Date:      Mon, 06 Feb 2006 21:23:40 +0100
From:      Kristian Vaaf <vaaf@broadpark.no>
To:        Kevin Kinsey <kdk@daleco.biz>, Brad Gilmer <bgilmer@gilmer.org>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: sshd possible breakin attempt messages
Message-ID:  <7.0.1.0.2.20060206212319.02116948@broadpark.no>
In-Reply-To: <43E7816B.7040300@daleco.biz>
References:  <20060206162304.GA83056@gilmer.org> <43E7816B.7040300@daleco.biz>

At 18:03 06.02.2006, Kevin Kinsey wrote:
>Brad Gilmer wrote:
>
>>Hello all,
>>
>>I guess one of the banes of our existence as Sys Admins is that 
>>people are always pounding away at our systems trying to break 
>>in.  Lately, I have been getting hit with several hundred of the 
>>messages below per day in my security report output...
>>
>>gilmer.org login failures:
>>Feb  5 11:18:17 gilmer sshd[78078]: reverse mapping checking 
>>getaddrinfo for 206-171-37-232.ded.pacbell.net failed - POSSIBLE 
>>BREAKIN ATTEMPT!
>>Feb  5 11:18:18 gilmer sshd[78080]: reverse mapping checking 
>>getaddrinfo for 206-171-37-232.ded.pacbell.net failed - POSSIBLE 
>>BREAKIN ATTEMPT!
>>Feb  5 11:18:20 gilmer sshd[78082]: reverse mapping checking 
>>getaddrinfo for 206-171-37-232.ded.pacbell.net failed - POSSIBLE 
>>BREAKIN ATTEMPT!
>>
>>I am running FreeBSD 5.4 RELEASE, and right now this box is not a 
>>production machine, but I am going to be taking it live fairly 
>>soon.  Questions:
>>
>>1)  Is there anything I should be doing to thwart this particular attack?
>>
>
>IANAE on security, but there are several possibilities.  Here are a couple
>ideas from my deadbeat security brain:
>
>     1.  edit /etc/ssh/sshd_config and make sure that only the right users
>          and such are allowed to login, and via the right methods.
>
>     2.  If the situation allows, you can wrap sshd via /etc/hosts.allow to
>          only allow logins from certain IP addresses (i.e., wherever you
>          intend to admin this box from).
>
>Note that, as I mentioned, IANAE, and there are plenty of other "higher
>level" security actions that can be taken to secure a box from attack.
>Maybe some less-newbie-than-me guru will step up to the plate on that;
>maybe not.
>
>>2)  Given that I am on 5.4, should I upgrade my sshd or do anything 
>>else at this point to make sure my machine is as secure as possible?
>>
>
>Check the advisories at the freebsd.org web site, and keep tracking
>RELENG_5_4 with cvsup/buildworld, etc. to stay up to date; that is a good
>starting point.
>
>>3)  (Meta-question) - Should I upgrade to 6.0 before I go live to 
>>be sure I am in the best possible security situation going forward?
>>Should I wait until 6.1 for bug fixes (generally I am opposed to 
>>n.0 anything).
>>
>>
>
>Meta-answer, if possible from an idiot like me:  6.0 is actually a very
>notable exception to the "don't grab the zero release" rule in my case.
>YMMV, of course.  Last week I upgraded my last 5.X boxen to 6.X, and
>I don't plan on looking back!  Now, if I could just find time to
>backup/reinstall that 4.X boxen that's locked up so far away!!!
>
>>Thanks
>>Brad
>>
>
>You're welcome.
>
>Kevin Kinsey

Sorry, but what is IANAE and YMMV?

Thank you!

Vaaf
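As an added example (not code from anyone in the thread), the two measures Kevin suggests above can be turned into checkable shell functions: an audit of sshd_config for the restrictions on who may log in and how, a generator for the /etc/hosts.allow lines that wrap sshd, and a summary of the "reverse mapping checking getaddrinfo ... failed" lines from Brad's report by source host. The policy the audit enforces (no root login, no password authentication, an explicit AllowUsers list), the 192.0.2.0/24 admin network, the config excerpts and the two extra log lines are all constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the thread. It implements the two measures
# Kevin suggests (restrict users/methods in sshd_config, wrap sshd via
# /etc/hosts.allow) as checkable shell functions, and summarises the
# "reverse mapping" lines from Brad's report by source host.
# The config excerpts, admin network and extra log lines are constructed.

# sample_sshd_config weak|hardened : prints a constructed sshd_config excerpt
sample_sshd_config() {
    if [ "$1" = "weak" ]; then
        cat <<'EOF'
Port 22
#PermitRootLogin no
PasswordAuthentication yes
EOF
    else
        cat <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers brad kevin@192.0.2.10
EOF
    fi
}

# audit_sshd_config FILE : one line per directive that does not match the
# (hypothetical) policy; silent when the file passes. sshd uses the first
# uncommented occurrence of a keyword, so the check does too.
audit_sshd_config() {
    f="$1"
    val() {
        awk -v k="$1" 'tolower($1) == tolower(k) && !seen { v = $2; seen = 1 }
                       END { print v }' "$f"
    }
    [ "$(val PermitRootLogin)" = "no" ]        || echo "PermitRootLogin should be no"
    [ "$(val PasswordAuthentication)" = "no" ] || echo "PasswordAuthentication should be no"
    [ -n "$(val AllowUsers)" ]                 || echo "AllowUsers is not set"
}

# hosts_allow_rules NET... : /etc/hosts.allow lines admitting sshd only from
# the given nets (classic net/mask form) and denying everything else.
hosts_allow_rules() {
    for net in "$@"; do
        printf 'sshd : %s : allow\n' "$net"
    done
    printf 'sshd : ALL : deny\n'
}

# sample_log : the three lines from Brad's report plus two constructed lines
sample_log() {
    cat <<'EOF'
Feb  5 11:18:17 gilmer sshd[78078]: reverse mapping checking getaddrinfo for 206-171-37-232.ded.pacbell.net failed - POSSIBLE BREAKIN ATTEMPT!
Feb  5 11:18:18 gilmer sshd[78080]: reverse mapping checking getaddrinfo for 206-171-37-232.ded.pacbell.net failed - POSSIBLE BREAKIN ATTEMPT!
Feb  5 11:18:20 gilmer sshd[78082]: reverse mapping checking getaddrinfo for 206-171-37-232.ded.pacbell.net failed - POSSIBLE BREAKIN ATTEMPT!
Feb  5 11:20:01 gilmer sshd[78090]: reverse mapping checking getaddrinfo for scanner.example.net failed - POSSIBLE BREAKIN ATTEMPT!
Feb  5 11:21:30 gilmer sshd[78095]: Accepted publickey for brad from 192.0.2.10 port 40122 ssh2
EOF
}

# summarize_reverse_mapping < LOG : "count host" per failing reverse lookup,
# busiest first, so hundreds of lines collapse to a short list of sources.
summarize_reverse_mapping() {
    awk '/reverse mapping checking getaddrinfo for/ {
             for (i = 1; i < NF; i++) if ($i == "for") { count[$(i + 1)]++; break }
         }
         END { for (h in count) print count[h], h }' | sort -rn
}

# Demo when run directly.
tmp=$(mktemp)
sample_sshd_config weak > "$tmp"
echo "== weak config =="; audit_sshd_config "$tmp"
sample_sshd_config hardened > "$tmp"
echo "== hardened config =="; audit_sshd_config "$tmp"
rm -f "$tmp"
echo "== hosts.allow =="; hosts_allow_rules 192.0.2.0/255.255.255.0
echo "== reverse-mapping sources =="; sample_log | summarize_reverse_mapping
```

The reverse-mapping warning itself only says that the client's address has no PTR record resolving back to it, which is common for dynamic and poorly maintained address space; on its own it is noise, and the summary is there to show which sources are generating it and how much. The hosts.allow wrapper applies to the FreeBSD 5.x sshd of the thread, which was built with tcp_wrappers; upstream OpenSSH later removed tcp_wrappers support, so on a current system the same restriction belongs in a packet filter or in sshd_config (AllowUsers with user@host patterns, or a Match Address block) instead.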