From owner-freebsd-questions@FreeBSD.ORG  Wed Sep  8 12:32:22 2004
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 54CD116A4CE
	for <freebsd-questions@freebsd.org>;
	Wed,  8 Sep 2004 12:32:22 +0000 (GMT)
Received: from mail6.speakeasy.net (mail6.speakeasy.net [216.254.0.206])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 2A5D943D49
	for <freebsd-questions@freebsd.org>;
	Wed,  8 Sep 2004 12:32:22 +0000 (GMT)
	(envelope-from johnmills@speakeasy.net)
Received: (qmail 3873 invoked from network); 8 Sep 2004 12:32:21 -0000
Received: from dsl027-162-100.atl1.dsl.speakeasy.net (HELO otter.localdomain)
	([216.27.162.100])
	(envelope-sender <johnmills@speakeasy.net>)
	by mail6.speakeasy.net (qmail-ldap-1.03) with SMTP
	for <hoosyerdaddy@virginia.edu>; 8 Sep 2004 12:32:21 -0000
Received: from localhost (jmills@localhost)
	by otter.localdomain (8.11.6/8.11.6) with ESMTP id i88CWL805573;
	Wed, 8 Sep 2004 12:32:22 GMT
X-Authentication-Warning: otter.localdomain: jmills owned process doing -bs
Date: Wed, 8 Sep 2004 07:32:21 -0500 (EST)
From: John Mills <johnmills@speakeasy.net>
X-X-Sender: jmills@otter.localdomain
To: FreeBSD-questions <freebsd-questions@freebsd.org>
In-Reply-To: <20040908025940.GA12835@grimoire.chen.org.nz>
Message-ID: <Pine.LNX.4.44.0409080728520.5289-100000@otter.localdomain>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
cc: Jonathan Chen <jonc@chen.org.nz>
cc: Mike Galvez <hoosyerdaddy@virginia.edu>
Subject: Re: Tar pitting automated attacks
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: John Mills <john.m.mills@alum.mit.edu>
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>,
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>,
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Sep 2004 12:32:22 -0000

Ahh -

Exactly the scenario here, except the names were different (but similar) 
and the source IP was: 64.124.210.23

Thanks.

On Wed, 8 Sep 2004, Jonathan Chen wrote:

> On Tue, Sep 07, 2004 at 09:42:16AM -0400, Mike Galvez wrote:
> > I am seeing a lot of automated attacks lately against sshd such as:
> > 
> [...]
 > > Sep  6 12:16:39 www sshd[29901]: Failed password for illegal user 
server from 159.134.244.189 port 4044 ssh2
 > > Sep  6 12:16:41 www sshd[29902]: Failed password for illegal user 
adam from 159.134.244.189 port 4072 ssh2
 ... etc

> > Is there a method to make this more expensive to the attacker, such as
> > tar-pitting?

> Put in a ipfw block on the netblock/country. At the very least it will
> make it pretty slow for the initial TCP handshake.

 - John Mills
   john.m.mills@alum.mit.edu