From owner-freebsd-questions@FreeBSD.ORG Mon Feb 6 17:05:00 2006
X-Original-To: freebsd-questions@freebsd.org
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0230416A420 for ; Mon, 6 Feb 2006 17:05:00 +0000 (GMT) (envelope-from kdk@daleco.biz)
Received: from ezekiel.daleco.biz (southernuniform.com [66.76.92.18]) by mx1.FreeBSD.org (Postfix) with ESMTP id 750F343D45 for ; Mon, 6 Feb 2006 17:04:59 +0000 (GMT) (envelope-from kdk@daleco.biz)
Received: from [192.168.2.2] ([69.27.149.254]) by ezekiel.daleco.biz (8.13.1/8.13.1) with ESMTP id k16H3nDp021307; Mon, 6 Feb 2006 11:04:10 -0600 (CST) (envelope-from kdk@daleco.biz)
Message-ID: <43E7816B.7040300@daleco.biz>
Date: Mon, 06 Feb 2006 11:03:39 -0600
From: Kevin Kinsey
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.7.12) Gecko/20060127
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Brad Gilmer
References: <20060206162304.GA83056@gilmer.org>
In-Reply-To: <20060206162304.GA83056@gilmer.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: freebsd-questions@freebsd.org
Subject: Re: sshd possible breakin attempt messages
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
X-List-Received-Date: Mon, 06 Feb 2006 17:05:00 -0000

Brad Gilmer wrote:

>Hello all,
>
>I guess one of the banes of our existence as Sys Admins
>is that people are always pounding away at our systems
>trying to break in. Lately, I have been getting hit
>with several hundred of the messages below per day in my
>security report output...
>
>gilmer.org login failures:
>Feb 5 11:18:17 gilmer sshd[78078]: reverse mapping checking getaddrinfo for 206-171-37-232.ded.pacbell.net failed - POSSIBLE BREAKIN ATTEMPT!
>Feb 5 11:18:18 gilmer sshd[78080]: reverse mapping checking getaddrinfo for 206-171-37-232.ded.pacbell.net failed - POSSIBLE BREAKIN ATTEMPT!
>Feb 5 11:18:20 gilmer sshd[78082]: reverse mapping checking getaddrinfo for 206-171-37-232.ded.pacbell.net failed - POSSIBLE BREAKIN ATTEMPT!
>
>I am running FreeBSD 5.4 RELEASE, and right now this
>box is not a production machine, but I am going to be
>taking it live fairly soon. Questions:
>
>1) Is there anything I should be doing to thwart this particular attack?

IANAE on security, but there are several possibilities. Here are a
couple of ideas from my deadbeat security brain:

1. Edit /etc/ssh/sshd_config and make sure that only the right users
   and such are allowed to log in, and via the right methods.

2. If the situation allows, you can wrap sshd via /etc/hosts.allow to
   only allow logins from certain IP addresses (i.e., wherever you
   intend to admin this box from).

Note that, as I mentioned, IANAE, and there are plenty of other
"higher level" security actions that can be taken to secure a box from
attack. Maybe some less-newbie-than-me guru will step up to the plate
on that; maybe not.

>2) Given that I am on 5.4, should I upgrade my sshd or do anything else
>at this point to make sure my machine is as secure as possible?

Checking the advisories at the freebsd.org web site, and continuing to
track RELENG_5_4 with cvsup/buildworld, etc. to stay up to date, is a
good starting point.

>3) (Meta-question) - Should I upgrade to 6.0 before I go live to be
>sure I am in the best possible security situation going forward?
>Should I wait until 6.1 for bug fixes (generally I am opposed to n.0 anything).

Meta-answer, if possible from an idiot like me: 6.0 is actually a very
notable exception to the "don't grab the zero release" rule in my case.
YMMV, of course. Last week I upgraded my last 5.X boxen to 6.X, and I
don't plan on looking back!

Now, if I could just find time to backup/reinstall that 4.X boxen
that's locked up so far away!!!

>Thanks
>Brad

You're welcome.

Kevin Kinsey

--
<< WAIT >>
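The following is an added example, not code from either poster or from the FreeBSD project. It does three things the thread talks about: it counts the "reverse mapping checking getaddrinfo ... failed" lines from a security report by client name (sshd emits that line when the client's PTR name does not resolve back to the connecting address, so the useful signal is the volume per client, not the message itself), it flags sshd_config settings that still leave "who may log in, and how" at the permissive defaults of the time, and it renders the /etc/hosts.allow rules Kevin's second point describes. The option names (PermitRootLogin, PasswordAuthentication, AllowUsers/AllowGroups) are real OpenSSH options, but which ones to check is this example's choice; the sample report lines beyond the three quoted above, the host name host.example.invalid, and all addresses are constructed; the hosts.allow part assumes sshd is linked with tcp_wrappers, as FreeBSD's base sshd was at the time.

```python
import re
from collections import Counter

# Constructed sample input: the three lines quoted in Brad's report plus two
# constructed lines (a second, made-up client and an ordinary password failure).
SAMPLE_REPORT = """\
Feb 5 11:18:17 gilmer sshd[78078]: reverse mapping checking getaddrinfo for 206-171-37-232.ded.pacbell.net failed - POSSIBLE BREAKIN ATTEMPT!
Feb 5 11:18:18 gilmer sshd[78080]: reverse mapping checking getaddrinfo for 206-171-37-232.ded.pacbell.net failed - POSSIBLE BREAKIN ATTEMPT!
Feb 5 11:18:20 gilmer sshd[78082]: reverse mapping checking getaddrinfo for 206-171-37-232.ded.pacbell.net failed - POSSIBLE BREAKIN ATTEMPT!
Feb 5 11:19:02 gilmer sshd[78090]: reverse mapping checking getaddrinfo for host.example.invalid failed - POSSIBLE BREAKIN ATTEMPT!
Feb 5 11:19:05 gilmer sshd[78091]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
"""

# sshd logs this when the client's reverse (PTR) name does not resolve back to
# the connecting address. On its own it is a DNS mismatch, not proof of an
# attack; what matters is how many connections one client name racks up.
REVERSE_MAP_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: reverse mapping checking getaddrinfo for "
    r"(?P<client>\S+) failed"
)


def count_reverse_mapping_failures(report: str) -> Counter:
    """Return {client name: number of sshd connections that hit the warning}."""
    counts = Counter()
    for line in report.splitlines():
        m = REVERSE_MAP_RE.search(line)
        if m:
            counts[m.group("client")] += 1
    return counts


def sshd_config_findings(config_text: str) -> list:
    """Flag sshd_config settings left at the permissive defaults of the era.
    Which options to check is this example's choice (OpenSSH option names;
    'Key value' syntax assumed, comments and blank lines ignored)."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        parts = line.split(None, 1)
        settings[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    findings = []
    if settings.get("permitrootlogin", "yes") != "no":
        findings.append("PermitRootLogin is not 'no': root is a direct login target")
    if settings.get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication is not 'no': password guessing is possible")
    if "allowusers" not in settings and "allowgroups" not in settings:
        findings.append("no AllowUsers/AllowGroups: every local account may log in")
    return findings


def hosts_allow_rules(allowed_sources: list) -> str:
    """Render /etc/hosts.allow lines that admit sshd connections only from the
    given sources (single addresses or dotted net/mask pairs) and deny the rest.
    Order matters: the first matching rule wins."""
    lines = ["sshd : %s : allow" % " ".join(allowed_sources), "sshd : ALL : deny"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for client, n in count_reverse_mapping_failures(SAMPLE_REPORT).most_common():
        print("%5d  %s" % (n, client))
    # Constructed sshd_config excerpt with the permissive settings still in place.
    print(sshd_config_findings("Port 22\n#PermitRootLogin no\nPasswordAuthentication yes\n"))
    # Constructed allow list: the admin's LAN plus one external address.
    print(hosts_allow_rules(["192.168.2.0/255.255.255.0", "203.0.113.7"]))
```

Run against a real daily security report, the first function gives a per-client count that is far easier to act on than several hundred identical lines; the hosts.allow output is meant to be reviewed and pasted in by hand, and the "sshd : ALL : deny" line only does its job if it comes after the allow line.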