From owner-freebsd-security@FreeBSD.ORG Mon Dec 19 20:22:02 2005
From: "Hadi Maleki"
To: freebsd-security@freebsd.org
Date: Mon, 19 Dec 2005 15:21:56 -0500
Subject: Brute Force Detection + Advanced Firewall Policy
List-Id: "Security issues \[members-only posting\]"

Any BFD/AFP software available for FreeBSD 4.10? I'm getting flooded with ssh and ftp attempts.
From owner-freebsd-security@FreeBSD.ORG Mon Dec 19 21:03:31 2005
From: Arne Woerner
To: freebsd-security@freebsd.org
Date: Mon, 19 Dec 2005 13:03:29 -0800 (PST)
Message-ID: <20051219210329.90107.qmail@web30311.mail.mud.yahoo.com>
Subject: Re: Brute Force Detection + Advanced Firewall Policy

--- Hadi Maleki wrote:
> Any BFD/AFP software available for FreeBSD 4.10?
>
> I'm getting flooded with ssh and ftp attempts.
>
What about a "white list"? I mean, three rules that block all incoming traffic to those ports (21, 22, the others), and then a rule for each "good IP" that allows the connection...

Some time ago I have read in this list something about attempts to guess a SSH username and password... Maybe u can find that thread in the archive via the Websearch interface?

Maybe it helps to disallow password authentication, because DSA public key authentication is much more fun for users and admins... :-))

-Arne

From owner-freebsd-security@FreeBSD.ORG Mon Dec 19 21:28:21 2005
From: Marian Hettwer
To: Hadi Maleki
Cc: freebsd-security@freebsd.org
Date: Mon, 19 Dec 2005 22:28:13 +0100
Message-ID: <43A725ED.5090502@kernel32.de>
Subject: Re: Brute Force Detection + Advanced Firewall Policy

Hi there,

Hadi Maleki wrote:
> Any BFD/AFP software available for FreeBSD 4.10?
>
If you would update to a recent FreeBSD Release, you could probably use some nice pf(4) things...

> I'm getting flooded with ssh and ftp attempts.
>
I recently stumbled over quite a nice pf.conf (see man pfctl for details), which blacklists for instance ssh connections if they occur too often in a certain amount of time. For example:

    # sshspammer table
    table <sshspammer> persist
    block log quick from <sshspammer>

    # more than 6 ssh attempts in 15 seconds will be blocked ;)
    pass in quick on $ext_if proto tcp to ($ext_if) port ssh $tcp_flags \
        (max-src-conn 10, max-src-conn-rate 6/15, overload <sshspammer> flush global)

HTH,
Marian

From owner-freebsd-security@FreeBSD.ORG Mon Dec 19 21:29:00 2005
From: Julian Elischer
Date: Mon, 19 Dec 2005 13:28:58 -0800
Message-ID: <43A7261A.3090401@elischer.org>
To: Arne Woerner
Cc: freebsd-security@freebsd.org
In-Reply-To: <20051219210329.90107.qmail@web30311.mail.mud.yahoo.com>
Subject: Re: Brute Force Detection + Advanced Firewall Policy

Arne Woerner wrote:
>--- Hadi Maleki wrote:
>>Any BFD/AFP software available for FreeBSD 4.10?
>>
>>I'm getting flooded with ssh and ftp attempts.
>>
>What about a "white list"? I mean, three rules that block all
>incoming traffic to those ports (21, 22, the others), and then a
>rule for each "good IP" that allows the connection...
>
>Some time ago I have read in this list something about attempts to
>guess a SSH username and password... Maybe u can find that thread
>in the archive via the Websearch interface?
>
>Maybe it helps to disallow password authentication, because DSA
>public key authentication is much more fun for users and admins...
>
possibly look into port-knocking..

>:-))
>
>-Arne
>
>_______________________________________________
>freebsd-security@freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-security
>To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

From owner-freebsd-security@FreeBSD.ORG Tue Dec 20 13:50:24 2005
From: "Xspeed"
Date: Tue, 20 Dec 2005 21:50:41 +0800
Message-ID: <43a80c1e.573681cb.2001.4c33@mx.gmail.com>
In-Reply-To: <20051220120044.18A4316A423@hub.freebsd.org>
Cc: 'Hadi Maleki'
Subject: Re: Brute Force Detection + Advanced Firewall Policy

I found this script very good.
http://nullmind.com/2005/02/03/brute-force-detection-linuxbsd/

However, it had a limitation when using IPFW1 to block the attacker. I made modifications to the script to take care of it. Below was a post I made to a forum.

===================================

I'm using IPFW1 to block out the attackers. As mentioned by lionspark in his post on 03-15-05, 02:17, using the unblock command "ipfw delete 400" removes all attackers at the same time. It would allow attackers in before the block period is up if a previous unblock command was scheduled. I needed the script to assign diff ipfw block rule numbers, so I can specifically block an attacker for the specified block time. I modified the script and set it to use a range of rule numbers from 230 to 290. You can change this range to your own.

1) In the hspherebfd installation directory, under /tmp (i.e. /usr/local/bin/hspherebfd/tmp): create a file ".rulenum", insert the value "230" (this is the starting ipfw rule number to use; change it if you are using other numbers) and save the file.

2) In hspherebfd, I made the following changes (around line 110):

    if ($autoblock == 1) {
        # Read the next ipfw rule number to use; fall back to the start of
        # the range if the state file does not exist yet.
        $rulenum_file = "$instdir/tmp/.rulenum";
        $curr_rule_nos = $rulenumstart;
        if ( -e $rulenum_file ) {
            $curr_rule_nos = `cat $rulenum_file`;
            $curr_rule_nos =~ s/\n//;
        }
        $command = $block_cmd;
        $command =~ s/attacker/$attacker/g;
        $command =~ s/rulenum/$curr_rule_nos/g;
        system("$command");
        $actions .= "Blocked the attacker at firewall using: " . $command . "\n";

        # See if curr_rule_nos is still within the range of ipfw rule numbers to use
        if ($curr_rule_nos == $rulenummax) {
            $new_rule_nos = $rulenumstart;
        } else {
            $new_rule_nos = $curr_rule_nos + 1;
        }

        # Write the new rule number to use into the file storing the rulenum
        open(FILEWRITER, "> $rulenum_file") or die "cannot write $rulenum_file: $!";
        print FILEWRITER $new_rule_nos;
        close(FILEWRITER);
    }

    if ($autounblock == 1) {
        $command = $unblock_cmd;
        $command =~ s/attacker/$attacker/g;
        $command =~ s/rulenum/$curr_rule_nos/g;
        system("echo '$command' | at +" . $timelimit);
        $actions .= "Set auto unblock of attacker at firewall using: " . $command . "\n";
    }

3) In bfd.conf, I made the following changes (the changed lines are marked "# changed"):

    # This is the install directory for everything but our binary
    $instdir = "/usr/local/bin/hspherebfd";

    # the directory for the rules files. This probably shouldn't be changed.
    $rules = $instdir . "/rules";

    # the file to our whitelist. This probably shouldn't be changed.
    $excluded = $instdir . "/excluded.hosts";

    # Notify Admin? (1 = yes, 0 = no)
    $notify = 1;

    # if notify admin is yes, who do we notify?
    $email = 'someemail@someemail.com';

    # subject line of the email?
    $email_subject = "Brute Force Detection For Host: ";

    # block attackers? (1 = yes, 0 = no)
    $autoblock = 1;

    # how do we block attackers? This one you are on your own. Everyone runs different firewalls and OS's.
    # the words "attacker" and "rulenum" will automatically be replaced.
    #$block_cmd="/sbin/ipfw table 1 add attacker";
    $block_cmd = "/sbin/ipfw add rulenum deny tcp from attacker to any";   # changed

    # unblock attacker?
    $autounblock = 1;

    # how long do we leave them blocked?
    # eg. 1 day(s) or 30 minute(s)
    $timelimit = "2 days";

    # how do we unblock the attacker?
    #$unblock_cmd="/sbin/ipfw table 1 delete attacker";
    $unblock_cmd = "/sbin/ipfw delete rulenum";   # changed

    # what is the range of ipfw1 rule numbers to use? Change to fit your range.
    # Remember to change /tmp/.rulenum as well.
    $rulenumstart = 230;   # changed
    $rulenummax = 290;     # changed

From owner-freebsd-security@FreeBSD.ORG Tue Dec 20 17:38:39 2005
From: Daniel Gerzo
Date: Tue, 20 Dec 2005 18:38:12 +0100
Message-ID: <139782476.20051220183812@rulez.sk>
To: "Hadi Maleki"
Cc: freebsd-security@freebsd.org
Reply-To: Daniel Gerzo
Subject: Re: Brute Force Detection + Advanced Firewall Policy

Hello Hadi,

Monday, December 19, 2005, 9:21:56 PM, you wrote:
> Any BFD/AFP software available for FreeBSD 4.10?
> I'm getting flooded with ssh and ftp attempts.

maybe security/bruteforceblocker would be enough for you?

--
Best regards,
Daniel                            mailto:danger@rulez.sk
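The two mechanisms proposed earlier in the thread, Marian's pf rate limit and Arne's whitelist, replayed over constructed connection events; this is an added example, not code from any poster or from pf itself. It models the rule as a plain sliding window (pf's own per-source counter decays gradually, so exact trigger times can differ by a second or two), and the `whitelist` parameter stands in for a `pass in quick` rule for trusted addresses placed before the rate-limited one.

```python
"""Replay of the pf rule posted in the thread

    pass in quick on $ext_if proto tcp to ($ext_if) port ssh \\
        (max-src-conn 10, max-src-conn-rate 6/15, overload <sshspammer> flush global)

over a constructed sequence of connection events.  pf keeps, per source
address, the number of live states and the number of new connections seen
in the last 15 seconds; a source exceeding either limit is put into the
<sshspammer> table and, with "flush global", all of its states are killed.
Sources in `whitelist` model a "pass in quick" rule for trusted addresses
placed before this one, so they are never counted or tabled.  The sliding
window below is an approximation of pf's decaying counter, not its code.
"""
from collections import defaultdict, deque

MAX_SRC_CONN = 10                 # max-src-conn 10
RATE_COUNT, RATE_SECONDS = 6, 15  # max-src-conn-rate 6/15


def evaluate(events, whitelist=(), max_src_conn=MAX_SRC_CONN,
             rate_count=RATE_COUNT, rate_seconds=RATE_SECONDS):
    """Process (time, src, 'open'|'close') events in time order.

    Returns (table, log): `table` maps each overloaded source to the time it
    entered <sshspammer>; `log` lists (time, src, decision) for each open.
    """
    table = {}
    states = defaultdict(int)    # live connections per source
    recent = defaultdict(deque)  # open timestamps inside the rate window
    log = []
    for t, src, kind in sorted(events):
        if kind == "close":
            if states[src]:
                states[src] -= 1
            continue
        if src in whitelist:                 # trusted: passes unconditionally
            states[src] += 1
            log.append((t, src, "pass:whitelist"))
            continue
        if src in table:                     # "block log quick from <sshspammer>"
            log.append((t, src, "dropped"))
            continue
        window = recent[src]
        while window and t - window[0] >= rate_seconds:
            window.popleft()
        window.append(t)
        reason = None
        if states[src] >= max_src_conn:      # too many concurrent sessions
            reason = "max-src-conn"
        elif len(window) > rate_count:       # 7th new connection within 15 s
            reason = "max-src-conn-rate"
        if reason:
            table[src] = t
            states[src] = 0                  # flush global: kill its states
            window.clear()
            log.append((t, src, "overload:" + reason))
        else:
            states[src] += 1
            log.append((t, src, "pass"))
    return table, log


def sample_events():
    """Constructed traffic (RFC 5737 documentation addresses), not a capture."""
    ev = []
    # 203.0.113.7: password guessing, one short connection every 2 seconds.
    for i in range(7):
        ev += [(2 * i, "203.0.113.7", "open"), (2 * i + 1, "203.0.113.7", "close")]
    ev.append((14, "203.0.113.7", "open"))      # retries after being tabled
    # 198.51.100.5: an admin opening two long-lived sessions.
    ev += [(0, "198.51.100.5", "open"), (30, "198.51.100.5", "open")]
    # 198.51.100.9: a backup job doing eight quick scp transfers in a row.
    for i in range(8):
        ev += [(100 + i, "198.51.100.9", "open"), (100.5 + i, "198.51.100.9", "close")]
    # 192.0.2.44: slow but parallel, eleven sessions left open 3 seconds apart.
    ev += [(200 + 3 * i, "192.0.2.44", "open") for i in range(11)]
    return ev


def tabled_sources(whitelist=()):
    """Sources that end up in <sshspammer> for the sample traffic."""
    table, _ = evaluate(sample_events(), whitelist=whitelist)
    return table


if __name__ == "__main__":
    for src, t in sorted(tabled_sources().items(), key=lambda kv: kv[1]):
        print(f"t={t:>5}  {src:<14} added to <sshspammer>")
    # The backup host is a false positive; Arne's whitelist keeps it out:
    print("with whitelist:", sorted(tabled_sources({"198.51.100.9"})))
```

Note that the backup host is tabled on its seventh scp in 15 seconds even though every login succeeded: the rule counts connections, not failures, which is why a whitelist for known-good sources belongs in front of it.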
From owner-freebsd-security@FreeBSD.ORG Thu Dec 22 09:27:51 2005
From: Marko Lerota
To: freebsd-security@freebsd.org
Date: Thu, 22 Dec 2005 10:24:45 +0100
Message-ID: <8664ph32n6.fsf@redcloud.local>
Organization: Unix Users - Fanatics Dept.
X-GNUPG-Fingerprint: CF5E 6862 2777 A471 5D2E 0015 8DA6 D56D 17E5 2A51
Subject: jails and sysctl in freebsd 6.0

Bug or something, look at this

    [~]# cat /etc/sysctl.conf
    security.jail.allow_raw_sockets=1
    security.jail.set_hostname_allowed=0

    [~]# sysctl -a | grep jail
    security.jail.set_hostname_allowed: 1      <<<<< here
    security.jail.socket_unixiproute_only: 1
    security.jail.sysvipc_allowed: 0
    security.jail.enforce_statfs: 2
    security.jail.allow_raw_sockets: 1
    security.jail.chflags_allowed: 0
    security.jail.jailed: 0

The variable points to 1. You can't change the hostname in jail (that's what I want). But booting OS hangs a little if you put 'security.jail.set_hostname_allowed=0' in /etc/sysctl.conf. If I put 'jail_set_hostname_allow="NO"' in /etc/rc.conf and remove it from /etc/sysctl.conf it boots OK without delay and sysctl outputs the correct value.

    [~]# uname -a
    FreeBSD mother-mail.optima-telekom.hr 6.0-STABLE FreeBSD 6.0-STABLE #0: Wed Dec 21

--
One cannot sell the earth upon which the people walk
                                          Tacunka Witco

From owner-freebsd-security@FreeBSD.ORG Sat Dec 24 19:27:28 2005
From: Jeremie Le Hen
To: OxY
Cc: freebsd-security
Date: Sat, 24 Dec 2005 20:26:53 +0100
Message-ID: <20051224192653.GF3570@obiwan.tataz.chchile.org>
In-Reply-To: <005601c60276$caa18fa0$0201a8c0@oxy>
References: <20051211123346.GK98018@bombur.guldan.demon.nl> <20051216191828.GA56737@garage.freebsd.pl> <005601c60276$caa18fa0$0201a8c0@oxy>
Subject: Re: [fbsd] Re: geli or gbde encryption of slices

Hi OxY,

> i have a question about choosing geli or gbde..
> which one is faster (read/write)?
> i use gbde, and it's quite slow..
> may i create the .bde partition again with larger sector size?
> which size is optimal?

If you decide to do your own tests, please, let us know. Thank you.

Best regards,
--
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >