From owner-freebsd-stable@FreeBSD.ORG Tue Dec 29 17:27:16 2009
From: jhell (J. Hellenthal)
Date: Tue, 29 Dec 2009 12:27:10 -0500
To: freebsd-stable@freebsd.org
Subject: Re: Hacked - FreeBSD 7.1-Release
Message-ID: <1507588526.20091229122710@dataix.net>
In-Reply-To: <20091229112037.GA34719@icarus.home.lan>

Tuesday, December 29, 2009, 6:20:37 AM, you wrote:

> On Mon, Dec 28, 2009 at 05:50:23PM -0600, Adam Vande More wrote:
>> On Mon, Dec 28, 2009 at 4:59 PM, Chris H wrote:
>>
>> > My point here was that by increasing the verbosity, you will more easily be
>> > able to grep against login /failures/, and more easily discover dictionary/
>> > brute-force attacks. It's certainly made my job easier, and hasn't required any
>> > modifications to our current policies. You /have/ considered PF(4), haven't you?
>> > It's /really/ an excellent strategy for securing your network.
>> >
>> > --Chris H
>> >
>> > To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"
>>
>> I use security/denyhosts for this, very simple to setup like 5 minutes if
>> you're a fast reader. There are other options as well that offer similar
>> functionality.
> Then I simply do /etc/rc.d/pf check && /etc/rc.d/pf reload.
> I also have a script that pushes out the pf.conf.ssh-deny machines
> to other hosts on our network and executes the above commands.

Increase verbosity? Why not just create a pflog file just for port 22, or whatever you listen on for ssh or some kind of login, and parse that. See the attached script for a start on parsing the explained pflog.

I have been toying around with the attached idea that makes use of connection tracking in pf:

    pass in log quick proto { tcp } from any port >1024 to any port \
        { $shports } label "SCT/Login:$dstport" keep state (max-src-conn 5, \
        max-src-conn-rate 15/30 overload <blacklist> flush global)

This has worked out quite well so far, but the script that is attached has a few bugs and optimizations that could be made to it. It does its job regardless, without third-party utilities. I have added some parsing of the pflogs through the use of tcpdump and sed to pull bad IPs out as well, but do not use that on a regular basis.

I have the script set up in a cron job to run once an hour and pull the IPs from the active table, combine the contents with the blacklist file, and ultimately sort, uniq & reload the table with the contents of the blacklist file, so adding IPs to the blacklist just adds them to the table on the next cron run. Depending on where you put your blacklist deny rule, you can be saving the rest of your services from the attackers too.

Still lots of work to be done on this, but I figured I would put it out there for someone else to toy with and see what comes out of it.

Best regards.
-- 
Tuesday, December 29, 2009 12:09:10 PM
jhell

Attachment: pflog_fil.sh (decoded from the base64 attachment)

    #!/bin/sh

    #
    # For use with the following rules, tables, macros.
    #
    # table <blacklist> file "/etc/pf.hosts-blacklist"
    # shports="22"
    # block log quick from <blacklist> label "Blacklisted"
    # pass in log quick proto { tcp } from any port >1024 to any port { $shports } label "SCT/Login:$dstport" keep state (max-src-conn 5, max-src-conn-rate 15/30 overload <blacklist> flush global)

    TABLE="blacklist"
    BLIST="/etc/pf.hosts-blacklist"
    PFLOG="/var/log/pflog*"

    trap 'exit 1' 2

    umask 077
    readonly TABLE PFLOG BLIST

    pfctl -t $TABLE -T show >>/dev/null 2>&1
    if [ $? -ne 0 ]; then
            echo "$0: Table $TABLE was not found, exiting..."
            exit 1
    fi

    if [ ! -f $BLIST ]; then
            echo "$0: File $BLIST was not found, exiting..."
            exit 1
    fi

    TMPFILE1=$(mktemp /tmp/.pflog_fil.XXXXXX)
    TMPFILE2=$(mktemp /tmp/.pflog_fil.XXXXXX)
    if [ $? -ne 0 ]; then
            echo "$0: Can't create temp file, exiting..."
            exit 1
    fi

    readonly TMPFILE1 TMPFILE2

    _pcap_fil(){
            for logfile in $PFLOG; do
              if [ -f $logfile ]; then
                    tcpdump -tnr $logfile 2>/dev/null |\
                    awk '{print $2}' |\
                    cut -f1-4 -d. |\
                    sed -e 's/192\.168\.31.*//' \
                        -e 's/1\.1\.1\.1//' \
                        -e 's/2\.2\.2\.2//' \
                        -e 's/0\.0\.0\.0//' \
                        -e 's/.*:.*//' |\
                    sort -n |uniq
              else
                    echo "$0: No log files found, exiting..."
                    exit 1
              fi
            done
    }

    # Uncomment this line to use IPs from pflogs.
    # WARNING: Be careful that your good hosts do not
    # actually get blacklisted by this.
    #_pcap_fil |sort -n |uniq - $TMPFILE1

    cat $BLIST |awk '{print $1}' >>$TMPFILE1
    pfctl -t $TABLE -T show |awk '{print $1}' >>$TMPFILE1

    for ipaddr in $(cat $TMPFILE1); do
            echo $ipaddr >>$TMPFILE2
    done

    echo "Statistics:"
    echo " - Old count in table store:" ;wc -l $BLIST ;echo
    sort -n $TMPFILE2 |uniq - $BLIST
    echo " - New count in table store:" ;wc -l $BLIST ;echo
    echo " - Changes to running table:"
    echo -n "       "
    pfctl -t $TABLE -T add `cat $BLIST`

    rm -f $TMPFILE1 $TMPFILE2
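The attached script's commented-out pflog parsing blacklists every source address it sees, which its own warning flags as risky for good hosts. The example below is an added illustration, not code from the post: it reads the same "tcpdump -tnr /var/log/pflog" lines, counts hits per source against the login ports only, skips whitelisted prefixes, validates the IPv4 shape, and reports only sources over a threshold. The port list, whitelist prefixes, threshold and sample lines are assumed and constructed for the example.

```shell
#!/bin/sh
# Added example, not the script from the original post: report only repeat
# offenders from pflog output instead of listing every source seen.
# Input is what the posted script parses: "tcpdump -tnr /var/log/pflog" lines
# of the form  IP src.port > dst.port: ...  Settings below are assumed values.

LOGIN_PORTS="22 2222"          # same role as $shports in the pf rule
WHITELIST="192.168.31. 10."    # source prefixes that are never reported
THRESHOLD=3                    # login-port hits before a source is reported

# offenders THRESHOLD: read log lines on stdin, print "count ip" for each
# source that hit a login port at least THRESHOLD times, highest count first.
offenders() {
    awk -v ports="$LOGIN_PORTS" -v white="$WHITELIST" -v min="$1" '
    BEGIN {
        n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1
        nw = split(white, w, " ")
    }
    $1 == "IP" && $3 == ">" {
        src = $2; dst = $4; sub(/:$/, "", dst)
        ns = split(src, s, "."); nd = split(dst, d, ".")
        if (ns != 5 || nd != 5) next            # not IPv4 host.port, skip it
        if (!(d[5] in want)) next               # destination is not a login port
        for (i = 1; i <= 4; i++)                # validate octets before use
            if (s[i] !~ /^[0-9]+$/ || s[i] + 0 > 255) next
        ip = s[1] "." s[2] "." s[3] "." s[4]
        for (i = 1; i <= nw; i++) if (index(ip, w[i]) == 1) next
        hits[ip]++
    }
    END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }
    ' | sort -rn
}

# Constructed sample: 203.0.113.5 hits port 22 four times (plus one on 80),
# 198.51.100.77 three times (one on 2222); 203.0.113.9 hits once and
# 192.168.31.4 is whitelisted, so neither may be reported.
sample_offenders() {
    offenders "$THRESHOLD" <<'EOF'
IP 203.0.113.5.51234 > 198.51.100.2.22: Flags [S], length 0
IP 198.51.100.77.40001 > 198.51.100.2.22: Flags [S], length 0
IP 192.168.31.4.33000 > 198.51.100.2.22: Flags [S], length 0
IP 203.0.113.5.51235 > 198.51.100.2.80: Flags [S], length 0
IP 203.0.113.5.51236 > 198.51.100.2.22: Flags [S], length 0
IP 203.0.113.9.51000 > 198.51.100.2.22: Flags [S], length 0
IP 198.51.100.77.40002 > 198.51.100.2.2222: Flags [S], length 0
IP 203.0.113.5.51237 > 198.51.100.2.22: Flags [S], length 0
IP 198.51.100.77.40003 > 198.51.100.2.22: Flags [S], length 0
IP 203.0.113.5.51238 > 198.51.100.2.22: Flags [S], length 0
EOF
}
```

On a real host the report comes from `tcpdump -tnr /var/log/pflog | offenders "$THRESHOLD"`, and the second column is what you would review before handing it to `pfctl -t blacklist -T add`.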