From: Kristian Vaaf <vaaf@broadpark.no>
To: Kevin Kinsey, Brad Gilmer
Cc: freebsd-questions@freebsd.org
Date: Mon, 06 Feb 2006 21:23:40 +0100
Subject: Re: sshd possible breakin attempt messages
In-reply-to: <43E7816B.7040300@daleco.biz>
Message-id: <7.0.1.0.2.20060206212319.02116948@broadpark.no>
References: <20060206162304.GA83056@gilmer.org> <43E7816B.7040300@daleco.biz>

At 18:03 06.02.2006, Kevin Kinsey wrote:
>Brad Gilmer wrote:
>
>>Hello all,
>>
>>I guess one of the banes of our existence as Sys Admins is that
>>people are always pounding away at our systems trying to break
>>in. Lately, I have been getting hit with several hundred of the
>>messages below per day in my security report output...
>>
>>gilmer.org login failures:
>>Feb 5 11:18:17 gilmer sshd[78078]: reverse mapping checking
>>getaddrinfo for 206-171-37-232.ded.pacbell.net failed - POSSIBLE
>>BREAKIN ATTEMPT!
>>Feb 5 11:18:18 gilmer sshd[78080]: reverse mapping checking
>>getaddrinfo for 206-171-37-232.ded.pacbell.net failed - POSSIBLE
>>BREAKIN ATTEMPT!
>>Feb 5 11:18:20 gilmer sshd[78082]: reverse mapping checking
>>getaddrinfo for 206-171-37-232.ded.pacbell.net failed - POSSIBLE
>>BREAKIN ATTEMPT!
>>
>>I am running FreeBSD 5.4 RELEASE, and right now this box is not a
>>production machine, but I am going to be taking it live fairly
>>soon. Questions:
>>
>>1) Is there anything I should be doing to thwart this particular attack?
>>
>
>IANAE on security, but there are several possibilities. Here are a couple
>ideas from my deadbeat security brain:
>
> 1. edit /etc/ssh/sshd_config and make sure that only the right users
> and such are allowed to login, and via the right methods.
>
> 2. If the situation allows, you can wrap sshd via /etc/hosts.allow to
> only allow logins from certain IP addresses (i.e., wherever you
> intend to admin this box from).
>
>Note that, as I mentioned, IANAE, and there are plenty of other "higher
>level" security actions that can be taken to secure a box from attack.
>Maybe some less-newbie-than-me guru will step up to the plate on that;
>maybe not.
>
>>2) Given that I am on 5.4, should I upgrade my sshd or do anything
>>else at this point to make sure my machine is as secure as possible?
>>
>
>Checking the advisories at the freebsd.org web site, and keeping tracking
>RELENG_5_4 with cvsup/buildworld, etc. to stay up to date, is a good
>starting point.
>
>>3) (Meta-question) - Should I upgrade to 6.0 before I go live to
>>be sure I am in the best possible security situation going forward?
>>Should I wait until 6.1 for bug fixes (generally I am opposed to
>>n.0 anything).
>>
>>
>
>Meta-answer, if possible from an idiot like me: 6.0 is actually a very
>notable exception to the "don't grab the zero release" rule in my case.
>YMMV, of course. Last week I upgraded my last 5.X boxen to 6.X, and
>I don't plan on looking back! Now, if I could just find time to
>backup/reinstall that 4.X boxen that's locked up so far away!!!
>
>>Thanks
>>Brad
>>
>
>You're welcome.
>
>Kevin Kinsey

Sorry, but what is IANAE and YMMV?

Thank you!
Vaaf
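An added example, not part of the thread: the "reverse mapping checking getaddrinfo ... failed" line that Brad's daily report is full of only means the connecting address has a PTR record that does not resolve forward to the same address, which is common with dial-up and hosting pools and is not by itself an attack. A password-guessing run shows up as "Invalid user" and "Failed password" lines from the same source. The script below parses a FreeBSD-style security report and separates the two, so that the reverse-mapping noise can be ignored and the real guessing sources surface. The sample lines reuse the three from Brad's post and add constructed "Invalid user", "Failed password" and "Accepted publickey" lines; the hosts 198.51.100.7 and 192.0.2.10 are made-up documentation addresses, and the threshold of five failures is an arbitrary choice.

```python
import re
from collections import Counter, defaultdict

# Regexes for the three sshd messages that make up most of a FreeBSD
# "login failures" report. The message texts are OpenSSH's; the regexes
# are ours. OpenSSH 3.x logged "BREAKIN", later releases log "BREAK-IN"
# and append the address in brackets, so both forms are accepted.
REVERSE_MAP_RE = re.compile(
    r"sshd\[\d+\]: reverse mapping checking getaddrinfo for (?P<host>\S+)"
    r"(?: \[[^\]]+\])? failed - POSSIBLE BREAK-?IN ATTEMPT!"
)
FAILED_PW_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<host>\S+) port \d+"
)
INVALID_USER_RE = re.compile(
    r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<host>\S+)"
)

# Constructed sample report: the first three lines are Brad's, the rest
# are invented to show what an actual guessing run and a good login look like.
SAMPLE_LOG = """\
Feb  5 11:18:17 gilmer sshd[78078]: reverse mapping checking getaddrinfo for 206-171-37-232.ded.pacbell.net failed - POSSIBLE BREAKIN ATTEMPT!
Feb  5 11:18:18 gilmer sshd[78080]: reverse mapping checking getaddrinfo for 206-171-37-232.ded.pacbell.net failed - POSSIBLE BREAKIN ATTEMPT!
Feb  5 11:18:20 gilmer sshd[78082]: reverse mapping checking getaddrinfo for 206-171-37-232.ded.pacbell.net failed - POSSIBLE BREAKIN ATTEMPT!
Feb  5 11:18:21 gilmer sshd[78084]: Invalid user oracle from 198.51.100.7
Feb  5 11:18:21 gilmer sshd[78084]: Failed password for invalid user oracle from 198.51.100.7 port 40211 ssh2
Feb  5 11:18:23 gilmer sshd[78086]: Invalid user test from 198.51.100.7
Feb  5 11:18:23 gilmer sshd[78086]: Failed password for invalid user test from 198.51.100.7 port 40240 ssh2
Feb  5 11:18:25 gilmer sshd[78088]: Failed password for root from 198.51.100.7 port 40268 ssh2
Feb  5 11:19:02 gilmer sshd[78090]: Accepted publickey for brad from 192.0.2.10 port 51022 ssh2
"""


def classify(line):
    """Return (kind, host, user) for a recognised sshd line, else None."""
    m = REVERSE_MAP_RE.search(line)
    if m:
        return ("reverse_map", m.group("host"), None)
    m = FAILED_PW_RE.search(line)
    if m:
        return ("failed_password", m.group("host"), m.group("user"))
    m = INVALID_USER_RE.search(line)
    if m:
        return ("invalid_user", m.group("host"), m.group("user"))
    return None


def summarize(lines):
    """Count each message kind per source host."""
    per_host = defaultdict(Counter)
    for line in lines:
        hit = classify(line)
        if hit:
            kind, host, _ = hit
            per_host[host][kind] += 1
    return per_host


def brute_force_sources(per_host, threshold=5):
    """Hosts with at least `threshold` real authentication failures.
    reverse_map entries are deliberately not counted: they only say the
    source's PTR record does not resolve back to its address."""
    return sorted(
        h for h, c in per_host.items()
        if c["failed_password"] + c["invalid_user"] >= threshold
    )


def reverse_map_only(per_host):
    """Hosts that produced nothing but reverse-mapping warnings."""
    return sorted(
        h for h, c in per_host.items()
        if c["reverse_map"] and not (c["failed_password"] or c["invalid_user"])
    )


def report(text, threshold=5):
    """Classify a whole report; the caller decides what to do with each list."""
    per_host = summarize(text.splitlines())
    return {
        "brute_force": brute_force_sources(per_host, threshold),
        "reverse_map_only": reverse_map_only(per_host),
        "counts": {h: dict(c) for h, c in per_host.items()},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(report(SAMPLE_LOG), indent=2))
```

Run against the sample, 206-171-37-232.ded.pacbell.net lands in `reverse_map_only` and 198.51.100.7 in `brute_force`. The sources that end up in `brute_force` are the ones worth acting on, and Kevin's second suggestion is the cheapest way to do so on a box that is only administered from known addresses: FreeBSD's sshd honours /etc/hosts.allow, so an entry such as `sshd : 192.0.2.10 : allow` followed by `sshd : ALL : deny` (the admin address is a placeholder) refuses every other source before authentication starts, which also stops the reverse-mapping lines from those sources.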