Date: Tue, 29 Dec 2009 09:14:32 -0800
From: David Wolfskill <david@catwhisker.org>
To: freebsd-stable@freebsd.org
Subject: Re: Hacked - FreeBSD 7.1-Release
Message-ID: <20091229171432.GN470@bunrab.catwhisker.org>
In-Reply-To: <20091229112037.GA34719@icarus.home.lan>
References: <bd52e0bd614fbaffcf8c9ff9da35286e@mail.isot.com> <4B20B509.4050501@yahoo.it> <600C0C33850FFE49B76BDD81AED4D25801371D8056@IMCMBX3.MITRE.ORG> <ce92ed41260c438977298c2cf9dd1e3f.HRCIM@webmail.1command.com> <600C0C33850FFE49B76BDD81AED4D25801371D8737@IMCMBX3.MITRE.ORG> <8bdcbc5f08e9b762c3d2dcfe2fd00558.HRCIM@webmail.1command.com> <6201873e0912281550w34937b9eg3498547722739aee@mail.gmail.com> <20091229112037.GA34719@icarus.home.lan>
On Tue, Dec 29, 2009 at 03:20:37AM -0800, Jeremy Chadwick wrote:
> ...
> I've written my own script to do all of this. It parses periodic
> security mails (on a daily basis), and does WHOIS lookups + parses the
> results to tell me what netblocks/CIDRs I should consider blocking. For
> example, for a security mail that contains this:
>
> horus.sc1.parodius.com login failures:
> Dec 28 15:54:49 horus sshd[74684]: Failed password for root from 199.71.214.240 port 51197 ssh2
> Dec 28 15:54:49 horus sshd[74686]: Invalid user test from 199.71.214.240
> Dec 28 18:39:24 horus sshd[84742]: Failed password for root from 208.94.235.248 port 42979 ssh2
> Dec 28 18:39:25 horus sshd[84744]: Failed password for root from 208.94.235.248 port 43056 ssh2
> Dec 28 18:39:25 horus sshd[84746]: Failed password for root from 208.94.235.248 port 43156 ssh2
> Dec 28 18:39:26 horus sshd[84749]: Failed password for root from 208.94.235.248 port 43265 ssh2
> Dec 28 18:39:27 horus sshd[84751]: Failed password for root from 208.94.235.248 port 43356 ssh2
>
> The script would output the following:
>
> 199.71.214.240
> 199.71.212.0/22 Psychz Networks, Walnut, CA, US
> 208.94.235.248
> 208.94.232.0/22 WZ Communications Inc., Madison, WI, US
> 208.94.235.0/24 Soft-Com.biz, Inc., Panama, NA, PA
>
> Then manually (this is intentional) I go and add the entries I feel
> are relevant to a file called pf.conf.ssh-deny which our systems use to
> block SSH access.
> ...

I do something somewhat similar, though the implementation is rather
different. Like Jeremy, I choose to make the actual actions intentionally
manual. Among salient points:

* Because I'm fairly familiar with it, I (still) use IPFW.

* I received a bit of a "prod" (thanks, Julian!) to use IPFW tables;
  that's been quite helpful.
* I use a moderately quaint (and probably embarrassing) mixture of Perl &
  Bourne shell scripts, as well as make, to extract the netblock
  information from WHOIS, and to construct a persistent store that's
  referenced at boot time.

* As a general rule, I try to report activity such as the above (to the
  listed contact(s) from WHOIS). (When I do, I Bcc: myself and keep a
  copy of all salient correspondence. Or bounce-o-grams.)

* For SSH (in particular), I do not rely only on the /var/log/security
  entries created by sshd. Rather, I also configure IPFW to log all SSH
  session-establishment requests. If I report the unwanted activity, I
  provide both sets of log excerpts. (I often find probes logged by IPFW
  that sshd does not log. And yes, I check the "block" list before IPFW
  logs a "successful" SSH session-establishment request packet.)

* I use one table to block access to SSH. I have another for extreme
  cases of abuse, where I block all traffic in either direction, and a
  third for access to my Web server. I suppose I could also do something
  similar for SMTP....

* I use this for machines that (may) connect directly to the Internet;
  thus, my "firewall" machine certainly qualifies -- but so does my
  laptop.

* I have no mechanism in place to identify, let alone prune, stale
  entries.

Peace,
david
-- 
David H. Wolfskill                              david@catwhisker.org
Depriving a girl or boy of an opportunity for education is evil.

See http://www.catwhisker.org/~david/publickey.gpg for my public key.
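The workflow both posters describe (parse the daily security mail for sshd failures, look up each source address in WHOIS, print the covering netblocks, then let a human decide what goes into the pf table file or ipfw table) as an added, runnable illustration. This is not Jeremy's or David's script; it is example code written for this page in Python rather than their Perl/shell. The sshd lines mirror the ones quoted above; the WHOIS responses, organisation names and the `192.0.2.10` successful-login line are constructed so the script runs offline, and in practice the WHOIS text would come from `whois -h whois.arin.net <ip>`. It also goes slightly beyond the thread by tallying attempts per user, handling ARIN responses that return several objects (parent allocation plus reassignment, as in the 208.94.235.248 case) or several prefixes on one CIDR line, falling back to a /32 when no netblock is known, and dating each emitted entry so that stale entries can be found later, which David notes he has no mechanism for.

```python
"""Summarize sshd login failures from a FreeBSD periodic security mail,
map each source address to its WHOIS netblock(s), and print candidate
entries for a pf table file or an ipfw table.

Added example, not either poster's script.  The WHOIS text below is a
constructed ARIN-style response so the script runs offline; a deployment
would feed it the output of `whois -h whois.arin.net <ip>`.
"""
import datetime
import ipaddress
import re
from collections import Counter, defaultdict

# The three forms sshd logs for a failed attempt:
#   Failed password for root from 1.2.3.4 port 51197 ssh2
#   Failed password for invalid user test from 1.2.3.4 port 51197 ssh2
#   Invalid user test from 1.2.3.4
FAILURE_RE = re.compile(
    r"sshd\[\d+\]: (?:Failed password for (?:invalid user )?(?P<fuser>\S+)"
    r"|Invalid user (?P<iuser>\S+)) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)
WHOIS_FIELDS = ("CIDR", "OrgName", "City", "StateProv", "Country")


def parse_sshd_failures(mail_text):
    """Return {source_ip: Counter({user: attempts})}; other lines are ignored."""
    failures = defaultdict(Counter)
    for line in mail_text.splitlines():
        m = FAILURE_RE.search(line)
        if m:
            failures[m.group("ip")][m.group("fuser") or m.group("iuser")] += 1
    return failures


def parse_whois(whois_text):
    """Parse an ARIN-style response into netblocks, least specific first.
    ARIN returns every object covering the address (parent allocation, then
    any reassignment) as blank-line-separated "Key: value" records; a CIDR
    line may list several comma-separated prefixes."""
    blocks, record = [], {}
    for line in whois_text.splitlines() + [""]:   # sentinel flushes the last record
        line = line.strip()
        if not line or line.startswith("#"):      # record boundary or ARIN comment
            for cidr in record.get("CIDR", "").split(","):
                if cidr.strip():
                    blocks.append({**record, "CIDR": ipaddress.ip_network(cidr.strip())})
            record = {}
            continue
        key, _, value = line.partition(":")
        if key in WHOIS_FIELDS:
            record[key] = value.strip()
    return sorted(blocks, key=lambda b: b["CIDR"].prefixlen)


def netblock_report(failures, whois_by_ip, min_attempts=1):
    """The report the thread shows: each source address with its attempt
    count, then the netblocks WHOIS returns for it.  Choosing what to block
    is deliberately left to the operator."""
    lines = []
    for ip in sorted(failures, key=ipaddress.ip_address):
        attempts = sum(failures[ip].values())
        if attempts < min_attempts:
            continue
        lines.append(f"{ip}  ({attempts} attempts; users: {', '.join(sorted(failures[ip]))})")
        for b in parse_whois(whois_by_ip.get(ip, "")):
            if ipaddress.ip_address(ip) not in b["CIDR"]:   # sanity check on the WHOIS answer
                raise ValueError(f"WHOIS record {b['CIDR']} does not cover {ip}")
            lines.append("    {}  {}, {}, {}, {}".format(
                b["CIDR"], *(b.get(k, "?") for k in WHOIS_FIELDS[1:])))
    return lines


def table_entries(failures, whois_by_ip, most_specific=True):
    """Candidate table entries: by default the most specific netblock (the
    reassignment, not the parent /22).  An address with no WHOIS netblock
    becomes a /32; addresses sharing a netblock collapse into one entry."""
    chosen = set()
    for ip in failures:
        blocks = parse_whois(whois_by_ip.get(ip, ""))
        chosen.add(blocks[-1 if most_specific else 0]["CIDR"] if blocks
                   else ipaddress.ip_network(ip))
    return sorted(chosen, key=lambda n: (n.network_address, n.prefixlen))


# Constructed sample input: sshd lines as quoted in the thread plus one
# successful login (skipped); WHOIS text and organisation names are invented.
SAMPLE_MAIL = """\
horus.sc1.parodius.com login failures:
Dec 28 15:54:49 horus sshd[74684]: Failed password for root from 199.71.214.240 port 51197 ssh2
Dec 28 15:54:49 horus sshd[74686]: Invalid user test from 199.71.214.240
Dec 28 18:39:24 horus sshd[84742]: Failed password for root from 208.94.235.248 port 42979 ssh2
Dec 28 18:39:25 horus sshd[84744]: Failed password for root from 208.94.235.248 port 43056 ssh2
Dec 28 18:39:25 horus sshd[84746]: Failed password for root from 208.94.235.248 port 43156 ssh2
Dec 28 18:39:26 horus sshd[84749]: Failed password for root from 208.94.235.248 port 43265 ssh2
Dec 28 18:39:27 horus sshd[84751]: Failed password for root from 208.94.235.248 port 43356 ssh2
Dec 28 19:01:02 horus sshd[84790]: Accepted publickey for david from 192.0.2.10 port 50001 ssh2
"""
SAMPLE_WHOIS = {
    "199.71.214.240": "#\n# ARIN WHOIS data (constructed)\n#\n"
        "NetRange: 199.71.212.0 - 199.71.215.255\nCIDR: 199.71.212.0/22\n"
        "OrgName: Example Hosting LLC\nCity: Walnut\nStateProv: CA\nCountry: US\n",
    "208.94.235.248": "CIDR: 208.94.232.0/22\nOrgName: Example Transit Inc.\n"
        "City: Madison\nStateProv: WI\nCountry: US\n\n"
        "CIDR: 208.94.235.0/24\nOrgName: Example Reseller S.A.\n"
        "City: Panama\nStateProv: NA\nCountry: PA\n",
}

if __name__ == "__main__":
    failures = parse_sshd_failures(SAMPLE_MAIL)
    print("\n".join(netblock_report(failures, SAMPLE_WHOIS)))
    # Lines the operator would paste, after review, into pf.conf.ssh-deny
    # (loaded via `table <ssh-deny> persist file "/etc/pf.conf.ssh-deny"`)
    # or feed to `ipfw table 1 add <net>`; the date is the hook for pruning.
    for net in table_entries(failures, SAMPLE_WHOIS):
        print(f"{net}  # added {datetime.date.today()} from daily security mail")
```

The `min_attempts` threshold keeps a single mistyped password from a legitimate user out of the report, and the `/32` fallback matters because a WHOIS lookup against the wrong registry can come back with no `CIDR` at all; blocking just the host in that case is safer than blocking nothing or guessing a prefix.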
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20091229171432.GN470>