From owner-freebsd-security@FreeBSD.ORG Wed Mar 21 12:45:32 2007
From: David Wolfskill <david@catwhisker.org>
To: freebsd-security@freebsd.org
Date: Wed, 21 Mar 2007 05:30:33 -0700
Subject: Reality check: IPFW sees SSH traffic that sshd does not?

This note is essentially a request for a reality check.

I use IPFW & natd on the box that provides the interface between my home
networks and the Internet; the connection is (static) residential DSL.

I configured IPFW to accept & log all SSH "setup" requests, and use natd
to forward such requests to an internal machine that only accepts public
key authentication; that machine's sshd logs SSH-specific information.

Usually, the SSH setup requests logged by IPFW correspond with sshd
activity (whether authorized or not); I expect this.

What has come as rather a surprise, though, is that every once in a
while, I will see IPFW logging setup requests that have no corresponding
sshd activity logged at all.

This morning (in reviewing the logs from yesterday), I found a set of
580 such setup requests logged from Mar 20 19:30:06 - Mar 20 19:40:06
(US/Pacific; currently 7 hrs. west of GMT/UTC), each from 204.11.235.148
(part of a VAULT-NETWORKS netblock). The sshd on the internal machine
never logged anything corresponding to any of this.

I cannot imagine any valid reason for SSH traffic to my home to be
originating from that netblock. I perceive nothing comforting in the
lack of sshd logging the apparent activity.

Lacking rationale to do otherwise, I interpret this as an attack:
I've modified my IPFW rules to include a reference to a table rather
early on; IP addresses found in this table are not permitted to
establish SSH sessions to my networks, and the attempted activity
is logged. (I also use the same technique on my laptop and my work
desktop, and -- manually, so far -- keep the tables in question
synchronized.)

I have accordingly added the VAULT-NETWORKS netblocks to this table,
pending either information or reason to remove those specifications.

Granted, there appears to be no access granted, but the lack of sshd
logging makes me nervous.

Have other folks noticed this type of behavior? Have I gone off the
deep end of paranoia? (Yes, I expect that some of "them" really are out
to get me. What can I say; it's an occupational hazard.)

Thanks!

Peace,
david
-- 
David H. Wolfskill                              david@catwhisker.org
Believe SORBS at your own risk: 63.193.123.122 has been static since Aug 1999.
See http://www.catwhisker.org/~david/publickey.gpg for my public key.


From owner-freebsd-security@FreeBSD.ORG Wed Mar 21 13:18:26 2007
From: Tadas Miniotas <tadas@bofh.lt>
To: freebsd-security@freebsd.org
Date: Wed, 21 Mar 2007 15:03:51 +0200
Subject: Re: Reality check: IPFW sees SSH traffic that sshd does not?
David Wolfskill wrote:
> <...>
> This morning (in reviewing the logs from yesterday), I found a set of
> 580 such setup requests logged from Mar 20 19:30:06 - Mar 20 19:40:06
> (US/Pacific; currently 7 hrs. west of GMT/UTC), each from 204.11.235.148
> (part of a VAULT-NETWORKS netblock). The sshd on the internal machine
> never logged anything corresponding to any of this.

Might be a SYN scan. I believe SSH will not log anything if a three-way
handshake has not been completed.

Of course, it would help if you provided ipfw logs to determine exactly
what kind of packets it was.

-- 
Tadas Miniotas


From owner-freebsd-security@FreeBSD.ORG Wed Mar 21 13:32:26 2007
From: David Wolfskill <david@catwhisker.org>
To: Tadas Miniotas <tadas@bofh.lt>
Cc: freebsd-security@freebsd.org
Date: Wed, 21 Mar 2007 06:32:21 -0700
Subject: Re: Reality check: IPFW sees SSH traffic that sshd does not?

On Wed, Mar 21, 2007 at 03:03:51PM +0200, Tadas Miniotas wrote:
> David Wolfskill wrote:
> > <...>
> > This morning (in reviewing the logs from yesterday), I found a set of
> > 580 such setup requests logged from Mar 20 19:30:06 - Mar 20 19:40:06
> > (US/Pacific; currently 7 hrs. west of GMT/UTC), each from 204.11.235.148
> > (part of a VAULT-NETWORKS netblock). The sshd on the internal machine
> > never logged anything corresponding to any of this.
>
> Might be a SYN scan. I believe SSH will not log anything if a three-way
> handshake has not been completed.

Fair enough. The thrust of the query was whether or not a sequence of
580 of these within a roughly 10-minute interval from a netblock with
which I have no known relationship might plausibly be benign.

> Of course, it would help if you provided ipfw logs to determine exactly
> what kind of packets it was.

Well, if you think it would actually help, here's a sample:

Mar 20 09:12:29 janus kernel: ipfw: 10000 Accept TCP 204.11.235.148:26102 172.16.8.11:22 out via vr0
Mar 20 19:30:07 janus kernel: ipfw: 10000 Accept TCP 204.11.235.148:33000 172.16.8.11:22 out via vr0
Mar 20 19:30:08 janus kernel: ipfw: 10000 Accept TCP 204.11.235.148:33103 172.16.8.11:22 out via vr0
Mar 20 19:30:09 janus kernel: ipfw: 10000 Accept TCP 204.11.235.148:33191 172.16.8.11:22 out via vr0
Mar 20 19:30:10 janus kernel: ipfw: 10000 Accept TCP 204.11.235.148:33286 172.16.8.11:22 out via vr0
Mar 20 19:30:12 janus kernel: ipfw: 10000 Accept TCP 204.11.235.148:33387 172.16.8.11:22 out via vr0
...
Mar 20 19:40:06 janus kernel: ipfw: 10000 Accept TCP 204.11.235.148:58784 172.16.8.11:22 out via vr0

Peace,
david


From owner-freebsd-security@FreeBSD.ORG Wed Mar 21 13:37:53 2007
From: Bill Moran <wmoran@collaborativefusion.com>
To: David Wolfskill
Cc: freebsd-security@freebsd.org
Date: Wed, 21 Mar 2007 09:27:24 -0400
Subject: Re: Reality check: IPFW sees SSH traffic that sshd does not?

In response to David Wolfskill:

> This note is essentially a request for a reality check.
>
> I use IPFW & natd on the box that provides the interface between my home
> networks and the Internet; the connection is (static) residential DSL.
>
> I configured IPFW to accept & log all SSH "setup" requests, and use natd
> to forward such requests to an internal machine that only accepts public
> key authentication; that machine's sshd logs SSH-specific information.
>
> Usually, the SSH setup requests logged by IPFW correspond with sshd
> activity (whether authorized or not); I expect this.
>
> What has come as rather a surprise, though, is that every once in a
> while, I will see IPFW logging setup requests that have no corresponding
> sshd activity logged at all.

I'm only guessing, but I suspect it's port scanning. If the scanner sends
the initial SYN, waits for the SYN/ACK, but never sends the final SYN/ACK,
the attacker will know that port 22 _is_ open, but sshd will never get a
connection request to log anything about.

> This morning (in reviewing the logs from yesterday), I found a set of
> 580 such setup requests logged from Mar 20 19:30:06 - Mar 20 19:40:06
> (US/Pacific; currently 7 hrs. west of GMT/UTC), each from 204.11.235.148
> (part of a VAULT-NETWORKS netblock). The sshd on the internal machine
> never logged anything corresponding to any of this.
>
> I cannot imagine any valid reason for SSH traffic to my home to be
> originating from that netblock. I perceive nothing comforting in the
> lack of sshd logging the apparent activity.
>
> Lacking rationale to do otherwise, I interpret this as an attack:
> I've modified my IPFW rules to include a reference to a table rather
> early on; IP addresses found in this table are not permitted to
> establish SSH sessions to my networks, and the attempted activity
> is logged. (I also use the same technique on my laptop and my work
> desktop, and -- manually, so far -- keep the tables in question
> synchronized.)
>
> I have accordingly added the VAULT-NETWORKS netblocks to this table,
> pending either information or reason to remove those specifications.
>
> Granted, there appears to be no access granted, but the lack of sshd
> logging makes me nervous.
>
> Have other folks noticed this type of behavior? Have I gone off the
> deep end of paranoia? (Yes, I expect that some of "them" really are out
> to get me. What can I say; it's an occupational hazard.)

Not in my opinion. I run a little script I wrote that automatically adds
failed SSH attempts to a table that blocks them from _everything_ in my
pf rules. I figure if they're fishing for weak ssh passwords, their next
likely attack route might be HTTP or SMTP, so why wait. This is on my
personal server. Here where I work, we're even more strict.

Paranoid? Maybe. But I don't have the free cycles to constantly chase
these attacks around trying to figure out how dangerous they really are.
There are a _lot_ of crooks out there trying to build botnets; I don't
want to be one of them. Especially not for a personal server that I
maintain in my free time as a hobby.

I don't think you're paranoid.

-- 
Bill Moran
Collaborative Fusion Inc.


From owner-freebsd-security@FreeBSD.ORG Wed Mar 21 14:13:00 2007
From: Richard Jones <freebsd-security@jonze.com>
To: Bill Moran
Cc: freebsd-security@freebsd.org
Date: Wed, 21 Mar 2007 13:49:05 +0000
Subject: Re: Reality check: IPFW sees SSH traffic that sshd does not?

On Wed, Mar 21, 2007 at 09:27:24AM -0400, Bill Moran wrote:
> Not in my opinion. I run a little script I wrote that automatically adds
> failed SSH attempts to a table that blocks them from _everything_ in my
> pf rules. I figure if they're fishing for weak ssh passwords, their next
> likely attack route might be HTTP or SMTP, so why wait. This is on my
> personal server. Here where I work, we're even more strict.

I had a similar set up, but it was quite clunky. Following advice from
this list and others I now firewall port 22 to a few locations (e.g.
work), and also run ssh on a high port. This doesn't necessarily make
things any safer, but has reduced my log noise drastically.

Regards,

Richard Jones
-- 
http://www.jonze.com


From owner-freebsd-security@FreeBSD.ORG Wed Mar 21 14:27:58 2007
From: Dan Lukes <dan@obluda.cz>
To: freebsd-security@freebsd.org
Date: Wed, 21 Mar 2007 14:44:47 +0100
Subject: Re: Reality check: IPFW sees SSH traffic that sshd does not?

David Wolfskill wrote:
>> Might be a SYN scan. I believe SSH will not log anything if a three-way
>> handshake has not been completed.

The application layer can accept only "completed" connections, so the
handshake must be successfully completed before the application can
accept the incoming connection. It's not SSH-specific behavior.

>> Of course, it would help if you provided ipfw logs to determine exactly
>> what kind of packets it was.

> Mar 20 09:12:29 janus kernel: ipfw: 10000 Accept TCP 204.11.235.148:26102 172.16.8.11:22 out via vr0
> Mar 20 19:30:07 janus kernel: ipfw: 10000 Accept TCP 204.11.235.148:33000 172.16.8.11:22 out via vr0

It may not help. We can see packets in one direction but not in the
opposite one. Unfortunately, we can't decide whether it's because there
are no reply packets or because the response packets are not logged by
your configuration.

Dan


From owner-freebsd-security@FreeBSD.ORG Wed Mar 21 14:30:08 2007
From: Bill Moran <wmoran@collaborativefusion.com>
To: "W. D."
Cc: freebsd-security@freebsd.org
Date: Wed, 21 Mar 2007 10:30:06 -0400
Subject: Re: Reality check: IPFW sees SSH traffic that sshd does not?

In response to "W. D.":

> At 08:27 3/21/2007, Bill Moran, wrote:
>> I run a little script I wrote that automatically adds
>> failed SSH attempts to a table that blocks them from _everything_ in my
>> pf rules.
>
> Do you care to share that script?

It's pretty basic, but I will share it.
I've been waiting until I'd been using it for a while to make sure there
weren't any problems. I'll throw together an explanation and download on
a web page some time this weekend.

-- 
Bill Moran
Collaborative Fusion Inc.


From owner-freebsd-security@FreeBSD.ORG Wed Mar 21 14:44:56 2007
From: "W. D." <WD@US-Webmasters.com>
To: Bill Moran, freebsd-security@freebsd.org
Date: Wed, 21 Mar 2007 09:17:33 -0500
Subject: Re: Reality check: IPFW sees SSH traffic that sshd does not?

At 08:27 3/21/2007, Bill Moran, wrote:
> I run a little script I wrote that automatically adds
> failed SSH attempts to a table that blocks them from _everything_ in my
> pf rules.

Do you care to share that script?

Start Here to Find It Fast!™ -> http://www.US-Webmasters.com/best-start-page/
$8.77 Domain Names -> http://domains.us-webmasters.com/


From owner-freebsd-security@FreeBSD.ORG Wed Mar 21 14:50:49 2007
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To: Bill Moran
Cc: freebsd-security@freebsd.org, "W. D."
Date: Wed, 21 Mar 2007 17:50:42 +0300
Subject: Re: Reality check: IPFW sees SSH traffic that sshd does not?

Wed, Mar 21, 2007 at 10:30:06AM -0400, Bill Moran wrote:
> In response to "W. D.":
>
>> At 08:27 3/21/2007, Bill Moran, wrote:
>>> I run a little script I wrote that automatically adds
>>> failed SSH attempts to a table that blocks them from _everything_ in my
>>> pf rules.
>>
>> Do you care to share that script?
>
> It's pretty basic, but I will share it. I've been waiting until I'd been
> using it for a while to make sure there weren't any problems.

You can use the following rule that will put very fast SSH connectors
to the pf table ssh_scans:
-----
# a source holding more than 4 connections, or opening more than 6 per
# second, is added to <ssh_scans> and its existing states are flushed
table <ssh_scans> persist
pass in quick on $iface proto tcp from any to $ip port 22 flags S/AUSPF \
    keep state (max-src-conn 4, max-src-conn-rate 6/1, overload <ssh_scans> flush)
-----
and you can do whatever you like with the ssh_scans table in your pf
ruleset. It is just another option to throttle SSH scans with the pf,
though you should whitelist the good known hosts that are doing massive
numbers of SSH connections to your host. And you can use the expiretable
port to expire the entries in the ssh_scans.

Not a silver bullet, but proved to be useful at some configurations.
-- 
Eygene


From owner-freebsd-security@FreeBSD.ORG Wed Mar 21 18:45:56 2007
From: Julian Elischer <julian@elischer.org>
To: David Wolfskill, freebsd-security@freebsd.org
Date: Wed, 21 Mar 2007 11:29:26 -0700
Subject: Re: Reality check: IPFW sees SSH traffic that sshd does not?

David Wolfskill wrote:
> This note is essentially a request for a reality check.
>
> I use IPFW & natd on the box that provides the interface between my home
> networks and the Internet; the connection is (static) residential DSL.
> > I configured IPFW to accept & log all SSH "setup" requests, and use natd > to forward such requests to an internal machine that only accepts public > key authentication; that machine's sshd logs SSH-specific information. > > Usually, the SSH setup requests logged by IPFW correspond with sshd > activity (whether authorized or not); I expect this. > > What has come as rather a surprise, though, is that every once in a > while, I will see IPFW logging setup requests that have no corresponding > sshd activity logged at all. > > This morning (in reviewing the logs from yesterday), I found a set of > 580 such setup requests logged from Mar 20 19:30:06 - Mar 20 19:40:06 > (US/Pacific; currently 7 hrs. west of GMT/UTC), each from 204.11.235.148 > (part of a VAULT-NETWORKS netblock). The sshd on the internal machine > never logged anything corresponding to any of this. > > I cannot imagine any valid reason for SSH traffic to my home to be > originating from that netblock. I perceive nothing comforting in the > lack of sshd logging the apparent activity. > > Lacking rationale to do otherwise, I interpret this as an attack: > I've modified my IPFW rules to include a reference to a table rather > early on; IP addresses found in this table are not permitted to > establish SSH sessions to my networks, and the attempted activity > is logged. (I also use the same technique on my laptop and my work > desktop, and -- manually, so far -- keep the tables in question > synchronized.) > > I have accordingly added the VAULT-NETWORKS netblocks to this table, > pending either information or reason to remove those specifications. > > Granted, there appears to be no access granted, but the lack of sshd > logging makes me nervous. Access may not need to be granted if they think that that version of sshd can be made to 'break' (via a printf bug or stack overflow for example) before it gets as far as that. 
they probably haven't succeeded as they were still trying, but it's still probably worth looking at what they were trying to do. (malformed fields or something) > > Have other folks noticed this type of behavior? Have I gone off the > deep end of paranoia? (Yes, I expect that some of "them" really are out > to get me. What can I say; it's an occupational hazard.) > > Thanks! > > Peace, > david From owner-freebsd-security@FreeBSD.ORG Wed Mar 21 23:22:58 2007 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id ED94F16A4E8 for ; Wed, 21 Mar 2007 23:22:58 +0000 (UTC) (envelope-from carl@xena.IPAustralia.gov.au) Received: from twonetom19.sge.net (twonetom19.sge.net [152.91.2.19]) by mx1.freebsd.org (Postfix) with SMTP id 6E41B13C4CB for ; Wed, 21 Mar 2007 23:22:48 +0000 (UTC) (envelope-from carl@xena.IPAustralia.gov.au) Received: from twonetvs15.sge.net (twonetvs-om [152.91.2.17]) by twonetom19.sge.net (Postfix) with ESMTP id 23386ADB7 for ; Thu, 22 Mar 2007 09:57:27 +1100 (EST) Received: from twonetvs15.sge.net (localhost [127.0.0.1]) by localhost (Postfix) with ESMTP id 019C27C143 for ; Thu, 22 Mar 2007 09:57:27 +1100 (EST) Received: from guinness.lyn.gwy (unknown [152.91.9.242]) by twonetvs15.sge.net (Postfix) with ESMTP id C4D217C1CE for ; Thu, 22 Mar 2007 09:57:26 +1100 (EST) Received: from vmail.aipo.gov.au (mail-in.ipa.lyn.gwy [192.168.254.253]) by guinness.lyn.gwy with ESMTP id l2LMvLXk016139 for ; Thu, 22 Mar 2007 09:57:21 +1100 (EST) Received: from xena.aipo.gov.au (xena.aipo.gov.au [10.0.100.52]) by vmail.aipo.gov.au (8.13.3/8.13.3) with ESMTP id l2LMvL1L013498 for ; Thu, 22 Mar 2007 09:57:21 +1100 (EST) (envelope-from carl@xena.IPAustralia.gov.au) Received: from [10.0.4.21] ([10.0.4.21]) by xena.aipo.gov.au (8.13.1/8.12.9) with ESMTP id l2LMvLKW048370 for ; Thu, 22 Mar 2007 09:57:21 +1100 (EST) 
From: Carl Makin
Date: Thu, 22 Mar 2007 09:57:22 +1100
To: freebsd-security@freebsd.org
Subject: Re: Reality check: IPFW sees SSH traffic that sshd does not?
Message-Id: <82953429-B11F-474B-9CB3-E055B07E9767@xena.ipaustralia.gov.au>
In-Reply-To: <20070321145041.GG14837@codelabs.ru>

On 22/03/2007, at 1:50 AM, Eygene Ryabinkin wrote:

> You can use the following rule that will put very fast SSH connectors
> to the pf table ssh_scans:
> -----
> pass in quick on $iface proto tcp from any to $ip port 22 flags S/AUSPF \
>     keep state (max-src-conn 4, max-src-conn-rate 6/1, overload <ssh_scans> flush)
> -----

Interesting, I really must get off my ass and look closely at pf.

I use the Simple Event Correlator (sec, in ports) to parse the auth
logfile and add ipfw rules blocking the originating site once it sees 3
authentication failures of any kind from a single address.
One of the sec rules looks like this;

-----------------------
type=SingleWithThreshold
ptype=RegExp
pattern=Failed password for (\S+) from (\S+) port (\S+) ssh2
desc=SSH attack from $2
action=shellcmd /usr/local/bin/ipfwadd.sh "$2" ; pipe 'Failed password for $1 from $2' /usr/bin/mail -s 'SSH Attack from $2' me@myaddress.com
window=60
thresh=3
-----------------------

ipfwadd.sh is just

/sbin/ipfw add 25 deny log tcp from $1 to any in via tun0
-----------------------

I also have a rule that emails me whenever someone successfully logs
into the system.

It's not foolproof, but it helps.

Carl.

From owner-freebsd-security@FreeBSD.ORG Thu Mar 22 13:32:19 2007
From: Volker
Date: Thu, 22 Mar 2007 14:04:46 +0100
To: Eygene Ryabinkin
Message-ID: <46027EEE.1080105@vwsoft.com>
In-Reply-To: <20070321145041.GG14837@codelabs.ru>
Cc: freebsd-security@freebsd.org, "W. D." , Bill Moran
Subject: Re: Re: Reality check: IPFW sees SSH traffic that sshd does not?

Eygene,

On 12/23/-58 20:59, Eygene Ryabinkin wrote:
...
>>> Do you care to share that script?
>> It's pretty basic, but I will share it. I've been waiting until I'd been
>> using it for a while to make sure there weren't any problems.
>
> You can use the following rule that will put very fast SSH connectors
> to the pf table ssh_scans:
> -----
> pass in quick on $iface proto tcp from any to $ip port 22 flags S/AUSPF \
>     keep state (max-src-conn 4, max-src-conn-rate 6/1, overload <ssh_scans> flush)
> -----

Replacing the "flush" keyword by "flush global" would give better
results, as it immediately kills all additional connections with that
host (IP address). Without the "global" keyword just the ssh connection
causing the rule overload is being killed.

Also a max-src-conn-rate of 6/1 (6 connections in 1 second) is IMO a
bit too friendly to those brute force script kiddies, but YMMV.

While doing nearly the same as you did in your pf rules, I also let a
cron job run every 10 minutes and scan the auth log for login errors.
If a threshold value is reached, the IP address gets inserted into a pf
table and gets blocked (forever). This is just a second line of defense.
HTH,

Volker

From owner-freebsd-security@FreeBSD.ORG Thu Mar 22 14:47:13 2007
From: Eygene Ryabinkin
Date: Thu, 22 Mar 2007 17:47:02 +0300
To: Volker
Cc: freebsd-security@freebsd.org, "W. D." , Bill Moran
Subject: Re: Re: Reality check: IPFW sees SSH traffic that sshd does not?
Message-ID: <20070322144702.GN14837@codelabs.ru>
In-Reply-To: <46027EEE.1080105@vwsoft.com>
Good day!

Thu, Mar 22, 2007 at 02:04:46PM +0100, Volker wrote:
> > You can use the following rule that will put very fast SSH connectors
> > to the pf table ssh_scans:
> > -----
> > pass in quick on $iface proto tcp from any to $ip port 22 flags S/AUSPF \
> >     keep state (max-src-conn 4, max-src-conn-rate 6/1, overload <ssh_scans> flush)
> > -----
>
> Replacing the "flush" keyword by "flush global" would give better
> results, as it immediately kills all additional connections with that
> host (IP address). Without the "global" keyword just the ssh connection
> causing the rule overload is being killed.
>
> Also a max-src-conn-rate of 6/1 (6 connections in 1 second) is IMO a
> bit too friendly to those brute force script kiddies, but YMMV.

I happen to make some rapid scp's that are doing about 5 or 6
connections in a minute from the legitimate hosts, so sometimes even the
legitimate hosts are getting blocked. And if that host has another
session to the server I do not like it to be dropped, since then the
session will be lost and I will not be able to drop the legitimate host
from the ssh_scans manually. Whitelisting will help, but I have no
persistent list of the machines I can come from. But your mileage may
vary.

By the way, the 6/1 rule is very good when you're firewalling a large
number of clients: massive SSH scans are often hitting the full
netblock, so by changing the '$ip' to '' above you will get very good
throttling for the entire network you're protecting.

> While doing nearly the same as you did in your pf rules, I also let a
> cron job run every 10 minutes and scan the auth log for login errors.
> If a threshold value is reached, the IP address gets inserted into a pf
> table and gets blocked (forever). This is just a second line of defense.

Yeah, this is also helpful. But my setup currently gives me about 4
probes from the SSH scanners and then that host gets blocked. And
blocking for a long time (or forever) can be not so good on the busy
public login servers -- a machine can just be hacked, but rapidly
reinstalled and patched. Again, your mileage may vary.
--
Eygene
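The three replies above describe the same defensive loop from different angles: Carl's sec rule counts "Failed password" lines and calls ipfw, Volker's cron job does the same against a pf table but blocks forever, and Eygene points out that legitimate hosts doing rapid scp's get caught and that permanent blocks hurt on shared login servers. The script below is an added example written for this thread; it is not Carl's sec rule, Volker's cron job, or anything posted by the participants. It assumes ipfw table 1 is referenced early in the ruleset (for instance "deny log tcp from table(1) to any dst-port 22 in"), that the value stored with each table entry is the epoch time at which the block lapses, and that the firewall commands are printed rather than executed so it can be dry-run. The log lines, the table dump, the whitelist address and BLOCK_SECONDS are all constructed for the example.

```shell
#!/bin/sh
# Added example for the freebsd-security thread above; not the participants'
# code. Threshold-based blocking of SSH brute forcers from the auth log,
# with a whitelist (Eygene's legitimate scp hosts) and expiring blocks
# (so entries are not "forever"). Needs only /bin/sh, awk and sort.
#
# Assumptions (mine, not from the thread): ipfw table 1 is matched early in
# the ruleset, e.g. "deny log tcp from table(1) to any dst-port 22 in"; the
# table value is the epoch time at which the block lapses; commands are
# printed (dry run) instead of run.

# Constructed sample auth log lines (not real traffic).
SAMPLE_LOG='Mar 20 19:30:06 gw sshd[1234]: Failed password for root from 192.0.2.10 port 40001 ssh2
Mar 20 19:30:07 gw sshd[1235]: Failed password for invalid user admin from 192.0.2.10 port 40002 ssh2
Mar 20 19:30:09 gw sshd[1236]: Failed password for root from 192.0.2.10 port 40003 ssh2
Mar 20 19:31:00 gw sshd[1240]: Failed password for david from 198.51.100.7 port 50001 ssh2
Mar 20 19:31:02 gw sshd[1241]: Accepted publickey for david from 198.51.100.7 port 50002 ssh2
Mar 20 19:32:00 gw sshd[1250]: Failed password for root from 203.0.113.5 port 60001 ssh2
Mar 20 19:32:01 gw sshd[1251]: Failed password for root from 203.0.113.5 port 60002 ssh2
Mar 20 19:32:02 gw sshd[1252]: Failed password for root from 203.0.113.5 port 60003 ssh2
Mar 20 19:32:03 gw sshd[1253]: Failed password for root from 203.0.113.5 port 60004 ssh2'

# Constructed "ipfw table 1 list" output ("addr/masklen value"); the value
# is the lapse time stored when the entry was added.
SAMPLE_TABLE='192.0.2.10/32 1174525206
198.51.100.7/32 1174400000'

# Space-separated exact addresses that must never be blocked (the hosts
# you run rapid scp's from). Constructed for the example.
WHITELIST='203.0.113.5'

# How long a block lasts; an assumed policy value (one day).
BLOCK_SECONDS=86400

# offenders LOGTEXT THRESHOLD
# Prints, one per line and sorted, every source address with at least
# THRESHOLD "Failed password" lines that is not whitelisted.
offenders() {
    printf '%s\n' "$1" | awk -v thresh="$2" -v wl="$WHITELIST" '
        BEGIN { n = split(wl, a, " "); for (i = 1; i <= n; i++) white[a[i]] = 1 }
        /Failed password for .* from / {
            # the source address is the field after "from"
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if (ip != "" && !(ip in white)) count[ip]++
        }
        END { for (ip in count) if (count[ip] >= thresh) print ip }
    ' | sort
}

# block_commands LOGTEXT THRESHOLD NOW_EPOCH
# Emits one "ipfw table 1 add" command per offender; the stored value is
# the time at which expire_commands may remove the entry again.
block_commands() {
    offenders "$1" "$2" | while read -r ip; do
        printf '/sbin/ipfw table 1 add %s/32 %s\n' "$ip" "$(( $3 + BLOCK_SECONDS ))"
    done
}

# expire_commands TABLEDUMP NOW_EPOCH
# Emits a delete command for every entry whose lapse time has passed, so
# a cron job can keep blocks temporary instead of permanent.
expire_commands() {
    printf '%s\n' "$1" | awk -v now="$2" '
        NF == 2 && $2 + 0 <= now + 0 { print "/sbin/ipfw table 1 delete " $1 }'
}

# Dry run on the constructed data: sh thisfile.sh --demo
if [ "${1:-}" = "--demo" ]; then
    now=1174438806
    block_commands "$SAMPLE_LOG" 3 "$now"
    expire_commands "$SAMPLE_TABLE" "$now"
fi
```

Run from cron every few minutes with the real log and `date +%s`, and pipe the output into sh once the dry run looks right; the whitelist check happens before counting, so a legitimate host never reaches the table at all, and the expiry pass keeps a hacked-then-reinstalled client from staying blocked indefinitely. On pf the same list maps onto `pfctl -t ssh_scans -T add` and `pfctl -t ssh_scans -T expire`, with the whitelist in its own table matched by an earlier `pass ... quick` rule so that those hosts never hit the overload rule, and Volker's `flush global` then tears down every state from an offending host at once rather than only the connection that tripped the limit.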