From owner-freebsd-security@FreeBSD.ORG Sat Sep 18 22:04:50 2004
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1466816A4CE for ; Sat, 18 Sep 2004 22:04:50 +0000 (GMT)
Received: from mproxy.gmail.com (rproxy.gmail.com [64.233.170.203]) by mx1.FreeBSD.org (Postfix) with ESMTP id BD49643D31 for ; Sat, 18 Sep 2004 22:04:49 +0000 (GMT) (envelope-from david.downey@gmail.com)
Received: by mproxy.gmail.com with SMTP id 79so585787rnk for ; Sat, 18 Sep 2004 15:04:46 -0700 (PDT)
Received: by 10.38.99.13 with SMTP id w13mr1134422rnb; Sat, 18 Sep 2004 15:04:45 -0700 (PDT)
Received: by 10.38.82.69 with HTTP; Sat, 18 Sep 2004 15:04:45 -0700 (PDT)
Message-ID: <6917b781040918150446b7dada@mail.gmail.com>
Date: Sat, 18 Sep 2004 18:04:45 -0400
From: "David D.W. Downey"
To: Willem Jan Withagen
In-Reply-To: <414CAC56.8020601@withagen.nl>
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
References: <414C2798.7060509@withagen.nl> <6917b781040918103077c76f0c@mail.gmail.com> <414CAC56.8020601@withagen.nl>
cc: "freebsd-security@FreeBSD.ORG"
Subject: Re: Attacks on ssh port
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: "David D.W. Downey"
List-Id: Security issues [members-only posting]
X-List-Received-Date: Sat, 18 Sep 2004 22:04:50 -0000

> > On Sat, 18 Sep 2004 14:18:32 +0200, Willem Jan Withagen wrote:
> It is not about all this. I know these, and I use them if appropriate.
> (Come to think of it, I was one of the first externals to test Wietse
> Venema's TCP-wrapper.)
>
> Once I have identified the nature and quality of this type of problem,
> I want to deal with it in such a way that it is no longer a bother. And
> in this particular case these records are clogging my login error
> records. And because of that I just might miss out on the one or two
> that do matter. You might want to call it noise-reduction, and I'm
> looking for as large a Signal/Noise ratio as possible.
> So that is why I would like to be able to throw root/ssh login attempts
> directly in the garbage and kill the host where these are coming from
> with a record in my firewall.

OK, it was a simple suggestion (no derogatory tone meant).

I will say this much: adding each individual host that scans your machine instantly to your firewall WILL end up killing your machine due to lookups if this is in place during any large scan or direct port attacks.

I do think you're being overly concerned about your log entries, since this is *exactly* what the system is *supposed* to do: log the entries for further use by the admin if needed. There is no signal-to-noise reduction gained, since what you consider noise is what the system is *designed* to do.

If you want to reduce the number of entries, then reduce the number of entries it logs (aka when you enable the verbose_limit count it won't log any more than that number of attempts from a host. So set it to 2 or even 1; I would suggest 2 so you only get what should be considered a bona fide failure).

If you want to enable firewalling based on that information, then you're going to have to write a custom script to cull the information from the logfiles, or enable some ports NIDS or a 3rd-party NIDS to do this for you (such as maybe portsentry and hostsentry for a basic option set).

Hopefully this helps.

-- 
David D.W. Downey