From: "John Brooks"
To: "Brian Reichert"
Cc: freebsd-isp@freebsd.org
Date: Sat, 4 Jun 2005 13:14:28 -0500
Subject: RE: inbound ssh ceased on 4 servers at same time

Thanks, sounds good to do on the outward facing firewall. These four
freebsd boxes are protected behind an openbsd firewall so none of the
brute-force sshd attacks have ever reached them. All four machines
were updated (buildworld) exactly 30 days earlier, and all developed
this behavior at the same time. Seems almost too much of a coincidence.
I guess it's time to start checksumming binaries with boxes on other
networks not exhibiting this problem.

--
John Brooks
john@day-light.com

> -----Original Message-----
> From: Brian Reichert [mailto:reichert@numachi.com]
> Sent: Saturday, June 04, 2005 12:48 PM
> To: John Brooks
> Cc: freebsd-isp@freebsd.org
> Subject: Re: inbound ssh ceased on 4 servers at same time
>
>
> On Sat, Jun 04, 2005 at 12:10:28AM -0500, John Brooks wrote:
> > today at about noon, all four freebsd servers on a client's lan
> > quit accepting ssh connections.
>
> I've been seeing a lot of brute-force sshd attacks, which leave
> a lot of connections in an awkward state. I've done this for my
> primary sshd server, and seems to have alleviated my problems:
>
>   LoginGraceTime 60
>   MaxStartups 10:30:60
>
> > --
> > John Brooks
> > john@day-light.com
>
> --
> Brian Reichert
> 55 Crystal Ave. #286        Daytime number: (603) 434-6842
> Derry NH 03038-1725 USA     BSD admin/developer at large
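
Added example, not part of either message and not OpenSSH code: a model of how sshd treats the quoted `MaxStartups 10:30:60` value, following the behaviour documented in sshd_config(5), next to a single-number limit. The function names and the comparison value `10` are assumptions made for this illustration.

```python
# Added illustration: models the MaxStartups behaviour described in sshd_config(5).
# Function names are hypothetical; this is not OpenSSH source code.

def parse_max_startups(spec):
    """Parse 'start:rate:full' or a single number into (start, rate, full)."""
    parts = spec.strip().split(":")
    if len(parts) == 1:
        n = int(parts[0])
        return n, 100, n  # single value: every connection past n is refused
    if len(parts) != 3:
        raise ValueError("illegal MaxStartups spec: %r" % spec)
    start, rate, full = (int(p) for p in parts)
    if start > full or not 1 <= rate <= 100:
        raise ValueError("illegal MaxStartups spec: %r" % spec)
    return start, rate, full

def drop_percent(spec, unauthenticated):
    """Chance (0-100) that a new connection is refused, given the number of
    connections that are currently open but not yet authenticated."""
    start, rate, full = parse_max_startups(spec)
    if unauthenticated < start:
        return 0
    if unauthenticated >= full:
        return 100
    # Linear ramp from rate% at 'start' up to 100% at 'full'.
    return rate + (100 - rate) * (unauthenticated - start) // (full - start)

def compare(specs, counts):
    """Rows of (count, drop% for each spec) for a side-by-side view."""
    return [(c,) + tuple(drop_percent(s, c) for s in specs) for c in counts]

if __name__ == "__main__":
    specs = ["10", "10:30:60"]  # "10" is a constructed single-number setting
    print("unauth  " + "  ".join("%-9s" % s for s in specs))
    for row in compare(specs, [5, 9, 10, 20, 35, 59, 60]):
        print("%-6d  " % row[0] + "  ".join("%3d%%     " % p for p in row[1:]))
```

`LoginGraceTime 60` works alongside this setting: it bounds how long a connection that never authenticates can keep occupying one of the counted slots.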