From owner-freebsd-hackers@FreeBSD.ORG Fri Oct 2 23:47:46 2009
From: jhell <jhellenthal@gmail.com>
Date: Fri, 2 Oct 2009 19:27:33 -0400
To: Greg Larkin
Cc: Jeremy Lea, freebsd-hackers@freebsd.org
Subject: Re: Distributed SSH attack
In-Reply-To: <4AC66E07.4030605@FreeBSD.org>
References: <20091002201039.GA53034@flint.openpave.org> <4AC66E07.4030605@FreeBSD.org>
List-Id: Technical Discussions relating to FreeBSD

On Fri, 2 Oct 2009 17:17 -0000, glarkin wrote:

> Jeremy Lea wrote:
> > Hi,
> >
> > This is off topic to this list, but I don't want to subscribe to -chat
> > just to post there... Someone is currently running a distributed SSH
> > attack against one of my boxes - one attempted login for root every
> > minute or so for the last 48 hours. They won't get anywhere, since the
> > box in question has no root password, and doesn't allow root logins via
> > SSH anyway...
> >
> > But I was wondering if there were any security researchers out there
> > that might be interested in the +-800 IPs I've collected from the
> > botnet? The resolvable hostnames mostly appear to be in Eastern Europe
> > and South America - I haven't spotted any that might be 'findable' to
> > get the botnet software.
> >
> > I could switch out the machine for a honeypot in a VM or a jail, by
> > moving the host to a new IP, and if you can think of a way of allowing
> > the next login to succeed with any password, then you could try to see
> > what they delivered... But I don't have a lot of time to help.
> >
> > Regards,
> >   -Jeremy
>
> Hi Jeremy,
>
> You could set up DenyHosts and contribute to the pool of IPs that are
> attempting SSH logins on the Net:
> http://denyhosts.sourceforge.net/faq.html#4_0
>
> It also looks like there's been quite a spike of SSH login activity
> recently: http://stats.denyhosts.net/stats.html
>
> Hope that helps,
> Greg
> --
> Greg Larkin
>
> http://www.FreeBSD.org/ - The Power To Serve
> http://www.sourcehosting.net/ - Ready. Set. Code.
> http://twitter.com/sourcehosting/ - Follow me, follow you

Another temporary-to-long-term solution might be the following utilities:

ports/security/sshguard-pf
ports/security/expiretable

This is more of a pf-based solution, so that's up to your policies and decision.

Thanks for the post about DenyHosts; I didn't know that existed till this point.

Best regards.
--
%{----------------------------------------------------+
 | dataix.net!jhell         2048R/89D8547E 2009-09-30 |
 | BSD since FreeBSD 4.2    Linux since Slackware 2.1 |
 | 85EF E26B 07BB 3777 76BE B12A 9057 8789 89D8 547E  |
 +----------------------------------------------------%}
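An added example, not part of the thread and not sshguard's, DenyHosts' or expiretable's own code. The pattern Jeremy describes, one root attempt per minute spread over roughly 800 sources, is exactly what a per-source blocker such as sshguard-pf or DenyHosts reacts to weakly: no single address ever reaches its failure threshold. The script below reads sshd log lines on stdin and contrasts the per-source view (what the blocker sees) with the per-account view across sources (where the campaign shows), then prints as a dry run the pfctl table additions that sshguard-pf would otherwise perform. The sample log lines are constructed (RFC 5737 test addresses), and the table name sshguard, the per-source threshold of 4, the pf.conf fragment and the expiretable cron line in the comments are all assumptions rather than anything quoted from the thread.

```shell
#!/bin/sh
# Added example for the thread above (not sshguard's or the list's own code).
# Reads sshd log lines on stdin and separates the per-source view, which is
# all a per-IP blocker acts on, from the per-account view across sources,
# where a low-and-slow distributed campaign becomes visible.
#
# The pf side this feeds (assumed pf.conf fragment; "sshguard" is assumed as
# the table sshguard-pf populates, and expiretable keeps it from growing):
#   table <sshguard> persist
#   block in quick on $ext_if proto tcp from <sshguard> to any port 22
#   # crontab: drop table entries older than a day
#   */10 * * * * /usr/local/sbin/expiretable -v -d -t 24h sshguard

# Constructed sample of FreeBSD auth.log lines: single root attempts from
# five different sources, one noisy source hammering "oracle", and one
# legitimate key login that must not be counted.
SAMPLE_LOG='Oct  2 15:01:03 flint sshd[53034]: Failed password for root from 192.0.2.10 port 51234 ssh2
Oct  2 15:02:11 flint sshd[53041]: Failed password for root from 198.51.100.7 port 40022 ssh2
Oct  2 15:03:07 flint sshd[53050]: Failed password for root from 203.0.113.55 port 33810 ssh2
Oct  2 15:04:15 flint sshd[53062]: Failed password for root from 192.0.2.77 port 51901 ssh2
Oct  2 15:04:40 flint sshd[53063]: Failed password for invalid user oracle from 198.51.100.9 port 41000 ssh2
Oct  2 15:04:41 flint sshd[53064]: Failed password for invalid user oracle from 198.51.100.9 port 41001 ssh2
Oct  2 15:04:42 flint sshd[53065]: Failed password for invalid user oracle from 198.51.100.9 port 41002 ssh2
Oct  2 15:04:43 flint sshd[53066]: Failed password for invalid user oracle from 198.51.100.9 port 41003 ssh2
Oct  2 15:05:20 flint sshd[53070]: Accepted publickey for jeremy from 192.0.2.200 port 50000 ssh2
Oct  2 15:05:30 flint sshd[53071]: Failed password for root from 203.0.113.9 port 33900 ssh2'

# "user ip" for each failed password attempt; "invalid user X" lines included.
failed_attempts() {
    awk '/sshd\[[0-9]+\]: Failed password for / {
        for (i = 1; i <= NF; i++) if ($i == "from") print $(i - 1), $(i + 1)
    }'
}

# Failures per source, busiest first: the only view a per-IP blocker has.
failed_by_source() {
    failed_attempts | awk '{ n[$2]++ } END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Sources whose failure count reaches the per-IP threshold (assumed default 4).
sources_over_threshold() {
    failed_by_source | awk -v t="${1:-4}" '$1 >= t { print $2 }'
}

# Per target account: "user total_failures distinct_sources".
failed_by_user() {
    failed_attempts | awk '{ n[$1]++; pair[$1 " " $2] = 1 }
        END {
            for (k in pair) { split(k, p, " "); srcs[p[1]]++ }
            for (u in n) print u, n[u], srcs[u]
        }' | sort
}

# Accounts hit from at least $2 distinct sources while no single source
# reaches the per-IP threshold $1: the pattern from the thread, which
# per-source blocking never trips on. Prints "user distinct_sources".
distributed_campaigns() {
    failed_attempts | awk -v t="${1:-4}" -v m="${2:-3}" '
        { cnt[$1 " " $2]++ }
        END {
            for (k in cnt) {
                split(k, p, " "); srcs[p[1]]++
                if (cnt[k] >= t) loud[p[1]] = 1
            }
            for (u in srcs) if (srcs[u] >= m && !(u in loud)) print u, srcs[u]
        }' | sort
}

# Dry run of what sshguard-pf does for over-threshold sources: print the
# pfctl table additions instead of executing them.
pf_block_commands() {
    sources_over_threshold 4 | awk -v tbl="${1:-sshguard}" '{ print "pfctl -t " tbl " -T add " $1 }'
}

# Walk the constructed sample through each view.
demo() {
    echo "== failures per source =="
    printf '%s\n' "$SAMPLE_LOG" | failed_by_source
    echo "== sources a per-IP threshold of 4 would block =="
    printf '%s\n' "$SAMPLE_LOG" | sources_over_threshold 4
    echo "== failures per account: user total distinct_sources =="
    printf '%s\n' "$SAMPLE_LOG" | failed_by_user
    echo "== accounts under distributed attack (>=3 sources, none over threshold) =="
    printf '%s\n' "$SAMPLE_LOG" | distributed_campaigns 4 3
    echo "== pf table additions (dry run) =="
    printf '%s\n' "$SAMPLE_LOG" | pf_block_commands sshguard
}
demo
```

On the sample, the per-source view blocks only the noisy 198.51.100.9, while root shows five failures from five distinct sources and none of them would ever be added to the table; that is the gap a per-account or aggregate-rate alert has to cover, whichever blocker is in front of sshd. Against a live box, replace the sample with `tail -n 5000 /var/log/auth.log | distributed_campaigns 4 10`.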