Date: Thu, 21 Aug 2008 13:28:30 -0600
From: Neil Neely <neil@neely.cx>
To: Mikhail Teterin <mi+mill@aldan.algebra.com>
Cc: freebsd-security@freebsd.org, freebsd-stable@FreeBSD.org
Subject: Re: machine hangs on occasion - correlated with ssh break-in attempts
Message-ID: <B9E94DF3-52B5-4A5E-9BDF-18773F34DF91@neely.cx>
In-Reply-To: <48ADA81E.7090106@aldan.algebra.com>
References: <48ADA81E.7090106@aldan.algebra.com>
I haven't explored this issue enough to speak with any authority - but once upon a time I had an app doing tons of ipfw rule add/removes all the time and we had no end of performance and stability problems on that box (this would have been in 4.x or so timeline I expect). As that approach wasn't really critical we abandoned it without really digging into the details.

Years later a need for lots of rapid firewall changes came up again and I drilled into it and found the use of tables was excellent for doing this and it does the job very well. This approach is on a FreeBSD 6.3 box.

ipfw add 00550 deny ip from 'table(1)' to any

Then just add/remove entries to table 1 via:

ipfw table 1 add 10.1.1.22/32
ipfw table 1 delete 10.1.1.22/32

Show all entries in table 1 with:

ipfw table 1 list

Clear out the whole of table 1:

ipfw table 1 flush

I can't be sure if this relates to your particular issue, but I would recommend trying it out.

Neil Neely
http://neil-neely.blogspot.com

On Aug 21, 2008, at 11:38 AM, Mikhail Teterin wrote:

> Hello!
>
> A machine I manage remotely for a friend comes under a distributed
> ssh break-in attack every once in a while. Annoyed (and alarmed) by
> the messages like:
>
> Aug 12 10:21:17 symbion sshd[4333]: Invalid user mythtv from 85.234.158.180
> Aug 12 10:21:18 symbion sshd[4335]: Invalid user mythtv from 85.234.158.180
> Aug 12 10:21:20 symbion sshd[4337]: Invalid user mythtv from 85.234.158.180
> Aug 12 10:21:21 symbion sshd[4339]: Invalid user mythtv from 85.234.158.180
>
> I wrote an awk-script, which adds a block of the attacking IP-address
> to the ipfw-rules after three such "invalid user" attempts with:
>
> ipfw add 550 deny ip from ip
>
> The script is fed by syslogd directly -- through a syslog.conf rule
> ("|/opt/sbin/auth-log-watch").
>
> Once in a while I manually flush these rules... Is this a good (safe)
> reaction?
> I'm asking, because the machine (currently running 7.0 as of July 7)
> hangs solid once every few weeks... My only guess is that a spike in
> attacks causes "too many" ipfw-entries created, which paralyzes the
> kernel due to some bug -- the machine is running natd and is the
> gateway for the rest of the network...
> The hangs could, of course, be caused by something else entirely,
> but my self-defense mechanism is my first suspect...
>
> Any comments? Thanks!
>
> -mi
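An added example (not code from either post) that combines Mikhail's log-watching idea with Neil's table suggestion: a POSIX shell function that reads sshd log lines on stdin and emits one `ipfw table 1 add IP/32` command once a source reaches the failure threshold, so the firewall keeps a single `deny ip from 'table(1)' to any` rule instead of one rule per attacker. The function name, the threshold/table arguments and the sample log lines are constructed for this example.

```shell
#!/bin/sh
# Constructed sample sshd log lines (documentation addresses, not from the thread).
SAMPLE_LOG='Aug 12 10:21:17 symbion sshd[4333]: Invalid user mythtv from 192.0.2.10
Aug 12 10:21:18 symbion sshd[4335]: Invalid user mythtv from 192.0.2.10
Aug 12 10:21:19 symbion sshd[4336]: Invalid user admin from 198.51.100.7
Aug 12 10:21:20 symbion sshd[4337]: Invalid user mythtv from 192.0.2.10
Aug 12 10:21:21 symbion sshd[4339]: Invalid user mythtv from 192.0.2.10
Aug 12 10:21:22 symbion sshd[4340]: Accepted publickey for mi from 198.51.100.7 port 50222 ssh2'

# ssh_block_cmds THRESHOLD TABLE < sshd-log
# Hypothetical helper: counts "Invalid user" lines per source address and
# prints "ipfw table TABLE add IP/32" exactly once, the moment a source
# reaches THRESHOLD. Only the commands are printed; nothing is executed here.
ssh_block_cmds() {
    threshold="${1:-3}"
    table="${2:-1}"
    awk -v threshold="$threshold" -v table="$table" '
    /sshd\[[0-9]+\]: Invalid user / {
        # take the field after "from" so a trailing "port N" does not matter
        ip = ""
        for (i = 1; i < NF; i++) if ($i == "from") { ip = $(i + 1); break }
        if (ip == "") next
        if (++fails[ip] == threshold)
            printf "ipfw table %s add %s/32\n", table, ip
    }'
}

# Dry run over the sample: prints "ipfw table 1 add 192.0.2.10/32" only,
# because 198.51.100.7 produced a single failure and one successful login.
printf '%s\n' "$SAMPLE_LOG" | ssh_block_cmds 3 1
```

On the gateway, the one-time rule `ipfw add 00550 deny ip from 'table(1)' to any` is added by hand and the printed commands are piped to `sh` as root; `ipfw table 1 flush` clears the table without touching the rule set.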