From: "fbsd_user" <fbsd_user@a1poweruser.com>
To: "Paul Hamilton", "'Daniel Gerzo'", questions@freebsd.org
Date: Thu, 26 Jan 2006 09:59:36 -0500
Subject: RE: auth.log & intruder prevention

What is happening to you is not unique. There are 4 common solutions to this problem.

1. The simplest is to add a deny rule to your firewall for the offending ip address.

2. Use the "routed blackhole" command.
   Example:
   To Add use:    route add -host attacker_ip 127.0.0.1 -blackhole
   To Delete use: route delete -host attacker_ip 127.0.0.1 -blackhole
   To List use:   netstat -nr | grep 127

   This is executed in the IP stack and is faster than in the firewall when you have over 20 of those special "deny this IP address" rules in the firewall. The "attacker_ip" is found in the log records in the /var/log/auth.log file. You can create a script (route_blackholed_ip.sh) containing route commands for all the IP addresses that have attacked you in the past and save it to /usr/local/etc/rc.d/ so it will be run at boot time.

*********** note **************
The problem using either of the above methods is the attacker may just use a different ip address in the same range. Depending on where your authorized traffic is coming from you can deny or blackhole the complete subnet. Even the whole xxx.0.0.0 by coding the ip address with /xx after it.
*********** note end **************

3. If you know the ip address of your authorized ssh users then add rules to your firewall to pass just those authorized ip addresses to port 22 and deny all else.

4. All of the above solutions will not stop the flow of traffic to port 22 driving up your bandwidth usage, just stop it from getting to ssh, which is already doing a fine job of stopping it now. The only way to reduce the unauthorized traffic to your port 22 is not to have port 22 open. In the ssh logon command you can enter the port number you have ssh using. So change the port ssh uses and the script kiddies will not be able to find your ssh access port. You can change the port ssh is listening on by editing the ssh entry in /etc/services to some high number port of your choosing and then have all your ssh users include that port number in their remote login command. Allow that port number to pass in your firewall and deny port 22. This way the attackers will not see the ssh port open and will not waste time on you any longer.
********** to get revenge on your attackers *************************
Attackers who beat on ssh/telnet/ftp are looking to break into your box, so they have to be using their real ip address to receive the response when they succeed (ie not using a spoofed ip address). If you use the ipfilter firewall you can use the FreeBSD port ppars-1.0 to read the log file and auto generate an email to the isp owner of the ip address range the attacker is using. Most ISPs around the world have usage user agreements that this attacking behavior is not allowed. In most cases the ISP will terminate the attacker's account. In time your ip address will become known as a place not to probe and your bandwidth usage will decline.

The install guide at www.a1poweruser.com (section 6.13 Defending Against Attacks) has a more detailed explanation.

-----Original Message-----
From: owner-freebsd-questions@freebsd.org [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Paul Hamilton
Sent: Wednesday, January 25, 2006 10:05 PM
To: 'Daniel Gerzo'; Ilias.Sachpazidis@igd.fraunhofer.de
Cc: questions@freebsd.org
Subject: RE: auth.log & intruder prevention

Hi Daniel,

On your web site, you show how easy it is to convert to IPTABLES. I presume then it would be quite easy to reconfigure to use IPFW as well?

Cheers,

Paul

> -----Original Message-----
> From: owner-freebsd-questions@freebsd.org [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Daniel Gerzo
> Sent: Wednesday, 25 January 2006 7:58 AM
> To: Ilias.Sachpazidis@igd.fraunhofer.de
> Cc: questions@freebsd.org
> Subject: Re: auth.log & intruder prevention
>
> On Tue, Jan 24, 2006 at 10:02:26PM +0100, Ilias Sachpazidis wrote:
> > Hi Everyone,
>
> hello,
>
> > In auth.log of my FreeBSD boxes I got many requests to port 22, as you
> > can see below.
> > ----begin of snippet
> > Jan 22 11:21:50 zeus sshd[92900]: Failed password for illegal user cracking from 65.208.188.105 port 58344 ssh2
> > Jan 22 11:21:53 zeus sshd[92902]: Failed password for illegal user hacking from 65.208.188.105 port 58443 ssh2
> > ----end of snippet
> >
> > I am wondering if any script is available to prevent hundreds of
> > attempts on port 22 from external IPs that constantly check user &
> > passwords on my FreeBSD PCs.
> >
> > What I am looking for is a daemon application/script that receives the
> > recorded data from auth.log and detects if any remote client (IP
> > address) is checking user and passwords (Detection pattern: 5 missing
> > attempts in 1 min). On a successful detection, the script should add
> > an ipfw rule rejecting further IP packets from the specific remote
> > address.
> >
> > Is any script or something similar available so far?
>
> I've written a BruteForceBlocker, you can install it from
> ports as well, check security/bruteforceblocker.
>
> Hope you will like it.
>
> --
> Sincerely,
> Daniel Gerzo

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
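Added example for this thread (not part of any message above, and not Daniel Gerzo's bruteforceblocker or any other project's code): a dry-run detector for the pattern Ilias asked for, 5 failed passwords from one address inside one minute, reported as the ipfw deny rule he wanted or as the blackhole route fbsd_user describes. The sample log lines are constructed in the format of the auth.log snippet above; the year used to parse syslog timestamps, the starting rule number, and the "Accepted publickey" noise line are assumptions. It prints the commands instead of running them, so the result can be reviewed before anything is applied to a live firewall or routing table.

```python
"""Dry-run detector for SSH password guessing in /var/log/auth.log.

Added example for this thread; not bruteforceblocker or any other
project's code.  It implements the rule asked for in the thread: 5 failed
passwords from one address inside 60 seconds (a sliding window, so five
failures spread over more than a minute do not trigger).  Matches are
printed as the ipfw deny rule or the blackhole route from the thread;
nothing is executed.
"""
import re
import sys
from collections import defaultdict, deque
from datetime import datetime

# Line shape taken from the snippet in the thread; the "illegal user" /
# "invalid user" prefix is optional so failures for real accounts match too.
FAILED_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"\S+ sshd\[\d+\]: Failed password for (?:illegal user |invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

THRESHOLD = 5        # failures ...
WINDOW_SECONDS = 60  # ... within this many seconds
YEAR = 2006          # assumed: syslog timestamps carry no year

# Constructed sample input in the format of the thread's snippet.
# 65.208.188.105 fails 5 times in 13 s; 203.0.113.9 spreads 5 failures over
# 65 s so it never has 5 inside one 60 s window; 198.51.100.7 fails twice.
SAMPLE_LOG = [
    "Jan 22 11:21:50 zeus sshd[92900]: Failed password for illegal user cracking from 65.208.188.105 port 58344 ssh2",
    "Jan 22 11:21:53 zeus sshd[92902]: Failed password for illegal user hacking from 65.208.188.105 port 58443 ssh2",
    "Jan 22 11:21:55 zeus sshd[92904]: Accepted publickey for paul from 198.51.100.7 port 40111 ssh2",
    "Jan 22 11:21:57 zeus sshd[92906]: Failed password for root from 65.208.188.105 port 58501 ssh2",
    "Jan 22 11:21:59 zeus sshd[92908]: Failed password for invalid user test from 65.208.188.105 port 58560 ssh2",
    "Jan 22 11:22:03 zeus sshd[92910]: Failed password for admin from 65.208.188.105 port 58612 ssh2",
    "Jan 22 11:30:00 zeus sshd[93001]: Failed password for root from 203.0.113.9 port 51000 ssh2",
    "Jan 22 11:30:15 zeus sshd[93003]: Failed password for root from 203.0.113.9 port 51010 ssh2",
    "Jan 22 11:30:30 zeus sshd[93005]: Failed password for root from 203.0.113.9 port 51020 ssh2",
    "Jan 22 11:30:45 zeus sshd[93007]: Failed password for root from 203.0.113.9 port 51030 ssh2",
    "Jan 22 11:31:05 zeus sshd[93009]: Failed password for root from 203.0.113.9 port 51040 ssh2",
    "Jan 22 11:40:10 zeus sshd[93100]: Failed password for paul from 198.51.100.7 port 40200 ssh2",
    "Jan 22 11:40:14 zeus sshd[93102]: Failed password for paul from 198.51.100.7 port 40201 ssh2",
]


def parse_failed_login(line):
    """Return (timestamp, ip) for a failed-password line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m['mon']} {m['day']} {m['time']}",
                           "%Y %b %d %H:%M:%S")
    return ts, m["ip"]


def find_offenders(lines, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """IPs that reach `threshold` failures within `window` seconds, in the
    order they were first detected."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    offenders = []
    for line in lines:
        parsed = parse_failed_login(line.rstrip("\n"))
        if parsed is None:
            continue
        ts, ip = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:   # expire old failures
            q.popleft()
        if len(q) >= threshold and ip not in offenders:
            offenders.append(ip)
    return offenders


def block_commands(ip, rule_number=None, method="ipfw"):
    """Commands (as strings) to block `ip`: an ipfw deny rule, or the
    blackhole route from the thread."""
    if method == "ipfw":
        num = f"{rule_number} " if rule_number else ""
        return [f"ipfw add {num}deny ip from {ip} to any"]
    if method == "blackhole":
        return [f"route add -host {ip} 127.0.0.1 -blackhole"]
    raise ValueError(f"unknown method {method!r}")


if __name__ == "__main__":
    # Usage: python3 ssh_guess_detect.py [/var/log/auth.log] [--blackhole]
    method = "blackhole" if "--blackhole" in sys.argv else "ipfw"
    paths = [a for a in sys.argv[1:] if not a.startswith("--")]
    lines = open(paths[0]) if paths else SAMPLE_LOG
    for n, ip in enumerate(find_offenders(lines)):
        rule = 1000 + n if method == "ipfw" else None   # assumed rule numbering
        for cmd in block_commands(ip, rule_number=rule, method=method):
            print(cmd)
```

Run without arguments it works on the constructed sample and prints one ipfw rule for 65.208.188.105; pass a path to read a real auth.log. The sliding window is the point of the design: a counter that is simply reset every minute would miss guesses that straddle the boundary, while expiring timestamps older than the window per source address catches them. Blocking whole subnets, as the note in the thread suggests, is a policy choice left to the operator and is not automated here.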