From: David Rawling <djr@pdconsec.net>
To: freebsd-questions@FreeBSD.ORG
Date: Sat, 02 Jan 2010 01:56:17 +1100
Subject: Blocking a slow-burning SSH bruteforce

I tend to think there's not much I can do about this, but I'll ask anyway.
I've implemented sshguard to block the normal bruteforce attacks, which seems to be working reasonably well. However, now I have the following:

Jan 1 17:42:52 timeserver sshd[1755]: error: PAM: authentication error for illegal user but from 190.146.246.36
Jan 1 17:55:09 timeserver sshd[1788]: error: PAM: authentication error for illegal user byung from 212.243.41.9
Jan 1 18:07:38 timeserver sshd[1809]: error: PAM: authentication error for illegal user cac from 148.233.140.193
Jan 1 18:20:06 timeserver sshd[1832]: error: PAM: authentication error for illegal user cachou from 121.52.215.180
Jan 1 18:32:21 timeserver sshd[1851]: error: PAM: authentication error for illegal user calla from 212.243.41.9
Jan 1 18:44:35 timeserver sshd[1884]: error: PAM: authentication error for illegal user calube from 83.211.160.211
Jan 1 19:09:12 timeserver sshd[1923]: error: PAM: authentication error for illegal user cancy from 194.51.12.238
Jan 1 19:21:35 timeserver sshd[1946]: error: PAM: authentication error for illegal user candice from 82.106.226.77
Jan 1 19:46:12 timeserver sshd[1997]: error: PAM: authentication error for illegal user candyw from 116.55.226.131

Now this seems to me to be a dictionary attack on timeserver, and I'd guess that it's a botnet behind it. It's rather sophisticated since it's only attempting 1 user and password combination per source, so it's far too little to trigger the sshguard rules. Even if it did trigger, it wouldn't prevent the attacks.

Apart from switching away from user authentication to private/public keys ... is there anything I can do to mitigate these attacks?

Any advice welcome.

Dave.

--
David Rawling
PD Consulting And Security
Mob: +61 412 135 513
Email: djr@pdconsec.net
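The pattern in the quoted log is exactly what per-source tools such as sshguard are blind to: each source IP makes one or two attempts, but taken together the failures arrive at a steady rate and the usernames walk through a dictionary in alphabetical order. The following Python script is an added example, not code from the post or from sshguard; it parses the PAM "illegal user" lines quoted above (embedded here as constructed sample input, with two constructed non-matching lines added to show the parser skips them) and flags a time window in which many failures come from many distinct sources with the usernames mostly in sorted order. The year, the window length and the thresholds are assumptions chosen to fit the quoted data, not recommended values.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample input: the nine lines quoted in the post, plus two
# constructed lines (a key login and a failure for a real user) that the
# parser must ignore.
SAMPLE_LOG = """\
Jan 1 17:42:52 timeserver sshd[1755]: error: PAM: authentication error for illegal user but from 190.146.246.36
Jan 1 17:55:09 timeserver sshd[1788]: error: PAM: authentication error for illegal user byung from 212.243.41.9
Jan 1 18:00:00 timeserver sshd[1800]: Accepted publickey for dave from 10.14.6.41 port 51234 ssh2
Jan 1 18:07:38 timeserver sshd[1809]: error: PAM: authentication error for illegal user cac from 148.233.140.193
Jan 1 18:10:00 timeserver sshd[1805]: error: PAM: authentication error for dave from 10.14.6.41
Jan 1 18:20:06 timeserver sshd[1832]: error: PAM: authentication error for illegal user cachou from 121.52.215.180
Jan 1 18:32:21 timeserver sshd[1851]: error: PAM: authentication error for illegal user calla from 212.243.41.9
Jan 1 18:44:35 timeserver sshd[1884]: error: PAM: authentication error for illegal user calube from 83.211.160.211
Jan 1 19:09:12 timeserver sshd[1923]: error: PAM: authentication error for illegal user cancy from 194.51.12.238
Jan 1 19:21:35 timeserver sshd[1946]: error: PAM: authentication error for illegal user candice from 82.106.226.77
Jan 1 19:46:12 timeserver sshd[1997]: error: PAM: authentication error for illegal user candyw from 116.55.226.131
"""

# Matches only the "illegal user" PAM failures shown in the post; syslog
# timestamps may carry one or two spaces before a single-digit day.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"error: PAM: authentication error for illegal user (?P<user>\S+) from (?P<src>\S+)$"
)


def parse(lines, year=2010):
    """Return (timestamp, username, source_ip) tuples for matching lines.
    syslog lines carry no year, so the caller supplies one (assumed 2010)."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["src"]))
    return events


def max_failures_per_source(events):
    """The number a per-IP blocker sees: the busiest single source."""
    return max(Counter(src for _, _, src in events).values(), default=0)


def find_slow_bruteforce(events, window_minutes=120, min_failures=5,
                         min_sources=4, min_sorted=0.8):
    """Slide a fixed window over the failures and report windows where the
    aggregate (not per-source) behaviour looks like one distributed
    dictionary run: enough failures, enough distinct sources, and the
    usernames mostly in ascending order. One alert per campaign window."""
    events = sorted(events)
    alerts = []
    i = 0
    while i < len(events):
        start = events[i][0]
        j = i
        while j < len(events) and events[j][0] - start <= timedelta(minutes=window_minutes):
            j += 1
        window = events[i:j]
        users = [u for _, u, _ in window]
        sources = {s for _, _, s in window}
        pairs = list(zip(users, users[1:]))
        sorted_fraction = (sum(a <= b for a, b in pairs) / len(pairs)) if pairs else 0.0
        if (len(window) >= min_failures and len(sources) >= min_sources
                and sorted_fraction >= min_sorted):
            alerts.append({
                "start": window[0][0],
                "end": window[-1][0],
                "failures": len(window),
                "distinct_sources": len(sources),
                "sorted_fraction": sorted_fraction,
                "users": users,
            })
            i = j  # skip past this window so the campaign yields one alert
        else:
            i += 1
    return alerts


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG.splitlines())
    print(f"parsed {len(ev)} illegal-user failures; busiest single source made "
          f"{max_failures_per_source(ev)} attempt(s)")
    for a in find_slow_bruteforce(ev):
        print(f"{a['start']:%H:%M}-{a['end']:%H:%M}: {a['failures']} failures from "
              f"{a['distinct_sources']} sources, usernames {a['sorted_fraction']:.0%} "
              f"in order: {' '.join(a['users'])}")
```

On the quoted data the busiest source (212.243.41.9) made two attempts, which no per-IP threshold will act on, while the aggregate view finds eight failures from seven sources with the usernames entirely in alphabetical order inside one two-hour window. That is the signal a defender can alert on, even though it identifies a campaign rather than a single address to block.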