From: Noel Jones
To: freebsd-questions@freebsd.org
Date: Mon, 6 Feb 2006 11:18:16 -0600
Subject: Re: sshd possible breakin attempt messages
In-Reply-To: <20060206162304.GA83056@gilmer.org>

On 2/6/06, Brad Gilmer wrote:
> Hello all,
>
> I guess one of the banes of our existence as Sys Admins is that people are always pounding away at our systems trying to break in. Lately, I have been getting hit with several hundred of the messages below per day in my security report output...
>
> gilmer.org login failures:
> Feb 5 11:18:17 gilmer sshd[78078]: reverse mapping checking getaddrinfo for 206-171-37-232.ded.pacbell.net failed - POSSIBLE BREAKIN ATTEMPT!
> Feb 5 11:18:18 gilmer sshd[78080]: reverse mapping checking getaddrinfo for 206-171-37-232.ded.pacbell.net failed - POSSIBLE BREAKIN ATTEMPT!
> Feb 5 11:18:20 gilmer sshd[78082]: reverse mapping checking getaddrinfo for 206-171-37-232.ded.pacbell.net failed - POSSIBLE BREAKIN ATTEMPT!
>
> I am running FreeBSD 5.4 RELEASE, and right now this box is not a production machine, but I am going to be taking it live fairly soon. Questions:
>
> 1) Is there anything I should be doing to thwart this particular attack?

The POSSIBLE BREAKIN ATTEMPT message is caused by a failed reverse DNS lookup, and will happen with legit logins too if you have no reverse DNS.

You can silence this particular message by adding to your /etc/ssh/sshd_config:

UseDNS no

To prevent attackers from hammering away at your server, try ports/security/bruteforceblocker.

Bruteforceblocker by default adds an abusive IP to a pf firewall blacklist, but can be very easily modified for IPFW or adding a null route.

> 2) Given that I am on 5.4, should I upgrade my sshd or do anything else at this point to make sure my machine is as secure as possible?

Just keep up with the version 5 security patches.

> 3) (Meta-question) - Should I upgrade to 6.0 before I go live to be sure I am in the best possible security situation going forward? Should I wait until 6.1 for bug fixes (generally I am opposed to n.0 anything).

Your call. Base your decision on what features you need.

--
Noel Jones
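The reply makes two points worth seeing in code: the reverse-DNS warning is noise that says nothing about whether a login was actually attempted, and a blocker like bruteforceblocker acts on repeated real authentication failures per source. The following added example (not from the thread or from bruteforceblocker) separates the two kinds of sshd lines and applies a simple per-source threshold; the three reverse-mapping lines are the ones quoted above, while the "Failed password" lines and the IPs in them are constructed samples in standard OpenSSH log format.

```python
import re
from collections import Counter

# Constructed sample log: the first three lines mirror the format quoted in
# the thread; the "Failed password" lines are constructed examples of real
# authentication failures, which the reverse-DNS warning does not represent.
SAMPLE_LOG = """\
Feb 5 11:18:17 gilmer sshd[78078]: reverse mapping checking getaddrinfo for 206-171-37-232.ded.pacbell.net failed - POSSIBLE BREAKIN ATTEMPT!
Feb 5 11:18:18 gilmer sshd[78080]: reverse mapping checking getaddrinfo for 206-171-37-232.ded.pacbell.net failed - POSSIBLE BREAKIN ATTEMPT!
Feb 5 11:18:20 gilmer sshd[78082]: reverse mapping checking getaddrinfo for 206-171-37-232.ded.pacbell.net failed - POSSIBLE BREAKIN ATTEMPT!
Feb 5 11:18:21 gilmer sshd[78082]: Failed password for invalid user admin from 192.0.2.10 port 40112 ssh2
Feb 5 11:18:23 gilmer sshd[78084]: Failed password for invalid user test from 192.0.2.10 port 40113 ssh2
Feb 5 11:18:25 gilmer sshd[78086]: Failed password for root from 192.0.2.10 port 40114 ssh2
Feb 5 11:20:02 gilmer sshd[78090]: Failed password for bob from 198.51.100.7 port 51000 ssh2
"""

REVERSE_DNS_RE = re.compile(
    r"sshd\[\d+\]: reverse mapping checking getaddrinfo for (\S+) failed")
FAILED_PW_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")


def classify(log_text):
    """Split sshd log lines into reverse-DNS noise and real auth failures.

    Returns (dns_warnings, auth_failures): dns_warnings counts the
    'POSSIBLE BREAKIN ATTEMPT' lines per unresolvable hostname (the message
    that 'UseDNS no' silences); auth_failures counts failed password
    attempts per source IP (what a brute-force blocker keys on).
    """
    dns_warnings = Counter()
    auth_failures = Counter()
    for line in log_text.splitlines():
        m = REVERSE_DNS_RE.search(line)
        if m:
            dns_warnings[m.group(1)] += 1
            continue
        m = FAILED_PW_RE.search(line)
        if m:
            auth_failures[m.group(2)] += 1
    return dns_warnings, auth_failures


def abusive_sources(auth_failures, threshold=3):
    """Sources at or above the threshold are what a blocker would blacklist."""
    return sorted(ip for ip, n in auth_failures.items() if n >= threshold)


if __name__ == "__main__":
    dns, auth = classify(SAMPLE_LOG)
    print("reverse-DNS warnings (silenced by 'UseDNS no'):", dict(dns))
    print("failed logins per source IP:", dict(auth))
    print("candidates for a pf table or null route:", abusive_sources(auth))
```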