Date: Sat, 24 Apr 2010 23:07:22 +0100 From: krad <kraduk@googlemail.com> To: jhell <jhell@dataix.net> Cc: Jeremy Lea <reg@freebsd.org>, freebsd-hackers@freebsd.org, David Xu <davidxu@freebsd.org> Subject: Re: Distributed SSH attack Message-ID: <r2zd36406631004241507p53393c90ma844813b5b9d2aad@mail.gmail.com> In-Reply-To: <4BD2F642.2050502@dataix.net> References: <20091002201039.GA53034@flint.openpave.org> <4BC82259.90203@freebsd.org> <y2nd36406631004160218g6cfa65eq4958d957f7fc33a7@mail.gmail.com> <4BD2F642.2050502@dataix.net>
next in thread | previous in thread | raw e-mail | index | archive | help
On 24 April 2010 14:46, jhell <jhell@dataix.net> wrote: > On 04/16/2010 05:18, krad wrote: > > On 16 April 2010 09:39, David Xu <davidxu@freebsd.org> wrote: > > > >> Jeremy Lea wrote: > >> > >>> Hi, > >>> > >>> This is off topic to this list, but I dont want to subscribe to -chat > >>> just to post there... Someone is currently running a distributed SSH > >>> attack against one of my boxes - one attempted login for root every > >>> minute or so for the last 48 hours. They wont get anywhere, since the > >>> box in question has no root password, and doesn't allow root logins via > >>> SSH anyway... > >>> > >>> But I was wondering if there were any security researchers out there > >>> that might be interested in the +-800 IPs I've collected from the > >>> botnet? The resolvable hostnames mostly appear to be in Eastern Europe > >>> and South America - I haven't spotted any that might be 'findable' to > >>> get the botnet software. > >>> > >>> I could switch out the machine for a honeypot in a VM or a jail, by > >>> moving the host to a new IP, and if you can think of a way of allowing > >>> the next login to succeed with any password, then you could try to see > >>> what they delivered... But I don't have a lot of time to help. > >>> > >>> Regards, > >>> -Jeremy > >>> > >>> > >> Try to change SSH port to something other than default port 22, > >> I always did this for my machines, e.g, change them to 13579 :-) > >> > >> Regards, > >> David Xu > >> _______________________________________________ > >> freebsd-hackers@freebsd.org mailing list > >> http://lists.freebsd.org/mailman/listinfo/freebsd-hackers > >> To unsubscribe, send any mail to " > freebsd-hackers-unsubscribe@freebsd.org" > >> > > > > dont allow password auth, tcp wrap it, and acl it with pf. Probably more > > stuff you can do. Think onions > > Not allowing password auth also means turning off PAM authentication for > logins with openssh and has the resulting effect utmp not being updated > among other things. Be sure you want to go this route. > > tcpwrap it ? that is unneeded. The moment you start configuring > hosts.allow your system is going to be sending requests for ident. Its a > bad idea with all the other options that are available. > Not by default it doesnt. Even then ident wont happen to random hosts only ones you trust as you will be protected via pf/ipfw/iptables, its just their as a safety net. I did mention onions I thought.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?r2zd36406631004241507p53393c90ma844813b5b9d2aad>