From owner-freebsd-security@FreeBSD.ORG Fri Oct 2 00:30:15 2009
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 4296C106566B; Fri, 2 Oct 2009 00:30:15 +0000 (UTC) (envelope-from me@johnea.net)
Received: from mail.johnea.net (johnea.net [70.167.123.7]) by mx1.freebsd.org (Postfix) with ESMTP id 2AE8C8FC12; Fri, 2 Oct 2009 00:30:14 +0000 (UTC)
Received: from [192.168.100.239] (vhost.johnea.net [192.168.100.239]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.johnea.net (Postfix) with ESMTPSA id E1DE273F184D; Thu, 1 Oct 2009 17:05:36 -0700 (PDT)
Message-ID: <4AC545C3.9020608@johnea.net>
Date: Thu, 01 Oct 2009 17:13:55 -0700
From: johnea
User-Agent: Thunderbird 2.0.0.22 (X11/20090719)
MIME-Version: 1.0
To: freebsd-security@freebsd.org
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Subject: openssh concerns
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues [members-only posting]"
X-List-Received-Date: Fri, 02 Oct 2009 00:30:15 -0000

Hello,

Sorry if this is dumb as ditch water but I just felt like I should ask.

I've been running an independent host here for the last 5 years with the usual toaster services: http, smtp, and imap all using ssl, and ssh for remote login.

I installed sshguard after dealing with the incessant brute force crack attempts.

Lately I've been under ssh attack by a botnet with hundreds of IPs.

The thing that concerned me is an entry I saw in netstat showing my system connecting back to a machine that was attempting to log in to ssh.

This is where I may be a braindead noob, but is that normal? Does the ssh server establish a socket to a client attempting login?

The details from netstat are below along with a bunch of other info that seemed relevant.

Thank you so much for considering my question and for your work on the FreeBSD project.

johnea

~~~~~~~~~~~~~~~~~~~~~~ issue information ~~~~~~~~~~~~~~~~~~~~~~

atom# openssl version
OpenSSL 0.9.8e 23 Feb 2007

atom# uname -a
FreeBSD atom.johnea.net 7.1-RELEASE-p6 FreeBSD 7.1-RELEASE-p6 #0: Tue Jun 9 16:26:47 UTC 2009 root@i386-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC i386

from netstat:
tcp4 0 0 atom.60448 host154.advance.com.ar.auth TIME_WAIT
tcp4 0 0 atom.ssh host154.advance.com.ar.37833 TIME_WAIT

from auth.log:

The same IP as above:
Oct 1 15:51:56 atom sshd[84887]: warning: /etc/hosts.allow, line 37: can't verify hostname: getaddrinfo(host154.advance.com.ar, AF_INET) failed

Other example entries from auth.log:
Oct 1 13:45:55 atom sshd[82209]: error: PAM: authentication error for root from 222.211.93.81
Oct 1 13:47:14 atom sshd[82252]: error: PAM: authentication error for root from 217.77.72.115
Oct 1 13:47:29 atom sshd[82266]: error: PAM: authentication error for root from 60.170.80.198
Oct 1 13:48:23 atom sshd[82271]: error: PAM: authentication error for root from 201.26.169.150
Oct 1 13:49:11 atom sshd[82279]: error: PAM: authentication error for root from 200.36.249.22
Oct 1 13:50:11 atom sshd[82291]: error: PAM: authentication error for root from 80.152.227.160
Oct 1 13:50:47 atom sshd[82300]: error: PAM: authentication error for root from 80.108.8.74
Oct 1 13:51:38 atom sshd[82311]: error: PAM: authentication error for root from 58.60.106.119
Oct 1 13:52:27 atom sshd[82371]: error: PAM: authentication error for root from 200.36.249.22
Oct 1 13:53:21 atom sshd[82378]: error: PAM: authentication error for root from 74.218.172.158
Oct 1 13:54:05 atom sshd[82384]: error: PAM: authentication error for root from 220.248.9.163
Oct 1 13:54:55 atom sshd[82394]: error: PAM: authentication error for root from 58.60.106.199
Oct 1 13:56:31 atom sshd[82419]: error: PAM: authentication error for root from 222.128.48.222
Oct 1 13:57:22 atom sshd[82472]: error: PAM: authentication error for root from 83.65.166.74
Oct 1 13:58:20 atom sshd[82482]: error: PAM: authentication error for root from 81.244.253.110
Oct 1 13:59:02 atom sshd[82492]: error: PAM: authentication error for root from 76.12.185.151
Oct 1 13:59:49 atom sshd[82505]: error: PAM: authentication error for root from 200.41.97.213
Oct 1 14:00:00 atom newsyslog[82517]: logfile turned over due to size>100K
Oct 1 15:50:58 atom sshd[84875]: error: PAM: authentication error for root from 74.56.151.159
Oct 1 15:51:56 atom sshd[84887]: warning: /etc/hosts.allow, line 37: can't verify hostname: getaddrinfo(host154.advance.com.ar, AF_INET) failed
Oct 1 15:51:58 atom sshd[84887]: refused connect from 200.51.40.154 (200.51.40.154)
Oct 1 15:52:49 atom sshd[84943]: warning: /etc/hosts.allow, line 37: can't verify hostname: getaddrinfo(static.khi77.pie.net.pk, AF_INET) failed
Oct 1 15:52:49 atom sshd[84943]: refused connect from 221.120.201.71 (221.120.201.71)
Oct 1 15:53:43 atom sshd[84955]: error: PAM: authentication error for root from 196.211.146.154
Oct 1 15:54:30 atom sshd[84964]: error: PAM: authentication error for root from 74.239.115.130
Oct 1 15:55:18 atom sshd[84990]: warning: /etc/hosts.allow, line 37: can't verify hostname: getaddrinfo(mail.iesmos.ru, AF_INET) failed
Oct 1 15:55:19 atom sshd[84990]: refused connect from 217.147.21.166 (217.147.21.166)
Oct 1 15:55:53 atom sshd[84994]: error: PAM: authentication error for root from 80.152.227.160
Oct 1 15:57:39 atom sshd[85042]: error: PAM: authentication error for root from 124.232.131.156
Oct 1 15:58:32 atom sshd[85048]: error: PAM: authentication error for root from 83.65.166.74
Oct 1 15:59:12 atom sshd[85062]: error: PAM: authentication error for root from 218.204.223.214
Oct 1 16:00:01 atom sshguard[83827]: Got exit signal, flushing blocked addresses and exiting...
Oct 1 16:00:01 atom sshguard[85089]: Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan.
Oct 1 16:00:03 atom sshd[85092]: warning: /etc/hosts.allow, line 37: can't verify hostname: getaddrinfo(adsl3-pool
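An added triage example, not part of johnea's post and not FreeBSD or OpenSSH code: a Python script that parses the netstat and auth.log excerpts quoted in the message and shows why the "connecting back" entry is worth checking against the port name. In BSD netstat output the port is whatever follows the last dot of an endpoint, and the port named "auth" is TCP 113, the ident (RFC 1413) service, so a connection from a high local port to the peer's auth port is the server querying the peer's identd about the incoming socket, not an SSH session opened toward the attacker. Such lookups are made by the tcp_wrappers library behind /etc/hosts.allow when a rule calls for them; that this is the cause here is an inference from the hosts.allow warning carrying the same hostname and sshd PID, which the script correlates. The sample lines are copied from the post; every function and variable name is mine.

```python
import re
from collections import Counter, defaultdict

# Excerpts copied from the post (netstat and auth.log), not constructed.
NETSTAT_LINES = [
    "tcp4 0 0 atom.60448 host154.advance.com.ar.auth TIME_WAIT",
    "tcp4 0 0 atom.ssh host154.advance.com.ar.37833 TIME_WAIT",
]
AUTH_LOG_LINES = [
    "Oct 1 13:45:55 atom sshd[82209]: error: PAM: authentication error for root from 222.211.93.81",
    "Oct 1 13:49:11 atom sshd[82279]: error: PAM: authentication error for root from 200.36.249.22",
    "Oct 1 13:52:27 atom sshd[82371]: error: PAM: authentication error for root from 200.36.249.22",
    "Oct 1 15:51:56 atom sshd[84887]: warning: /etc/hosts.allow, line 37: can't verify hostname: getaddrinfo(host154.advance.com.ar, AF_INET) failed",
    "Oct 1 15:51:58 atom sshd[84887]: refused connect from 200.51.40.154 (200.51.40.154)",
    "Oct 1 16:00:01 atom sshguard[85089]: Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan.",
]

# Port names/numbers that identify an ident (RFC 1413) lookup we initiated.
IDENT_PORTS = {"auth", "ident", "113"}

NETSTAT_RE = re.compile(
    r"^(?P<proto>tcp[46]?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<state>\S+)$")
PAM_FAIL_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: error: PAM: authentication error for (?P<user>\S+) from (?P<ip>\S+)$")
REFUSED_RE = re.compile(r"sshd\[(?P<pid>\d+)\]: refused connect from (?P<ip>\S+)")
HOSTNAME_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: warning: /etc/hosts\.allow, line (?P<rule>\d+): "
    r"can't verify hostname: getaddrinfo\((?P<host>[^,]+),")


def split_addr(addr):
    """BSD netstat prints host.port; the port is everything after the last dot."""
    host, _, port = addr.rpartition(".")
    return host, port


def parse_netstat(lines):
    """Turn netstat rows into dicts with the endpoints split into host and port."""
    out = []
    for line in lines:
        m = NETSTAT_RE.match(line.strip())
        if not m:
            continue  # header or non-TCP row
        lhost, lport = split_addr(m["local"])
        rhost, rport = split_addr(m["remote"])
        out.append({"local_host": lhost, "local_port": lport,
                    "remote_host": rhost, "remote_port": rport, "state": m["state"]})
    return out


def classify(conn):
    """Label a socket: our ident query to the peer, an inbound SSH session, or other."""
    if conn["remote_port"] in IDENT_PORTS:
        return "ident-lookup"  # we asked the peer's identd who owns the connecting socket
    if conn["local_port"] == "ssh":
        return "inbound-ssh"
    return "other"


def parse_auth_log(lines):
    """Summarise sshd events; lines from other daemons are ignored."""
    failures = Counter()      # ip -> PAM failures
    users = defaultdict(set)  # ip -> usernames tried
    refused = {}              # sshd pid -> ip rejected by tcp_wrappers
    unverified = {}           # sshd pid -> (hostname that failed the DNS check, rule line)
    for line in lines:
        if (m := PAM_FAIL_RE.search(line)):
            failures[m["ip"]] += 1
            users[m["ip"]].add(m["user"])
        elif (m := REFUSED_RE.search(line)):
            refused[m["pid"]] = m["ip"]
        elif (m := HOSTNAME_RE.search(line)):
            unverified[m["pid"]] = (m["host"], int(m["rule"]))
    return {"failures": failures, "users": dict(users),
            "refused": refused, "unverified": unverified}


def triage(netstat_lines, auth_lines):
    """Cross-reference outbound ident peers with the hosts.allow warnings by sshd pid."""
    conns = parse_netstat(netstat_lines)
    log = parse_auth_log(auth_lines)
    ident_peers = {c["remote_host"] for c in conns if classify(c) == "ident-lookup"}
    # A hostname seen both as an ident peer and in a hosts.allow warning, whose sshd
    # child then refused the connection, resolves the peer to the refused IP.
    ident_peer_ips = {log["refused"][pid] for pid, (host, _) in log["unverified"].items()
                      if host in ident_peers and pid in log["refused"]}
    return {"ident_peers": ident_peers,
            "ident_peer_ips": ident_peer_ips,
            "top_failures": log["failures"].most_common(3),
            "refused_ips": set(log["refused"].values())}


if __name__ == "__main__":
    for key, value in triage(NETSTAT_LINES, AUTH_LOG_LINES).items():
        print(f"{key}: {value}")
```

Run it against a full `netstat -an` and `/var/log/auth.log` by swapping the two lists for file contents; a connection classified as "ident-lookup" whose peer also appears in a hosts.allow warning is the pattern from the post, and the per-IP failure counts are what a blocker such as sshguard keys on.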