From owner-freebsd-questions@FreeBSD.ORG Mon Feb 6 20:35:42 2006
From: Mike Jeays
To: Kristian Vaaf
Cc: Brad Gilmer, freebsd-questions@freebsd.org
Subject: Re: sshd possible breakin attempt messages
Date: Mon, 06 Feb 2006 15:35:33 -0500
Message-Id: <1139258133.6730.70.camel@chaucer.jeays.ca>
In-Reply-To: <7.0.1.0.2.20060206212319.02116948@broadpark.no>
References: <20060206162304.GA83056@gilmer.org> <43E7816B.7040300@daleco.biz> <7.0.1.0.2.20060206212319.02116948@broadpark.no>
X-Mailer: Evolution 2.4.2.1 FreeBSD GNOME Team Port

On Mon, 2006-02-06 at 21:23 +0100, Kristian Vaaf wrote:
> At 18:03 06.02.2006, Kevin Kinsey wrote:
> >Brad Gilmer wrote:
> >
> >>Hello all,
> >>
> >>I guess one of the banes of our existence as Sys Admins is that
> >>people are always pounding away at our systems trying to break
> >>in. Lately, I have been getting hit with several hundred of the
> >>messages below per day in my security report output...
> >>
> >>gilmer.org login failures:
> >>Feb 5 11:18:17 gilmer sshd[78078]: reverse mapping checking
> >>getaddrinfo for 206-171-37-232.ded.pacbell.net failed - POSSIBLE
> >>BREAKIN ATTEMPT!
> >>Feb 5 11:18:18 gilmer sshd[78080]: reverse mapping checking
> >>getaddrinfo for 206-171-37-232.ded.pacbell.net failed - POSSIBLE
> >>BREAKIN ATTEMPT!
> >>Feb 5 11:18:20 gilmer sshd[78082]: reverse mapping checking
> >>getaddrinfo for 206-171-37-232.ded.pacbell.net failed - POSSIBLE
> >>BREAKIN ATTEMPT!
> >>
> >>I am running FreeBSD 5.4 RELEASE, and right now this box is not a
> >>production machine, but I am going to be taking it live fairly
> >>soon. Questions:
> >>
> >>1) Is there anything I should be doing to thwart this particular attack?
> >>
> >
> >IANAE on security, but there are several possibilities. Here are a couple
> >of ideas from my deadbeat security brain:
> >
> > 1. edit /etc/ssh/sshd_config and make sure that only the right users
> > and such are allowed to login, and via the right methods.
> >
> > 2. If the situation allows, you can wrap sshd via /etc/hosts.allow to
> > only allow logins from certain IP addresses (i.e., wherever you
> > intend to admin this box from).
> >
> >Note that, as I mentioned, IANAE, and there are plenty of other "higher
> >level" security actions that can be taken to secure a box from attack.
> >Maybe some less-newbie-than-me guru will step up to the plate on that;
> >maybe not.
> >
> >>2) Given that I am on 5.4, should I upgrade my sshd or do anything
> >>else at this point to make sure my machine is as secure as possible?
> >>
> >
> >Checking the advisories at the freebsd.org web site, and tracking
> >RELENG_5_4 with cvsup/buildworld, etc. to stay up to date, is a good
> >starting point.
> >
> >>3) (Meta-question) - Should I upgrade to 6.0 before I go live to
> >>be sure I am in the best possible security situation going forward?
> >>Should I wait until 6.1 for bug fixes (generally I am opposed to
> >>n.0 anything).
> >>
> >>
> >
> >Meta-answer, if possible from an idiot like me: 6.0 is actually a very
> >notable exception to the "don't grab the zero release" rule in my case.
> >YMMV, of course. Last week I upgraded my last 5.X boxen to 6.X, and
> >I don't plan on looking back! Now, if I could just find time to
> >backup/reinstall that 4.X boxen that's locked up so far away!!!
> >
> >>Thanks
> >>Brad
> >>
> >
> >You're welcome.
> >
> >Kevin Kinsey
>
> Sorry, but what is IANAE and YMMV?
>
> Thank you!
>
> Vaaf

-- 
Mike Jeays
http://ca.geocities.com/mike.jeays@rogers.com

IANAE = "I am not an expert"
YMMV = "Your mileage may vary" - an over-used disclaimer in car advertisements.
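A defender-side companion to the thread above, added here as an example and not code from the thread, from FreeBSD or from OpenSSH: a POSIX sh script that tallies the `reverse mapping checking getaddrinfo ... failed` lines Brad quotes per source host (sshd logs that message when the client's PTR name does not resolve back to the connecting address, so a per-host tally shows whether the noise comes from a few persistent sources or from many), audits an sshd_config for the restrictions Kevin's first suggestion asks for (named users only, key-based authentication, no root login), and prints the /etc/hosts.allow fragment for his second suggestion. The sample log extends the three quoted lines with a constructed second host and a constructed successful login; the two sshd_config excerpts are constructed; the 192.0.2.0/24 admin network is a placeholder; and it is assumed that the sshd in question is built with tcp_wrappers support so that /etc/hosts.allow applies to it.

```shell
#!/bin/sh
# Added example, not code from the thread. Two defender-side helpers for the
# situation described: tally the "reverse mapping checking ... failed" lines
# per host, and audit an sshd_config against the suggested restrictions.

# Constructed sample log: the three lines quoted in the thread plus a made-up
# second host and one unrelated successful login.
SAMPLE_LOG='Feb  5 11:18:17 gilmer sshd[78078]: reverse mapping checking getaddrinfo for 206-171-37-232.ded.pacbell.net failed - POSSIBLE BREAKIN ATTEMPT!
Feb  5 11:18:18 gilmer sshd[78080]: reverse mapping checking getaddrinfo for 206-171-37-232.ded.pacbell.net failed - POSSIBLE BREAKIN ATTEMPT!
Feb  5 11:18:20 gilmer sshd[78082]: reverse mapping checking getaddrinfo for 206-171-37-232.ded.pacbell.net failed - POSSIBLE BREAKIN ATTEMPT!
Feb  5 11:19:02 gilmer sshd[78090]: reverse mapping checking getaddrinfo for host.example.invalid failed - POSSIBLE BREAKIN ATTEMPT!
Feb  5 11:19:05 gilmer sshd[78091]: Accepted publickey for brad from 192.0.2.10 port 40000 ssh2'

# Tally reverse-mapping failures per offending hostname, most frequent first.
# Reads syslog lines on stdin; prints "count hostname", one line per host.
count_reverse_map_failures() {
    awk '/sshd\[[0-9]+\]: reverse mapping checking getaddrinfo for .* failed/ {
            for (i = 1; i <= NF; i++)
                if ($i == "for") { n[$(i + 1)]++; break }
         }
         END { for (h in n) print n[h], h }' | sort -rn
}

# Audit an sshd_config (path in $1). sshd honours the first occurrence of a
# keyword, treats lines starting with "#" as comments, and applies anything
# after a "Match" line conditionally, so the scan mirrors that: first value
# wins, stop at the first Match. Prints one "ok"/"FAIL" line per check and
# returns 1 if any check fails.
audit_sshd_config() {
    awk '
        /^[[:space:]]*#/ { next }                  # comment line
        NF == 0 { next }                           # blank line
        tolower($1) == "match" { exit }            # END still runs after exit
        { k = tolower($1); if (!(k in val)) val[k] = $2 }
        END {
            n = split("permitrootlogin passwordauthentication challengeresponseauthentication pubkeyauthentication", keys, " ")
            want["permitrootlogin"] = "no"
            want["passwordauthentication"] = "no"
            want["challengeresponseauthentication"] = "no"
            want["pubkeyauthentication"] = "yes"
            bad = 0
            for (i = 1; i <= n; i++) {
                k = keys[i]
                if (k in val && tolower(val[k]) == want[k]) {
                    print "ok   " k " = " val[k]
                } else {
                    print "FAIL " k ": want " want[k] ", have " ((k in val) ? val[k] : "<unset>")
                    bad++
                }
            }
            # AllowUsers has no single right value; it only has to be present
            if ("allowusers" in val) print "ok   allowusers is set"
            else { print "FAIL allowusers not set: every account may attempt a login"; bad++ }
            exit (bad > 0 ? 1 : 0)
        }' "$1"
}

# tcp_wrappers fragment for the second suggestion. $1 is the admin network;
# 192.0.2.0/24 is an assumed placeholder. Assumes sshd consults
# /etc/hosts.allow, where the first matching rule wins.
hosts_allow_fragment() {
    printf 'sshd : %s : allow\nsshd : ALL : deny\n' "${1:-192.0.2.0/255.255.255.0}"
}

# Constructed sshd_config excerpts: one close to the permissive defaults of
# the era (root login and password auth left enabled), one tightened.
LOOSE_CONFIG='#PermitRootLogin yes
PasswordAuthentication yes
Subsystem sftp /usr/libexec/sftp-server'
TIGHT_CONFIG='PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowUsers brad admin
Subsystem sftp /usr/libexec/sftp-server'

# Stand-alone demonstration when run as a script.
echo "== reverse-mapping failures per host =="
printf '%s\n' "$SAMPLE_LOG" | count_reverse_map_failures
loose=$(mktemp); printf '%s\n' "$LOOSE_CONFIG" > "$loose"
tight=$(mktemp); printf '%s\n' "$TIGHT_CONFIG" > "$tight"
echo "== audit of the permissive config =="; audit_sshd_config "$loose" || echo "(needs work)"
echo "== audit of the tightened config =="; audit_sshd_config "$tight" || echo "(needs work)"
rm -f "$loose" "$tight"
echo "== /etc/hosts.allow fragment =="
hosts_allow_fragment
```

Run it with `sh` to see the tally and both audits, or point `audit_sshd_config` at a real /etc/ssh/sshd_config. ChallengeResponseAuthentication is the keyword of the OpenSSH releases of that period; a current sshd spells the same setting KbdInteractiveAuthentication, so the audit would need that keyword added for modern hosts.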