From: Alex de Kruijff
To: Willem Jan Withagen
Cc: freebsd-security@FreeBSD.ORG, "David D.W. Downey"
Date: Mon, 27 Sep 2004 01:44:18 +0200
Subject: Re: Attacks on ssh port
Message-id: <20040926234418.GA1077@alex.lan>
In-reply-to: <41573667.6080509@withagen.nl>

On Sun, Sep 26, 2004 at 11:36:39PM +0200, Willem Jan Withagen wrote:
> David D.W. Downey wrote:
> > On Fri, 24 Sep 2004 23:49:09 +0200, Alex de Kruijff wrote:
> > > > Then you can still see the attempts (and thus log the IP information
> > > > for contacting the abuse@ for the responsible IP controller) while
> > > > limiting your log sizes.
> > >
> > > This only logs the first three catches (when the log attribute is set)
> > > per rule. You may want to set this a little higher, like 100.
> >
> > While I agree my example of 3 was low (meant only to instruct), I would
> > say more along the lines of 25. If someone is hitting you 25 times in
> > a row and getting tagged by that rule, you can bet your butt it's not
> > a client of yours.

The way I understand it was that the rule doesn't discriminate on the basis of IP. It just counts them all together. But I could be wrong about this.

> It is even simpler:
> Anybody trying to use root as user for ssh-login is not a customer
> of mine....
> And if he has not figured out that he's doing something wrong after
> 3 tries, little chance that he is really just making a mistake.

This is the perspective of sshd. IPFW can't see this, and this value is set for all rules.

I use the logging facility mainly as a debugging tool. If I want a certain application to work that is being blocked by ipfw, then I flush the rule counters, run the app, check the log file, then add rules based on my findings, and then do it all again until I can run the app.

My fear is that you don't catch the rules you want to catch if you set this value too low, while with a large(r) value you still stop the logging.

-- 
Alex

Articles based on solutions that I use: http://www.kruijff.org/alex/FreeBSD/
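As an added example (not part of this post or the thread), a POSIX sh/awk filter that does the per-source counting the thread says a single ipfw rule counter cannot do: it reads ipfw deny lines for TCP port 22 from the security log and reports sources at or above Downey's threshold of 25 hits. The log lines are constructed; the field layout assumed is the classic ipfw syslog format `ipfw: RULE ACTION PROTO SRC:PORT DST:PORT DIR via IFACE`.

```shell
#!/bin/sh
# Constructed sample of ipfw(8) syslog lines (not taken from the list post).
SAMPLE_LOG='Sep 27 01:40:01 alex kernel: ipfw: 500 Deny TCP 10.0.0.5:4011 192.168.1.1:22 in via fxp0
Sep 27 01:40:03 alex kernel: ipfw: 500 Deny TCP 10.0.0.5:4012 192.168.1.1:22 in via fxp0
Sep 27 01:40:05 alex kernel: ipfw: 500 Deny TCP 10.0.0.5:4013 192.168.1.1:22 in via fxp0
Sep 27 01:40:09 alex kernel: ipfw: 500 Deny TCP 10.0.0.9:51000 192.168.1.1:22 in via fxp0
Sep 27 01:40:11 alex kernel: ipfw: 500 Deny TCP 10.0.0.5:4014 192.168.1.1:22 in via fxp0
Sep 27 01:40:12 alex kernel: ipfw: 600 Deny UDP 10.0.0.5:53 192.168.1.1:53 in via fxp0
Sep 27 01:40:15 alex kernel: ipfw: 100 Accept TCP 10.0.0.7:2000 192.168.1.1:22 in via fxp0'

# ssh_deny_sources [threshold]
# Reads ipfw log lines on stdin and prints "count src_ip" for every source
# address denied on TCP/22 at least <threshold> times (default 25, as in
# the thread), most active first. Accepts and non-TCP denies are ignored.
ssh_deny_sources() {
    threshold="${1:-25}"
    awk -v min="$threshold" '
        /ipfw: [0-9]+ Deny TCP / {
            # Locate the "ipfw:" token so syslog prefix length does not matter;
            # the layout after it is RULE ACTION PROTO SRC:PORT DST:PORT ...
            for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
            src = $(i + 4); dst = $(i + 5)
            n = split(dst, d, ":")
            if (d[n] != "22") next          # only the ssh port
            sub(/:[0-9]+$/, "", src)        # strip the source port
            hits[src]++
        }
        END {
            for (ip in hits) if (hits[ip] >= min) print hits[ip], ip
        }' | sort -rn
}

# Typical use on a FreeBSD box: ssh_deny_sources 25 < /var/log/security
printf '%s\n' "$SAMPLE_LOG" | ssh_deny_sources 3
```

Because the count is per source address rather than per rule, it stays meaningful even when the rule's own log limit has been raised to 100 as suggested above.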