From: Willem Jan Withagen <wjw@withagen.nl>
To: "David D.W. Downey"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Attacks on ssh port
Date: Sun, 19 Sep 2004 00:25:51 +0200
Message-ID: <414CB5EF.7080901@withagen.nl>
In-Reply-To: <6917b781040918150446b7dada@mail.gmail.com>

David D.W. Downey wrote:

>> OK, was a simple suggestion. (no derogatory tone meant).

I'm sorry. No intentions to put you down. The suggestions you made are very valid, and a lot of them were already in place. Please attribute it to my non-native English.

>> I will say this much. Adding each individual host that scans your machine
>> instantly to your firewall WILL end up killing your machine due to
>> lookups if this is in place during any large scan or direct port
>> attacks.

I also have portsentry in a rather sensitive mode doing exactly the same thing. Trigger one of the "backdoor" ports, and you're out of my game.

>> I do think you're being overly concerned about your log entries since
>> this is *exactly* what the system is *supposed* to do, log the entries
>> for further use by the admin if needed. There is no signal to noise
>> reduction gained, since what you consider noise is what the system is
>> *designed* to do. If you want to reduce the number of entries then
>> reduce the # of entries it logs (aka when you enable the verbose_limit
>> count it won't log any more than that number of attempts from a host.
>> So set it to 2 or even 1 (I would suggest 2 so you only get what
>> should be considered a bona fide failure)).

True, and perhaps even more true. BUT since I've now concluded that there are script-kiddies trying ssh break-ins ad nauseam, this logging gets a totally different meaning. I don't need to see these specific warnings myself anymore; it is a full indication of a host that is no longer under its master's control. So instead of waiting to see if the attacks get any smarter, just deny full access. Blunt but effective.

Note that this is on a server of one of my customers, and having seen the havoc of previously hacked systems at the ISP where I worked, I prefer to be a little more safe. The only reason that this would kill my machine is when the list of IP numbers gets so large that it keeps the system from doing anything else any more. But it has not come that far yet; Moore's law outpaces this problem by far.

>> If you want to enable firewalling based on that information then
>> you're going to have to write a custom script to cull the information
>> from the logfiles or enable some ports NIDS, or 3rd-party NIDS to do
>> this for you. (Such as maybe portsentry and hostsentry for a basic
>> choice option set)

I used to run one such tool, but found those just a little bit too inaccurate to actually trust for this job. Remember that you do not have the time to turn over the logfile at midnight and then start blocking IP numbers. It has to be done at first sight of a possible attempt to break into the system. But perhaps I'll start running that again.

--WjW
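The "custom script to cull the information from the logfiles" that David mentions, and the per-host-rule lookup cost he warns about, as an added example that is not from this thread: a Python script that counts sshd authentication failures per source address over constructed sample log lines and emits `ipfw table` additions, so that one deny rule referencing the table blocks every listed host instead of one rule per scanner. It assumes ipfw tables are available (FreeBSD 5.x-era ipfw2 and later); the threshold, the whitelist and the log lines are my own choices.

```python
import re
from collections import Counter

# Constructed sample sshd syslog lines (not taken from the thread).
# OpenSSH of that era logged "Illegal user"; newer versions log "Invalid user".
SAMPLE_LOG = """\
Sep 18 23:01:02 freebee sshd[6712]: Illegal user test from 192.0.2.10
Sep 18 23:01:03 freebee sshd[6714]: Failed password for illegal user test from 192.0.2.10 port 4021 ssh2
Sep 18 23:01:05 freebee sshd[6716]: Illegal user guest from 192.0.2.10
Sep 18 23:01:06 freebee sshd[6718]: Failed password for illegal user guest from 192.0.2.10 port 4022 ssh2
Sep 18 23:04:11 freebee sshd[6730]: Failed password for root from 198.51.100.7 port 52011 ssh2
Sep 18 23:09:44 freebee sshd[6801]: Accepted publickey for wjw from 203.0.113.5 port 51000 ssh2
Sep 18 23:10:02 freebee sshd[6805]: Failed password for wjw from 203.0.113.5 port 51002 ssh2
"""

# One failed attempt: either an unknown-user notice or a failed password.
FAIL_RE = re.compile(
    r"sshd\[\d+\]: (?:(?:Illegal|Invalid) user \S+"
    r"|Failed password for (?:(?:illegal|invalid) user )?\S+) from (\d+\.\d+\.\d+\.\d+)"
)


def offenders(log_text, threshold=3, whitelist=()):
    """Return the sorted source addresses with at least `threshold` failures.

    Addresses in `whitelist` (e.g. the admin's own workstation) are never
    returned, so a mistyped password does not lock the admin out.
    Note that an unknown-user attempt produces two matching lines, so a
    threshold of 3 fires after two such attempts.
    """
    fails = Counter()
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            fails[m.group(1)] += 1
    return sorted(ip for ip, n in fails.items()
                  if n >= threshold and ip not in set(whitelist))


def ipfw_table_commands(ips, table=1):
    """Build the ipfw commands that add each offender to a lookup table.

    A single rule such as `ipfw add deny ip from table(1) to me 22` then
    blocks all of them; the table is a radix lookup, so the rule count
    stays constant however many hosts are listed.
    """
    return [f"ipfw table {table} add {ip}" for ip in ips]


if __name__ == "__main__":
    for cmd in ipfw_table_commands(offenders(SAMPLE_LOG)):
        print(cmd)
```

Run it from a periodic job or a syslog pipe against `/var/log/auth.log`, and feed the output to `sh` only after checking the whitelist covers your own addresses.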