Date:      Tue, 29 Dec 2009 12:27:10 -0500
From:      jhell <jhell@dataix.net>
Cc:        freebsd-stable@freebsd.org
Subject:   Re: Hacked - FreeBSD 7.1-Release
Message-ID:  <1507588526.20091229122710@dataix.net>
In-Reply-To: <20091229112037.GA34719@icarus.home.lan>
References:  <bd52e0bd614fbaffcf8c9ff9da35286e@mail.isot.com> <4B20B509.4050501@yahoo.it> <600C0C33850FFE49B76BDD81AED4D25801371D8056@IMCMBX3.MITRE.ORG> <ce92ed41260c438977298c2cf9dd1e3f.HRCIM@webmail.1command.com> <600C0C33850FFE49B76BDD81AED4D25801371D8737@IMCMBX3.MITRE.ORG> <8bdcbc5f08e9b762c3d2dcfe2fd00558.HRCIM@webmail.1command.com> <6201873e0912281550w34937b9eg3498547722739aee@mail.gmail.com> <20091229112037.GA34719@icarus.home.lan>


Tuesday, December 29, 2009, 6:20:37 AM, you wrote:

> On Mon, Dec 28, 2009 at 05:50:23PM -0600, Adam Vande More wrote:
>> On Mon, Dec 28, 2009 at 4:59 PM, Chris H <chris#@1command.com> wrote:
>>
>> >
>> > My point here was that by increasing the verbosity, you will more easily
>> > be able to grep against login /failures/, and more easily discover
>> > dictionary/brute-force attacks. It's certainly made my job easier, and
>> > hasn't required any modifications to our current policies. You /have/
>> > considered PF(4), haven't you? It's /really/ an excellent strategy for
>> > securing your network.
>> >
>> > --Chris H
>> >
>> > To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"
>> >
>>
>> I use security/denyhosts for this, very simple to setup like 5 minutes if
>> you're a fast reader.  There are other options as well that offer similar
>> functionality.

> Then I simply do /etc/rc.d/pf check && /etc/rc.d/pf reload.

> I also have a script that pushes out the pf.conf.ssh-deny machines
> to other hosts on our network and executes the above commands.

Increase verbosity? Why not just create a pflog file just for port 22,
or whatever you listen on for ssh or some other kind of login, and parse
that. See the attached script for a start on parsing the pflog explained
here.

I have been toying around with the attached idea that makes use of
connection tracking in pf.

pass in log quick proto { tcp } from any port >1024 to any port \
 { $shports } label "SCT/Login:$dstport" keep state (max-src-conn 5, \
  max-src-conn-rate 15/30 overload <blacklist> flush global)

This has worked out quite well so far, but the script that is attached
has a few bugs and optimizations that could be made to it; it does its
job regardless, without third-party utilities. I have added some
parsing of the pflogs through the use of tcpdump and sed to pull bad
IPs out as well, but do not use that on a regular basis. I have the
script set up in a cron job to run once an hour and pull the IPs from
the active table, combine the contents with the blacklist file and
ultimately sort, uniq & reload the table with the contents of the
blacklist file, so adding IPs to the blacklist just adds them to the
table on the next cron run.

Depending on where you put your blacklist deny rule you can be saving
the rest of your services from the attackers too.

Still lots of work to be done on this but I figured I would put it out
there for someone else to toy with and see what comes out of it.

Best regards.

-- 

 Tuesday, December 29, 2009 12:09:10 PM

 jhell
[Attachment: pflog_fil.sh, decoded from the base64 MIME part]

#!/bin/sh
#
# For use with the following rules, tables, macros.
#
# table <blacklist> file "/etc/pf.hosts-blacklist"
# shports="22"
# block log quick from <blacklist> label "Blacklisted"
# pass in log quick proto { tcp } from any port >1024 to any port { $shports } \
#   label "SCT/Login:$dstport" keep state (max-src-conn 5, \
#   max-src-conn-rate 15/30 overload <blacklist> flush global)

TABLE="blacklist"                  # pf table filled by the overload rule
BLIST="/etc/pf.hosts-blacklist"    # persistent copy the table is loaded from
PFLOG="/var/log/pflog*"            # binary pflog files read by tcpdump

trap 'exit 1' 2

umask 077
readonly TABLE PFLOG BLIST

# Bail out early if the table is not defined in the running ruleset.
pfctl -t $TABLE -T show >/dev/null 2>&1
if [ $? -ne 0 ]; then
        echo "$0: Table $TABLE was not found, exiting..."
        exit 1
fi

if [ ! -f $BLIST ]; then
        echo "$0: File $BLIST was not found, exiting..."
        exit 1
fi

# Two scratch files; each mktemp is checked on its own (the original
# only tested the exit status of the second one).
TMPFILE1=$(mktemp /tmp/.pflog_fil.XXXXXX) || {
        echo "$0: Can't create temp file, exiting..."; exit 1; }
TMPFILE2=$(mktemp /tmp/.pflog_fil.XXXXXX) || {
        echo "$0: Can't create temp file, exiting..."; rm -f $TMPFILE1; exit 1; }

readonly TMPFILE1 TMPFILE2

# Pull the source addresses of logged packets out of the pflog files:
# field 2 of "tcpdump -tn" output is "src.port", cut drops the port, and
# the sed expressions blank out the local net, a few hosts that must
# never be listed, and anything containing ':' (IPv6).
_pcap_fil(){
        for logfile in $PFLOG; do
          if [ -f $logfile ]; then
                tcpdump -tnr $logfile 2>/dev/null |\
                awk '{print $2}' |\
                cut -f1-4 -d. |\
                sed -e 's/192\.168\.31.*//' \
                    -e 's/1\.1\.1\.1//' \
                    -e 's/2\.2\.2\.2//' \
                    -e 's/0\.0\.0\.0//' \
                    -e 's/.*:.*//' |\
                sort -n |uniq
          else
                echo "$0: No log files found, exiting..."
                exit 1
          fi
        done
}

# Uncomment this line to use IPs from pflogs.
# WARNING: Be careful that your good hosts do not
# actually get blacklisted by this.
#_pcap_fil |sort -n |uniq - $TMPFILE1

# Merge the on-disk list (first column only) with the live table contents.
cat $BLIST |awk '{print $1}' >>$TMPFILE1
pfctl -t $TABLE -T show |awk '{print $1}' >>$TMPFILE1

for ipaddr in $(cat $TMPFILE1); do
        echo $ipaddr >>$TMPFILE2
done

echo "Statistics:"
echo " - Old count in table store:" ;wc -l $BLIST ;echo
# The sorted, deduplicated union becomes the new persistent blacklist ...
sort -n $TMPFILE2 |uniq - $BLIST
echo " - New count in table store:" ;wc -l $BLIST ;echo
echo " - Changes to running table:"
echo -n "       "
# ... and is pushed into the running table (pfctl reports how many were added).
pfctl -t $TABLE -T add `cat $BLIST`

rm -f $TMPFILE1 $TMPFILE2
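As an added example, not the attached pflog_fil.sh nor anything else from this thread, here is a POSIX sh rework of the same three steps (extract source addresses from tcpdump's rendering of a pflog, merge them with the on-disk list and the live <blacklist> table, push only the difference into the table with pfctl) with the safeguard the attachment's WARNING asks for built in: every candidate must be a valid dotted quad, and the local net and a whitelist are removed before anything can reach the table. The tcpdump lines, the table dump and the blacklist file below are constructed samples; LOCALNET, WHITELIST and the PFCTL override are assumed values, not settings from the original script.

```shell
#!/bin/sh
# Added example (not the mailing-list attachment). Assumes tcpdump -tnr prints
# pflog entries as "IP <src>.<sport> > <dst>.<dport>: ..." (the form the
# attached script's awk '{print $2}' relies on) and that 'pfctl -T show'
# prints one indented address per line.

LOCALNET="192.168.31."          # assumed local prefix; never blacklist it
WHITELIST="203.0.113.50"        # assumed always-allowed hosts, space separated
TABLE="blacklist"
PFCTL="${PFCTL:-echo pfctl}"    # set PFCTL=pfctl to really modify the table

# Constructed 'tcpdump -tnr /var/log/pflog' lines (not a real capture).
SAMPLE_PFLOG='IP 203.0.113.10.51234 > 192.168.31.5.22: Flags [S], seq 1, win 65535, length 0
IP 192.168.31.7.40001 > 192.168.31.5.22: Flags [S], seq 1, win 65535, length 0
IP 198.51.100.23.45678 > 192.168.31.5.22: Flags [S], seq 1, win 65535, length 0
IP6 2001:db8::1.50000 > 2001:db8::5.22: Flags [S], seq 1, win 65535, length 0
IP 203.0.113.50.6000 > 192.168.31.5.22: Flags [S], seq 1, win 65535, length 0
IP 203.0.113.10.51235 > 192.168.31.5.22: Flags [S], seq 2, win 65535, length 0
IP 203.0.113.300.1 > 192.168.31.5.22: malformed line, constructed on purpose'

# Constructed 'pfctl -t blacklist -T show' output (addresses are indented).
SAMPLE_TABLE='   198.51.100.23
   192.0.2.44'

# Constructed /etc/pf.hosts-blacklist contents; only the first column is an address.
SAMPLE_BLIST='192.0.2.44 first seen 2009-12-01
203.0.113.99'

# Read tcpdump -tnr text on stdin, print one validated, deduplicated IPv4
# source address per line. IPv6 lines, bad octets, the local net and
# whitelisted hosts are dropped here instead of by blind sed deletions.
extract_sources() {
    awk -v localnet="$LOCALNET" -v allow="$WHITELIST" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "IP" {
        src = $2; sub(/\.[0-9]+$/, "", src)          # strip ".<sport>"
        if (split(src, o, ".") != 4) next
        for (i = 1; i <= 4; i++)
            if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) next
        if (index(src, localnet) == 1) next
        if (src in ok) next
        print src
    }' | sort -t. -k1,1n -k2,2n -k3,3n -k4,4n -u
}

# Union of the running table ($1), the on-disk file ($2) and new candidates
# ($3): well-formed addresses only, sorted and deduplicated.
merge_lists() {
    printf '%s\n%s\n%s\n' "$1" "$2" "$3" |
    awk '$1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $1 }' |
    sort -t. -k1,1n -k2,2n -k3,3n -k4,4n -u
}

# Entries of the merged list ($2) not yet in the running table ($1): the
# only addresses a 'pfctl -T add' would change, so they can be reported.
table_additions() {
    have=$(printf '%s\n' "$1" | awk '{ print $1 }' | tr '\n' ' ')
    printf '%s\n' "$2" | awk -v have="$have" '
    BEGIN { n = split(have, h, " "); for (i = 1; i <= n; i++) seen[h[i]] = 1 }
    NF && !($1 in seen) { print $1 }'
}

# Run the pipeline on the constructed data; pf is untouched unless PFCTL=pfctl.
NEW_SOURCES=$(printf '%s\n' "$SAMPLE_PFLOG" | extract_sources)
MERGED=$(merge_lists "$SAMPLE_TABLE" "$SAMPLE_BLIST" "$NEW_SOURCES")
ADDITIONS=$(table_additions "$SAMPLE_TABLE" "$MERGED")

echo "Statistics:"
echo " - entries in merged blacklist: $(printf '%s\n' "$MERGED" | wc -l | tr -d ' ')"
echo " - new for running table:       $(printf '%s\n' "$ADDITIONS" | grep -c .)"
# In production $MERGED would be written back to the file named in the
# 'table <blacklist> file ...' line so a ruleset reload keeps the entries.
if [ -n "$ADDITIONS" ]; then
    $PFCTL -t "$TABLE" -T add $ADDITIONS
fi
```

Run as is it only prints the pfctl command it would issue; the whitelist is checked before the table is touched, which is the order the attachment's commented-out `_pcap_fil` line cannot guarantee, and reporting only the additions keeps the hourly cron output meaningful instead of re-adding the whole file every run.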




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1507588526.20091229122710>