Date:      Tue, 29 Dec 2009 09:14:32 -0800
From:      David Wolfskill <david@catwhisker.org>
To:        freebsd-stable@freebsd.org
Subject:   Re: Hacked - FreeBSD 7.1-Release
Message-ID:  <20091229171432.GN470@bunrab.catwhisker.org>
In-Reply-To: <20091229112037.GA34719@icarus.home.lan>
References:  <bd52e0bd614fbaffcf8c9ff9da35286e@mail.isot.com> <4B20B509.4050501@yahoo.it> <600C0C33850FFE49B76BDD81AED4D25801371D8056@IMCMBX3.MITRE.ORG> <ce92ed41260c438977298c2cf9dd1e3f.HRCIM@webmail.1command.com> <600C0C33850FFE49B76BDD81AED4D25801371D8737@IMCMBX3.MITRE.ORG> <8bdcbc5f08e9b762c3d2dcfe2fd00558.HRCIM@webmail.1command.com> <6201873e0912281550w34937b9eg3498547722739aee@mail.gmail.com> <20091229112037.GA34719@icarus.home.lan>


On Tue, Dec 29, 2009 at 03:20:37AM -0800, Jeremy Chadwick wrote:
> ...
> I've written my own script to do all of this.  It parses periodic
> security mails (on a daily basis), and does WHOIS lookups + parses the
> results to tell me what netblocks/CIDRs I should consider blocking.  For
> example, for a security mail that contains this:
>
> horus.sc1.parodius.com login failures:
> Dec 28 15:54:49 horus sshd[74684]: Failed password for root from 199.71.214.240 port 51197 ssh2
> Dec 28 15:54:49 horus sshd[74686]: Invalid user test from 199.71.214.240
> Dec 28 18:39:24 horus sshd[84742]: Failed password for root from 208.94.235.248 port 42979 ssh2
> Dec 28 18:39:25 horus sshd[84744]: Failed password for root from 208.94.235.248 port 43056 ssh2
> Dec 28 18:39:25 horus sshd[84746]: Failed password for root from 208.94.235.248 port 43156 ssh2
> Dec 28 18:39:26 horus sshd[84749]: Failed password for root from 208.94.235.248 port 43265 ssh2
> Dec 28 18:39:27 horus sshd[84751]: Failed password for root from 208.94.235.248 port 43356 ssh2
>
> The script would output the following:
>
> 199.71.214.240
>         199.71.212.0/22        Psychz Networks, Walnut, CA, US
> 208.94.235.248
>         208.94.232.0/22        WZ Communications Inc., Madison, WI, US
>         208.94.235.0/24        Soft-Com.biz, Inc., Panama, NA, PA
>
> Then manually (this is intentional) I go and add the entries I feel
> are relevant to a file called pf.conf.ssh-deny which our systems use to
> block SSH access.
> ...

I do something somewhat similar, though the implementation is rather
different.  Like Jeremy, I choose to make the actual actions intentionally
manual.

Among salient points:

* Because I'm fairly familiar with it, I (still) use IPFW.
* I received a bit of a "prod" (thanks, Julian!) to use IPFW tables;
  that's been quite helpful.
* I use a moderately quaint (and probably embarrassing) mixture of Perl
  & Bourne shell scripts, as well as make, to extract the netblock
  information from WHOIS, and to construct a persistent store that's
  referenced at boot time.
* As a general rule, I try to report activity such as the above (to the
  listed contact(s) from WHOIS).  (When I do, I Bcc: myself and keep a
  copy of all salient correspondence.  Or bounce-o-grams.)
* For SSH (in particular), I do not rely only on the /var/log/security
  entries created by sshd.  Rather, I also configure IPFW to log all SSH
  session-establishment requests.  If I report the unwanted activity, I
  provide both sets of log excerpts.  (I often find probes logged by
  IPFW that sshd does not log.  And yes, I check the "block" list before
  IPFW logs a "successful" SSH session-establishment request packet.)
* I use one table to block access to SSH.  I have another for extreme
  cases of abuse, where I block all traffic in either direction, and a
  third for access to my Web server.  I suppose I could also do something
  similar for SMTP....
* I use this for machines that (may) connect directly to the Internet;
  thus, my "firewall" machine certainly qualifies -- but so does my laptop.
* I have no mechanism in place to identify, let alone prune, stale
  entries.

Peace,
david
-- 
David H. Wolfskill				david@catwhisker.org
Depriving a girl or boy of an opportunity for education is evil.

See http://www.catwhisker.org/~david/publickey.gpg for my public key.
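As an added illustration of the two approaches in this thread (not Jeremy's or David's own scripts), the following Python parses sshd "Failed password" / "Invalid user" lines of the shape shown in the quoted security mail, aggregates them per source address, and emits `ipfw table N add` lines for the manual review step both posters insist on. The WHOIS step is deliberately left out so it runs offline; the log lines and addresses are constructed samples in documentation ranges, and the table number and threshold are assumed values.

```python
import re
from collections import defaultdict

# Matches the two sshd line shapes quoted in the thread:
#   "... sshd[PID]: Failed password for [invalid user] USER from IP port N ssh2"
#   "... sshd[PID]: Invalid user USER from IP"
SSHD_FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"(?:Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+ ssh2"
    r"|Invalid user (?P<user2>\S+) from (?P<ip2>\d+\.\d+\.\d+\.\d+))$"
)

# Constructed sample, mirroring the format of the quoted security mail (RFC 5737 addresses).
SAMPLE_LOG = """\
host.example login failures:
Dec 28 15:54:49 horus sshd[74684]: Failed password for root from 192.0.2.44 port 51197 ssh2
Dec 28 15:54:49 horus sshd[74686]: Invalid user test from 192.0.2.44
Dec 28 18:39:24 horus sshd[84742]: Failed password for root from 198.51.100.7 port 42979 ssh2
Dec 28 18:39:25 horus sshd[84744]: Failed password for root from 198.51.100.7 port 43056 ssh2
Dec 28 18:39:25 horus sshd[84746]: Failed password for invalid user admin from 198.51.100.7 port 43156 ssh2
Dec 28 18:39:26 horus sshd[84749]: Failed password for root from 198.51.100.7 port 43265 ssh2
Dec 28 18:39:27 horus sshd[84751]: Failed password for root from 198.51.100.7 port 43356 ssh2
""".splitlines()


def parse_sshd_lines(lines):
    """Return {ip: {"count": n, "users": set()}} for every failed-login line; skip the rest."""
    hits = defaultdict(lambda: {"count": 0, "users": set()})
    for line in lines:
        m = SSHD_FAIL_RE.match(line.strip())
        if not m:
            continue  # section header, blank line, or an unrelated log line
        ip = m.group("ip") or m.group("ip2")
        user = m.group("user") or m.group("user2")
        hits[ip]["count"] += 1
        hits[ip]["users"].add(user)
    return dict(hits)


def ipfw_table_commands(hits, table=1, threshold=2):
    """Candidate 'ipfw table N add IP' lines for addresses at/above threshold, sorted for review."""
    return [f"ipfw table {table} add {ip}"
            for ip, h in sorted(hits.items()) if h["count"] >= threshold]


if __name__ == "__main__":
    found = parse_sshd_lines(SAMPLE_LOG)
    for ip, h in sorted(found.items()):
        print(f"{ip:16} {h['count']:3} attempts  users={sorted(h['users'])}")
    print("\n".join(ipfw_table_commands(found)))
```

The emitted lines are meant to be read, checked against WHOIS, and only then run (or appended to a persistent table file loaded at boot), exactly as the thread describes.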

