Date:      Thu, 21 Aug 2008 11:49:47 -0700
From:      "Kevin Oberman" <oberman@es.net>
To:        Mikhail Teterin <mi+mill@aldan.algebra.com>
Cc:        freebsd-security@freebsd.org, freebsd-stable@FreeBSD.org
Subject:   Re: machine hangs on occasion - correlated with ssh break-in attempts 
Message-ID:  <20080821184947.BDAE94500F@ptavv.es.net>
In-Reply-To: Your message of "Thu, 21 Aug 2008 13:38:38 EDT." <48ADA81E.7090106@aldan.algebra.com> 

> Date: Thu, 21 Aug 2008 13:38:38 -0400
> From: Mikhail Teterin <mi+mill@aldan.algebra.com>
> Sender: owner-freebsd-stable@freebsd.org
> 
> Hello!
> 
> A machine I manage remotely for a friend comes under a distributed ssh 
> break-in attack every once in a while. Annoyed (and alarmed) by the 
> messages like:
> 
> Aug 12 10:21:17 symbion sshd[4333]: Invalid user mythtv from 85.234.158.180
> Aug 12 10:21:18 symbion sshd[4335]: Invalid user mythtv from 85.234.158.180
> Aug 12 10:21:20 symbion sshd[4337]: Invalid user mythtv from 85.234.158.180
> Aug 12 10:21:21 symbion sshd[4339]: Invalid user mythtv from 85.234.158.180
> 
> I wrote an awk-script, which adds a block of the attacking IP-address to 
> the ipfw-rules after three such "invalid user" attempts with:
> 
>     ipfw add 550 deny ip from <attacker-ip> to any
> 
> The script is fed by syslogd directly -- through a syslog.conf rule 
> ("|/opt/sbin/auth-log-watch").
> 
> Once in a while I manually flush these rules... Is this a good (safe) 
> reaction?
> I'm asking, because the machine (currently running 7.0 as of July 7) 
> hangs solid once every few weeks... My only guess is that a spike in 
> attacks causes "too many" ipfw-entries created, which paralyzes the 
> kernel due to some bug -- the machine is running natd and is the gateway 
> for the rest of the network...
> The hangs could, of course, be caused by something else entirely, but my 
> self-defense mechanism is my first suspect...
> 
> Any comments? Thanks!

Looks remarkably like sshguard (ports/security/sshguard-*). It does almost
exactly what you are doing but is written in C and has command-line
switches to set how long a system is blocked, how many attempts
constitute an attack and how long it should remember failed attempts. It
also allows the use of back-end scripts if you want it to do something
else such as generate reports (beyond an entry in /var/log/messages).

As far as the hangs, I don't believe it is from the large number of
brute force attempts as they will stop for a given host as soon as the
firewall is updated. I seldom see more than a handful of attack sources
over any short period.

Should you want to continue with your own tool, at least for IPv4,
consider using tables rather than a raft of rules. With tables, you need
only a single rule and it is there at boot time.
-- 
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman@es.net			Phone: +1 510 486-8634
Key fingerprint:059B 2DDF 031C 9BA3 14A4  EADA 927D EBB3 987B 3751
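Kevin's table suggestion applied to the syslog-fed watcher Mikhail describes, as an added example that is not code from either poster. The table number, the reuse of rule 550, the threshold and the awk pattern are assumptions; the blocking step is kept separate and dry-runnable so the parsing can be exercised without ipfw.

```shell
#!/bin/sh
# Added example, not code from the thread: a syslog-fed watcher that blocks
# repeat "Invalid user" sources through ONE ipfw table rule instead of adding a
# deny rule per attacker. Table number, rule number and threshold are assumptions.
# One-time setup (e.g. in rc.firewall), so the rule exists at boot:
#   ipfw add 550 deny ip from table\(1\) to any
# syslog.conf then feeds this script:  auth.info  |/opt/sbin/auth-log-watch
THRESHOLD=${THRESHOLD:-3}   # "Invalid user" attempts before a source is blocked
TABLE=${TABLE:-1}           # ipfw table holding blocked sources

# block_list: read sshd log lines on stdin; print a source address exactly once,
# on the attempt that reaches THRESHOLD (later attempts from it print nothing).
block_list() {
    awk -v limit="$THRESHOLD" '
        # sshd line shape: "... sshd[PID]: Invalid user NAME from A.B.C.D[ port N]"
        /sshd\[[0-9]+\]: Invalid user .* from / {
            sub(/.* from /, ""); ip = $1
            # the table in this example holds IPv4 only; skip anything else
            if (ip !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next
            if (++count[ip] == limit) print ip
        }'
}

# block_ip: add one address to the ipfw table; with DRY_RUN=1 only print the command.
block_ip() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "ipfw table $TABLE add $1"
    else
        ipfw table "$TABLE" add "$1"
    fi
}
# Constructed sample input: the four lines quoted in the thread, one attempt from
# a second source (192.0.2.10, a documentation address) that stays under the
# threshold, and an unrelated successful login that must not match.
sample_lines() {
    cat <<'EOF'
Aug 12 10:21:17 symbion sshd[4333]: Invalid user mythtv from 85.234.158.180
Aug 12 10:21:18 symbion sshd[4335]: Invalid user mythtv from 85.234.158.180
Aug 12 10:21:20 symbion sshd[4337]: Invalid user mythtv from 85.234.158.180
Aug 12 10:21:21 symbion sshd[4339]: Invalid user mythtv from 85.234.158.180
Aug 12 10:21:22 symbion sshd[4341]: Invalid user admin from 192.0.2.10
Aug 12 10:21:30 symbion sshd[4343]: Accepted publickey for mi from 192.0.2.20 port 50000 ssh2
EOF
}
# Streaming mode, enabled by AUTH_LOG_WATCH_MAIN=1 so the functions can also be
# sourced and exercised on sample_lines without blocking on stdin.
if [ "${AUTH_LOG_WATCH_MAIN:-0}" = 1 ]; then
    block_list | while read -r ip; do block_ip "$ip"; done
fi
```

Run as `AUTH_LOG_WATCH_MAIN=1 DRY_RUN=1 sh auth-log-watch < /var/log/auth.log` to see which table entries the script would add; clearing the table later is a single `ipfw table 1 flush` rather than deleting a raft of numbered rules.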
