From owner-freebsd-security@FreeBSD.ORG Fri Nov 18 07:20:59 2005
X-Original-To: freebsd-security@freebsd.org
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C113216A41F for ; Fri, 18 Nov 2005 07:20:59 +0000 (GMT) (envelope-from ray@redshift.com)
Received: from outgoing.redshift.com (outgoing.redshift.com [207.177.231.8]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9436643D49 for ; Fri, 18 Nov 2005 07:20:59 +0000 (GMT) (envelope-from ray@redshift.com)
Received: from workstation (216-228-19-21.dsl.redshift.com [216.228.19.21]) by outgoing.redshift.com (Postfix) with SMTP id E55F197913; Thu, 17 Nov 2005 23:20:58 -0800 (PST)
Message-Id: <3.0.1.32.20051117232057.00a96750@pop.redshift.com>
X-Mailer: na
X-Sender: redshift.com
Date: Thu, 17 Nov 2005 23:20:57 -0800
To: Timothy Smith
From: ray@redshift.com
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Cc: freebsd-security@freebsd.org
Subject: Re: Need urgent help regarding security
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues [members-only posting]"
X-List-Received-Date: Fri, 18 Nov 2005 07:20:59 -0000

At 02:42 PM 11/18/2005 +1000, Timothy Smith wrote:
| I have seen a similar attack recently doing a brute-force SSH. The
| number ONE weakness in most poorly run IT systems is easy passwords.
| It's amazingly easy to brute-force these systems using common names or
| variations of them.

Speaking of SSH, if you have to provide SSH service via a public IP# (and you are unable to limit traffic to just specific management/workstation IP#s), then it's always a good idea to confirm that root login is not enabled in /etc/ssh/sshd_config.
This makes a brute-force attack much more difficult, since a would-be attacker not only has to hit the correct password, but also has to know a valid username on the system (as opposed to just using 'root') during an attack.

Also, if you have access to the router, it's handy to rewrite traffic from a higher public port down to port 22 on the server, since that will trip up anyone doing scans looking for a connect on port 22 across a large number of IPs.

Anyway, just a couple of ideas I thought might be helpful while on the subject of SSH hardening :-)

Ray
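As an added worked example (not part of Ray's message or the list archive), the POSIX shell script below audits an sshd_config file for the root-login check Ray describes, and also reports the listening port and whether password authentication is on, since password guessing is what the brute-force attacks in this thread rely on. The two sample configs it runs against are constructed here for illustration, not copied from any real host; the parsing rules it applies (first occurrence of a directive wins, keywords are case-insensitive, commented lines are not settings, lines after a Match header are conditional) are how sshd reads its config. The `sshd -T` suggestion in the output is the standard way to print the effective configuration on OpenSSH releases that support it.

```shell
#!/bin/sh
# Added example, not from the original post: audit an sshd_config for
# PermitRootLogin, PasswordAuthentication and Port.
# Usage: sh sshd_audit.sh [/etc/ssh/sshd_config]

# Print the effective value of a directive from an sshd_config file.
#   - sshd keeps the FIRST occurrence of a directive; later ones are ignored
#   - keyword names are case-insensitive; "Key value" and "Key=value" both parse
#   - everything after a "Match" header is conditional, so we stop reading there
#   - a commented-out line (#PermitRootLogin no) is documentation, not a setting
sshd_directive() {
    # $1 = config file, $2 = directive name
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        { sub(/^[[:space:]]+/, "") }           # strip leading blanks
        /^#/ || /^$/ { next }                   # comments and blank lines
        {
            n = split($0, f, /[[:space:]=]+/)
            if (n < 2) next
            k = tolower(f[1])
            if (k == "match") exit              # conditional section begins
            if (k == key) { print f[2]; exit }  # first occurrence wins
        }' "$1"
}

# "no" only when root login is explicitly disabled. An absent directive means
# the compiled-in default applies, which has differed between OpenSSH versions
# and OS patches, so it is reported as "unset" rather than assumed to be safe.
root_login_state() {
    v=$(sshd_directive "$1" PermitRootLogin)
    case "$(printf '%s' "$v" | tr 'A-Z' 'a-z')" in
        "") echo unset ;;
        no) echo no ;;
        *)  echo "$v" ;;
    esac
}

# Print findings; return 0 only if root login is explicitly off.
audit_sshd_config() {
    cfg=$1
    rc=0
    root=$(root_login_state "$cfg")
    if [ "$root" = no ]; then
        echo "ok:   PermitRootLogin no"
    else
        echo "warn: PermitRootLogin is '$root'; set 'PermitRootLogin no' and confirm with 'sshd -T'"
        rc=1
    fi
    pw=$(sshd_directive "$cfg" PasswordAuthentication | tr 'A-Z' 'a-z')
    if [ "$pw" = no ]; then
        echo "ok:   PasswordAuthentication no (password guessing is moot)"
    else
        echo "warn: PasswordAuthentication is '${pw:-unset}'; keys or a restricted source range are the real fix"
    fi
    port=$(sshd_directive "$cfg" Port)
    echo "info: sshd listens on port ${port:-22 (default)}"
    return $rc
}

# Constructed sample configs for demonstration; not taken from any real host.
WEAK_CFG=$(mktemp)
HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT

cat > "$WEAK_CFG" <<'EOF'
# the commented default below is NOT a setting
#PermitRootLogin no
PermitRootLogin yes
PasswordAuthentication yes
# a later duplicate does not override the first occurrence
PermitRootLogin no
EOF

cat > "$HARD_CFG" <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication no
# conditional exception for a management subnet; not the global setting
Match Address 192.0.2.0/24
    PermitRootLogin yes
EOF

if [ -n "$1" ]; then
    audit_sshd_config "$1"
else
    echo "== weak sample =="
    audit_sshd_config "$WEAK_CFG" || true
    echo "== hardened sample =="
    audit_sshd_config "$HARD_CFG"
fi
```

Run it with no arguments to see both samples, or pass a path to audit a real file. The weak sample shows the two mistakes that make a quick `grep PermitRootLogin` misleading: a commented-out `#PermitRootLogin no` that looks like a setting but is not, and a second `PermitRootLogin no` that sshd never reads because the first occurrence wins. On the router-side port rewrite Ray mentions, the script only reports what sshd itself listens on; if the router is a FreeBSD box running pf (an assumption, not something the post states), that rewrite is a `rdr` rule sending the high external TCP port to the server's port 22, and sshd stays on 22 as the hardened sample shows.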