -v -t 5m bruteforce

---Mike