From owner-freebsd-hackers@FreeBSD.ORG Sat Apr 24 22:07:25 2010
From: krad
To: jhell
Cc: Jeremy Lea, freebsd-hackers@freebsd.org, David Xu
Date: Sat, 24 Apr 2010 23:07:22 +0100
Subject: Re: Distributed SSH attack
In-Reply-To: <4BD2F642.2050502@dataix.net>
References: <20091002201039.GA53034@flint.openpave.org> <4BC82259.90203@freebsd.org> <4BD2F642.2050502@dataix.net>
List-Id: Technical Discussions relating to FreeBSD

On 24 April 2010 14:46, jhell wrote:
> On 04/16/2010 05:18, krad wrote:
> > On 16 April 2010 09:39, David Xu wrote:
> >
> >> Jeremy Lea wrote:
> >>
> >>> Hi,
> >>>
> >>> This is off topic to this list, but I don't want to subscribe to -chat
> >>> just to post there... Someone is currently running a distributed SSH
> >>> attack against one of my boxes - one attempted login for root every
> >>> minute or so for the last 48 hours. They won't get anywhere, since the
> >>> box in question has no root password, and doesn't allow root logins via
> >>> SSH anyway...
> >>>
> >>> But I was wondering if there were any security researchers out there
> >>> that might be interested in the +-800 IPs I've collected from the
> >>> botnet? The resolvable hostnames mostly appear to be in Eastern Europe
> >>> and South America - I haven't spotted any that might be 'findable' to
> >>> get the botnet software.
> >>>
> >>> I could switch out the machine for a honeypot in a VM or a jail, by
> >>> moving the host to a new IP, and if you can think of a way of allowing
> >>> the next login to succeed with any password, then you could try to see
> >>> what they delivered... But I don't have a lot of time to help.
> >>>
> >>> Regards,
> >>> -Jeremy
> >>>
> >>>
> >> Try to change SSH port to something other than default port 22,
> >> I always did this for my machines, e.g., change them to 13579 :-)
> >>
> >> Regards,
> >> David Xu
> >> _______________________________________________
> >> freebsd-hackers@freebsd.org mailing list
> >> http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
> >> To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org"
> >>
> >
> > Don't allow password auth, tcp wrap it, and ACL it with pf. Probably more
> > stuff you can do. Think onions.
>
> Not allowing password auth also means turning off PAM authentication for
> logins with openssh and has the resulting effect of utmp not being updated,
> among other things. Be sure you want to go this route.
>
> tcpwrap it? That is unneeded. The moment you start configuring
> hosts.allow your system is going to be sending requests for ident. It's a
> bad idea with all the other options that are available.
>

Not by default it doesn't. Even then ident won't happen to random hosts, only
ones you trust, as you will be protected via pf/ipfw/iptables; it's just there
as a safety net. I did mention onions, I thought.
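The pattern Jeremy describes (a root login attempt every minute or so, spread across several hundred hosts) is easy to miss with per-source rate limiting but obvious once sshd failures are aggregated by source address, and the resulting address list is exactly what krad's "ACL it with pf" needs as a table. The script below is an added example written for this thread, not code posted by any participant. The auth.log lines are constructed (RFC 5737 test addresses), the thresholds in `classify` are arbitrary starting points, and the pf table name `sshbrute` is an assumption.

```python
"""Aggregate failed sshd password logins by source address, label the
pattern (single-source brute force vs. distributed low-rate attack) and
emit a pf table file of the sources.

Added example for the freebsd-hackers thread; not code from the thread.
"""
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Constructed sample of FreeBSD /var/log/auth.log lines (syslog format, no year).
SAMPLE_LOG = """\
Apr 24 21:00:01 host sshd[4011]: Failed password for root from 198.51.100.7 port 40122 ssh2
Apr 24 21:01:03 host sshd[4015]: Failed password for root from 203.0.113.22 port 51100 ssh2
Apr 24 21:02:09 host sshd[4019]: Failed password for root from 198.51.100.91 port 33201 ssh2
Apr 24 21:03:12 host sshd[4023]: Failed password for root from 192.0.2.133 port 60012 ssh2
Apr 24 21:03:40 host sshd[4027]: Failed password for invalid user admin from 192.0.2.133 port 60013 ssh2
Apr 24 21:04:15 host sshd[4031]: Failed password for root from 203.0.113.250 port 44411 ssh2
Apr 24 21:05:17 host sshd[4035]: Accepted publickey for krad from 192.0.2.10 port 55000 ssh2
Apr 24 21:06:20 host sshd[4039]: Failed password for root from 198.51.100.7 port 40150 ssh2
"""

# Matches sshd's "Failed password for [invalid user] USER from ADDR port N" line.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_failures(log_text):
    """Return (timestamp, user, source_ip) for every failed password login.

    Lines that do not match, or carry an unparsable address, are skipped.
    """
    records = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        try:
            src = ipaddress.ip_address(m.group("src"))
        except ValueError:
            continue
        # syslog timestamps have no year; strptime defaults to 1900, which is
        # fine for measuring the span within one log.
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        records.append((ts, m.group("user"), src))
    return records


def summarize(records):
    """Count attempts per source and per target user, plus overall rate."""
    per_src = Counter(src for _, _, src in records)
    per_user = Counter(user for _, user, _ in records)
    span_min = 1.0
    if records:
        times = [ts for ts, _, _ in records]
        span_min = max((max(times) - min(times)).total_seconds() / 60.0, 1.0)
    return {
        "total": len(records),
        "sources": len(per_src),
        "per_src": per_src,
        "per_user": per_user,
        "rate_per_min": len(records) / span_min,
    }


def classify(summary, min_sources=3, max_share=0.5):
    """Label the failure pattern.

    A single address producing more than max_share of all failures is a
    plain brute force; many sources each contributing a small share is the
    distributed pattern from the thread.  Thresholds are arbitrary defaults.
    """
    if summary["total"] == 0:
        return "none"
    _, top_n = summary["per_src"].most_common(1)[0]
    if top_n / summary["total"] > max_share:
        return "single-source"
    if summary["sources"] >= min_sources:
        return "distributed"
    return "low-volume"


def pf_table(summary, min_attempts=1):
    """Return a pf table file body: one address per line, numerically sorted.

    Load it with e.g. `pfctl -t sshbrute -T replace -f FILE` and reference
    the table from a block rule; the table name is an assumption.
    """
    addrs = sorted(a for a, n in summary["per_src"].items() if n >= min_attempts)
    return "".join(str(a) + "\n" for a in addrs)


if __name__ == "__main__":
    s = summarize(parse_failures(SAMPLE_LOG))
    print(f"{s['total']} failures from {s['sources']} sources, "
          f"{s['rate_per_min']:.2f}/min, pattern: {classify(s)}")
    print("targets:", dict(s["per_user"]))
    print(pf_table(s), end="")
```

On a real host, `rate_per_min` near one with hundreds of distinct sources is Jeremy's case; the same script run over a day of logs shows whether the set of sources is stable (worth a long-lived table) or rotating (where key-only auth and a non-default port do more than any block list).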