From: Cody Baker
Date: Sat, 04 Jun 2005 15:31:36 -0400
To: john@day-light.com
Cc: freebsd-isp@freebsd.org
Subject: Re: inbound ssh ceased on 4 servers at same time
Message-ID: <42A20198.90603@wilkshire.net>

Are they really denying the connections or rather just timing out?
We had a similar issue a while back where all of our back end servers on a private network were taking forever/never authenticating SSH and a few other services. It turned out that the reverse lookup started failing because in the past our upstream had 10.x.x.x set in their DNS to deliver an nxdomain. Whatever server they had that reverse zone pointed to was either taken offline or set up to drop outside requests, making it so when any of our systems on this private network would ssh to another it would try the reverse and sit for minutes waiting for a response. We solved this by implementing a DNS server on this private network.

Thank You,
Cody Baker
cody@wilkshire.net
330.874.9030
http://www.wilkshire.net

John Brooks wrote:

>Thanks, sounds good to do on the outward facing firewall. These
>four freebsd boxes are protected behind an openbsd firewall so
>none of the brute-force sshd attacks have ever reached them.
>
>All four machines were updated (buildworld) exactly 30 days
>earlier, and all developed this behavior at the same time.
>Seems almost too much of a coincidence. I guess it's time to
>start checksumming binaries with boxes on other networks not
>exhibiting this problem.
>
>--
>John Brooks
>john@day-light.com
>
>>-----Original Message-----
>>From: Brian Reichert [mailto:reichert@numachi.com]
>>Sent: Saturday, June 04, 2005 12:48 PM
>>To: John Brooks
>>Cc: freebsd-isp@freebsd.org
>>Subject: Re: inbound ssh ceased on 4 servers at same time
>>
>>On Sat, Jun 04, 2005 at 12:10:28AM -0500, John Brooks wrote:
>>
>>>today at about noon, all four freebsd servers on a client's LAN
>>>quit accepting ssh connections.
>>
>>I've been seeing a lot of brute-force sshd attacks, which leave
>>a lot of connections in an awkward state.
>>I've done this for my
>>primary sshd server, and seems to have alleviated my problems:
>>
>>LoginGraceTime 60
>>MaxStartups 10:30:60
>>
>>>--
>>>John Brooks
>>>john@day-light.com
>>
>>--
>>Brian Reichert
>>55 Crystal Ave. #286 Daytime number: (603) 434-6842
>>Derry NH 03038-1725 USA BSD admin/developer
>>at large
>>
>_______________________________________________
>freebsd-isp@freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-isp
>To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"
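
Added example, not part of the original thread or written by any of its participants: a Python check for the two questions raised in the reply above, whether sshd is actively refusing connections or stalling, and whether the reverse (PTR) lookup for a client address answers promptly or hangs. The function names, state labels and sample addresses are assumptions of this example.

```python
import socket
import threading
import time

def probe_ssh(host, port=22, timeout=5.0):
    """Return (state, seconds): is the server refusing, or stalling before its banner?"""
    t0 = time.monotonic()
    try:
        conn = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused", time.monotonic() - t0            # active denial (TCP RST)
    except socket.timeout:
        return "connect-timeout", time.monotonic() - t0    # no answer to the SYN
    with conn:
        try:
            banner = conn.recv(255)    # an SSH server speaks first: "SSH-2.0-..."
        except socket.timeout:
            return "banner-timeout", time.monotonic() - t0  # accepted, then stalled
        except ConnectionResetError:
            banner = b""
    if not banner:
        return "closed-before-banner", time.monotonic() - t0
    return "ok", time.monotonic() - t0

def timed_reverse_lookup(ip, limit=5.0):
    """Return (state, seconds) for the PTR lookup of ip, giving up after limit."""
    result = {}
    def work():
        try:
            result["name"] = socket.gethostbyaddr(ip)[0]
        except OSError:                # herror/gaierror: a prompt negative answer
            result["name"] = None
    t0 = time.monotonic()
    worker = threading.Thread(target=work, daemon=True)
    worker.start()
    worker.join(limit)
    elapsed = time.monotonic() - t0
    if worker.is_alive():
        return "hung", elapsed         # resolver never answered within the limit
    return ("resolved" if result["name"] else "no-ptr"), elapsed

if __name__ == "__main__":
    # Constructed sample targets; substitute your own server and client addresses.
    print(probe_ssh("127.0.0.1", 22, timeout=3.0))
    print(timed_reverse_lookup("10.0.0.5", limit=3.0))
```

Run the lookup from the server side against a client's private address: a quick "no-ptr" is the healthy case described in the reply, while "hung" matches the minutes-long wait it reports.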