Date: Thu, 21 Aug 2008 13:31:00 -0700
From: Julian Elischer <julian@elischer.org>
To: Kevin Oberman <oberman@es.net>
Cc: Mikhail Teterin <mi+mill@aldan.algebra.com>, freebsd-stable@FreeBSD.org, freebsd-security@freebsd.org
Subject: Re: machine hangs on occasion - correlated with ssh break-in attempts
Message-ID: <48ADD084.9070707@elischer.org>
In-Reply-To: <20080821184947.BDAE94500F@ptavv.es.net>
References: <20080821184947.BDAE94500F@ptavv.es.net>
Kevin Oberman wrote:
>> Date: Thu, 21 Aug 2008 13:38:38 -0400
>> From: Mikhail Teterin <mi+mill@aldan.algebra.com>
>> Sender: owner-freebsd-stable@freebsd.org
>>
>> Hello!
>>
>> A machine I manage remotely for a friend comes under a distributed ssh
>> break-in attack every once in a while. Annoyed (and alarmed) by the
>> messages like:
>>
>> Aug 12 10:21:17 symbion sshd[4333]: Invalid user mythtv from 85.234.158.180
>> Aug 12 10:21:18 symbion sshd[4335]: Invalid user mythtv from 85.234.158.180
>> Aug 12 10:21:20 symbion sshd[4337]: Invalid user mythtv from 85.234.158.180
>> Aug 12 10:21:21 symbion sshd[4339]: Invalid user mythtv from 85.234.158.180
>>
>> I wrote an awk-script, which adds a block of the attacking IP-address to
>> the ipfw-rules after three such "invalid user" attempts with:
>>
>> ipfw add 550 deny ip from ip
>>
>> The script is fed by syslogd directly -- through a syslog.conf rule
>> ("|/opt/sbin/auth-log-watch").
>>
>> Once in a while I manually flush these rules... Is this a good (safe)
>> reaction?
>> I'm asking, because the machine (currently running 7.0 as of July 7)
>> hangs solid once every few weeks... My only guess is that a spike in
>> attacks causes "too many" ipfw-entries created, which paralyzes the
>> kernel due to some bug -- the machine is running natd and is the gateway
>> for the rest of the network...
>> The hangs could, of course, be caused by something else entirely, but my
>> self-defense mechanism is my first suspect...
>>
>> Any comments? Thanks!

also, if you do this, have a single rule that uses a table and add the
addresses to the table.

> Looks remarkably like sshguard (ports/security/sshguard-*). It does almost
> exactly what you are doing but is written in C and has command-line
> switches to set how long a system is blocked, how many attempts
> constitute an attack and how long it should remember failed attempts.
> It also allows the use of back-end scripts if you want it to do something
> else such as generate reports (beyond an entry in /var/log/messages).
>
> As far as the hangs, I don't believe it is from the large number of
> brute force attempts as they will stop for a given host as soon as the
> firewall is updated. I seldom see more than a handful of attack sources
> over any short period.
>
> Should you want to continue with your own tool, at least for IPv4,
> consider using tables rather than a raft of rules. With tables, you need
> only a single rule and it is there at boot time.
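The following is an added example (not Mikhail's auth-log-watch script and not sshguard) showing the table-based layout that Julian and Kevin recommend: one fixed deny rule that consults an ipfw table, and a syslog-fed watcher that only adds addresses to that table once a source reaches the attempt threshold. The table number (1), rule number (550), threshold (3) and the `IPFW=echo` dry-run default are assumptions for illustration; the sample log lines are constructed for the demo.

```sh
#!/bin/sh
# Added example, not the original poster's script or the sshguard port.
# Counts sshd "Invalid user" lines per source address and, at a threshold,
# adds the address to a single ipfw table instead of adding a deny rule per
# offender. Assumed values (not from the thread): table 1, rule 550,
# 3 attempts, and IPFW=echo so the script is a dry run by default.

THRESHOLD=${THRESHOLD:-3}
TABLE=${TABLE:-1}
RULE=${RULE:-550}
IPFW=${IPFW:-echo}           # set IPFW=/sbin/ipfw on a real gateway

# One-time setup: the single rule that consults the table. Put this in the
# boot-time firewall script; afterwards only the table contents change.
setup_rule() {
    $IPFW add "$RULE" deny ip from "table($TABLE)" to any
}

# Read sshd log lines on stdin (e.g. from a syslog.conf pipe) and print each
# source address the first time it reaches THRESHOLD "Invalid user" attempts.
# Only dotted-quad IPv4 addresses are accepted; anything else is ignored
# rather than passed to ipfw.
offenders() {
    awk -v n="$THRESHOLD" '
        /sshd\[[0-9]+\]: Invalid user / {
            ip = $NF
            if (ip !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next
            if (++count[ip] == n) { print ip; fflush() }
        }'
}

# Add each offender to the table. Adding an address that is already present
# makes ipfw fail, which is harmless here, so that status is ignored.
block() {
    offenders | while read -r ip; do
        $IPFW table "$TABLE" add "$ip" || true
    done
}

# Constructed sample input for the demo: four attempts from one address,
# one unrelated successful login, and one attempt from a second address.
SAMPLE_LOG='Aug 12 10:21:17 symbion sshd[4333]: Invalid user mythtv from 85.234.158.180
Aug 12 10:21:18 symbion sshd[4335]: Invalid user mythtv from 85.234.158.180
Aug 12 10:21:19 symbion sshd[4336]: Accepted publickey for alice from 10.0.0.5 port 5000 ssh2
Aug 12 10:21:20 symbion sshd[4337]: Invalid user mythtv from 85.234.158.180
Aug 12 10:21:21 symbion sshd[4339]: Invalid user mythtv from 85.234.158.180
Aug 12 10:21:22 symbion sshd[4340]: Invalid user admin from 192.0.2.7'

# Dry-run demo: prints the ipfw commands that would be executed.
demo() {
    setup_rule
    printf '%s\n' "$SAMPLE_LOG" | block
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run with `--demo` to see the two commands the watcher would issue (the rule once, then a single `table 1 add` for the address that hit the threshold; the second address stops at one attempt and is never blocked). Because the deny rule is static, periodic cleanup is `ipfw table 1 flush` rather than deleting rules one by one, and the rule count stays constant no matter how many sources are blocked.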