From owner-freebsd-hackers@FreeBSD.ORG Sat Apr 24 13:46:49 2010
Message-ID: <4BD2F642.2050502@dataix.net>
Date: Sat, 24 Apr 2010 09:46:42 -0400
From: jhell
To: krad
Cc: Jeremy Lea, freebsd-hackers@freebsd.org, David Xu
Subject: Re: Distributed SSH attack

On 04/16/2010 05:18, krad wrote:
> On 16 April 2010 09:39, David Xu wrote:
>
>> Jeremy Lea wrote:
>>
>>> Hi,
>>>
>>> This is off topic to this list, but I don't want to subscribe to -chat
>>> just to post there... Someone is currently running a distributed SSH
>>> attack against one of my boxes - one attempted login for root every
>>> minute or so for the last 48 hours. They won't get anywhere, since the
>>> box in question has no root password, and doesn't allow root logins via
>>> SSH anyway...
>>>
>>> But I was wondering if there were any security researchers out there
>>> that might be interested in the +-800 IPs I've collected from the
>>> botnet? The resolvable hostnames mostly appear to be in Eastern Europe
>>> and South America - I haven't spotted any that might be 'findable' to
>>> get the botnet software.
>>>
>>> I could switch out the machine for a honeypot in a VM or a jail, by
>>> moving the host to a new IP, and if you can think of a way of allowing
>>> the next login to succeed with any password, then you could try to see
>>> what they delivered... But I don't have a lot of time to help.
>>>
>>> Regards,
>>> -Jeremy
>>>
>>>
>> Try to change the SSH port to something other than the default port 22.
>> I always did this for my machines, e.g. change them to 13579 :-)
>>
>> Regards,
>> David Xu
>> _______________________________________________
>> freebsd-hackers@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
>> To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org"
>>
>
> Don't allow password auth, tcp wrap it, and acl it with pf. Probably more
> stuff you can do. Think onions.

Not allowing password auth also means turning off PAM authentication for
logins with OpenSSH and has the resulting effect of utmp not being updated,
among other things. Be sure you want to go this route.

tcpwrap it? That is unneeded. The moment you start configuring hosts.allow
your system is going to be sending requests for ident. It's a bad idea with
all the other options that are available.

pf (GREAT IDEA!) I use the following, for example, on a home box to limit the
exposure to attacks.

    shports="ssh"

    # Note: the angle-bracketed table name was stripped when this mail was
    # archived; it is restored here as <blacklist>, matching the file name.
    table <blacklist> file "/etc/pf/tables/blacklist"

    ... some other rules ...

    # Anything already in the table is dropped before the pass rule below.
    block log quick from <blacklist> label "Blacklisted"

    .... some more rules ...

    # max-src-conn 5:         at most 5 simultaneous connections per source
    # max-src-conn-rate 15/30: at most 15 new connections per 30 s per source
    # overload <blacklist>:   a source exceeding either limit is added to the table
    # flush global:           and every existing state from that source is killed
    pass in log quick proto { tcp } from any port >1024 to any port \
        { $shports } label "SSH/Login:$dstport" keep state (max-src-conn \
        5, max-src-conn-rate 15/30, overload <blacklist> flush global)
    pass out all label "Implicit"

As soon as an offender violates this, they end up in the blacklist, which I
run a script on every 3 hours to save to the file listed in the table store
above:

http://tinyurl.com/29y4zdh

Good luck.

-- 
jhell
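The overload mechanism above only adds offenders to the in-kernel table; the `file "..."` clause is read when the ruleset is loaded, so a reboot or `pfctl -f /etc/pf.conf` replaces the table with whatever the file contained and silently drops every address overload added since the last save. That is the gap jhell's 3-hourly job closes. The script below is an added example, written for this page and not the script behind the tinyurl link, of how that save (and the reverse load) can be done with pfctl. It assumes the table is called `<blacklist>` and the file is `/etc/pf/tables/blacklist`, as in the rules above; both, and the `pfctl` binary, are overridable through the environment, and the cron line and install path in the header are illustrative.

```shell
#!/bin/sh
# pf-blacklist: persist pf's <blacklist> overload table to the file named in
# the `table <blacklist> file "..."` line, and push it back when needed.
# Added example for this thread (not jhell's script). Suggested cron entry
# (path is an assumption):
#   0 */3 * * * root /usr/local/sbin/pf-blacklist save
set -eu

TABLE="${TABLE:-blacklist}"                       # assumed table name
TABLE_FILE="${TABLE_FILE:-/etc/pf/tables/blacklist}"   # path from the mail
PFCTL="${PFCTL:-pfctl}"                           # overridable for testing

# merge_entries: read table entries on stdin (the file on disk, the output of
# `pfctl -T show`, or both), strip comments and whitespace, keep only lines
# that look like an IPv4/IPv6 address or CIDR prefix, and emit the
# de-duplicated, byte-sorted set. `pfctl -T replace -f` accepts this format.
merge_entries() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' |
    grep -E '^([0-9]{1,3}(\.[0-9]{1,3}){3}|[0-9A-Fa-f]*:[0-9A-Fa-f:]*)(/[0-9]{1,3})?$' |
    LC_ALL=C sort -u
}

# save_blacklist: union of what is already on disk and what the kernel table
# holds right now, written via a temporary file and renamed, so a ruleset
# reload that races with the cron job never reads a half-written file.
save_blacklist() {
    tmp="$(mktemp "${TABLE_FILE}.XXXXXX")"
    {
        [ -r "$TABLE_FILE" ] && cat "$TABLE_FILE"
        "$PFCTL" -t "$TABLE" -T show
    } | merge_entries > "$tmp"
    chmod 0644 "$tmp"
    mv -f "$tmp" "$TABLE_FILE"
}

# load_blacklist: replace the kernel table with the saved file without
# reloading the whole ruleset (e.g. from rc.local, or after hand-editing).
load_blacklist() {
    [ -r "$TABLE_FILE" ] || return 0
    "$PFCTL" -t "$TABLE" -T replace -f "$TABLE_FILE"
}

case "${1:-}" in
    save) save_blacklist ;;
    load) load_blacklist ;;
    *)    : ;;   # no subcommand: only define the functions (e.g. when sourced)
esac
```

Run `save` from cron and again by hand before any deliberate `pfctl -f` reload, since the reload re-reads the file. Check the result with `pfctl -t blacklist -T show` or `pfctl -t blacklist -T test <addr>`. Because the overload rule never removes anything, a table fed this way grows without bound and keeps blocking dynamic addresses long after the bot has moved on; `pfctl -t blacklist -T expire <seconds>` before the save ages out entries older than the given time and is a reasonable addition to the same cron job.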