From owner-freebsd-security@FreeBSD.ORG Thu Aug 21 18:47:24 2008
Date: Thu, 21 Aug 2008 11:31:30 -0700
From: David Wolfskill
To: Mikhail Teterin
Cc: freebsd-security@freebsd.org, freebsd-stable@freebsd.org
Subject: Re: machine hangs on occasion - correlated with ssh break-in attempts
Message-ID: <20080821183130.GQ801@bunrab.catwhisker.org>
In-Reply-To: <48ADA81E.7090106@aldan.algebra.com>
References: <48ADA81E.7090106@aldan.algebra.com>
User-Agent: Mutt/1.4.2.1i
List-Id: "Security issues [members-only posting]"
On Thu, Aug 21, 2008 at 01:38:38PM -0400, Mikhail Teterin wrote:
> ...
> I wrote an awk-script, which adds a block of the attacking IP-address to
> the ipfw-rules after three such "invalid user" attempts with:
>
> ipfw add 550 deny ip from ip
>
> The script is fed by syslogd directly -- through a syslog.conf rule
> ("|/opt/sbin/auth-log-watch").
> ...

At a previous employer, we were building mail relay boxen (FreeBSD 6.0 -
6.2 timeframe); at one point, It Was Decided that rather than having
/var/log/maillog written directly by syslogd(8), syslogd(8) would feed a
Perl script that would do some "Database Things" and then get around to
appending to /var/log/maillog itself.

While the amount of work involved was assuredly greater in that case than
in yours, those of us who were actually building and running the relays in
question were very unsurprised when Postfix performance improved
significantly following a redesign of the application, so that
/var/log/maillog was written by syslogd(8) and the Perl script was
effectively fed via "tail -F".

> Once in a while I manually flush these rules... Is this a good (safe)
> reaction?

I also see such things (on my home "firewall" machine); my approach is
quite a bit different. If folks are interested, I could probably discuss
it a bit, but I believe that would be, at best, tangential to your note,
and thus ought not be crafted as if it were part of the thread -- and
definitely does not warrant the cross-post.

> ...

Peace,
david
-- 
David H. Wolfskill                              david@catwhisker.org
Depriving a girl or boy of an opportunity for education is evil.

See http://www.catwhisker.org/~david/publickey.gpg for my public key.
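An added example, not Mikhail's awk script nor anything from the thread: a watcher written to sit behind "tail -F" of the log file, as David suggests, instead of on syslogd's pipe. It counts "Invalid user" lines per source address, validates the address before it gets anywhere near ipfw (the username on that line is chosen by whoever is knocking), skips a never-block list so an admin cannot be locked out, and builds the ipfw command as an argv list rather than a shell string. The rule number 550 and the three-attempt threshold come from the thread; the sshd line format, the sample lines and the never-block networks are constructed.

```python
"""Auth-log watcher: tail -F /var/log/auth.log | python3 auth_log_watch.py"""
import ipaddress
import re
import subprocess
import sys
from collections import Counter

THRESHOLD = 3        # attempts before blocking, as in the thread
RULE_NUMBER = 550    # ipfw rule number used in the thread
# Addresses that must never be blocked (constructed list: loopback, RFC 1918,
# and 192.0.2.0/24 standing in for an admin network). Prevents self-lockout.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "::1/128", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "192.0.2.0/24")]
# OpenSSH logs "Invalid user <name> from <addr>[ port N]". The name is
# attacker-chosen, so it is matched but never used; the address is validated.
LINE_RE = re.compile(r"sshd\[\d+\]: Invalid user \S+ from (\S+)")


class AuthLogWatcher:
    """Per-source counter; feed() returns an address the first time it
    reaches the threshold and None in every other case."""

    def __init__(self, threshold=THRESHOLD):
        self.threshold = threshold
        self.seen = Counter()
        self.blocked = set()

    def feed(self, line):
        m = LINE_RE.search(line)
        if not m:
            return None
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:      # hostname or injected junk: never reaches ipfw
            return None
        if any(ip in net for net in NEVER_BLOCK):
            return None
        self.seen[ip] += 1
        if self.seen[ip] < self.threshold or ip in self.blocked:
            return None
        self.blocked.add(ip)    # one rule per source, even if attempts continue
        return str(ip)


def ipfw_argv(ip):
    """The thread's rule as an argv list; no shell ever parses log data."""
    return ["ipfw", "-q", "add", str(RULE_NUMBER),
            "deny", "ip", "from", ip, "to", "any"]


if __name__ == "__main__":
    watcher = AuthLogWatcher()
    for line in sys.stdin:
        ip = watcher.feed(line)
        if ip:
            subprocess.run(ipfw_argv(ip), check=False)
```

Rules added this way still accumulate under number 550 until someone runs "ipfw delete 550", so the manual flush Mikhail describes remains part of the procedure.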