From owner-freebsd-security@FreeBSD.ORG Mon Oct 3 14:38:21 2005
X-Original-To: freebsd-security@freebsd.org
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 8607816A41F
	for <freebsd-security@freebsd.org>; Mon, 3 Oct 2005 14:38:21 +0000 (GMT)
	(envelope-from dgilbert@daveg.ca)
Received: from ox.eicat.ca (ox.eicat.ca [66.96.30.35])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 3AB1643D4C
	for <freebsd-security@freebsd.org>; Mon, 3 Oct 2005 14:38:21 +0000 (GMT)
	(envelope-from dgilbert@daveg.ca)
Received: by ox.eicat.ca (Postfix, from userid 66)
	id 2BF55EE9A; Mon, 3 Oct 2005 10:38:17 -0400 (EDT)
Received: by canoe.dclg.ca (Postfix, from userid 101)
	id 6ECC81A08D0; Mon, 3 Oct 2005 10:38:13 -0400 (EDT)
From: David Gilbert
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <17217.16981.318702.635329@canoe.dclg.ca>
Date: Mon, 3 Oct 2005 10:38:13 -0400
To: Brett Glass
In-Reply-To: <6.2.3.4.2.20051002153930.07a50528@localhost>
References: <6.2.3.4.2.20051002153930.07a50528@localhost>
X-Mailer: VM 7.17 under 21.4 (patch 17) "Jumbo Shrimp" XEmacs Lucid
X-Mailman-Approved-At: Tue, 04 Oct 2005 11:41:58 +0000
Cc: freebsd-security@freebsd.org
Subject: Repeated attacks via SSH
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
X-List-Received-Date: Mon, 03 Oct 2005 14:38:21 -0000

>>>>> "Brett" == Brett Glass writes:

Brett> Everyone: We're starting to see a rash of password guessing
Brett> attacks via SSH on all of our exposed BSD servers which are
Brett> running an SSH daemon. They're coming from multiple addresses,
Brett> which makes us suspect that they're being carried out by a
Brett> network of "bots" rather than a single attacker.

[...]
Brett> SSH is enabled by default in most BSD-ish operating systems,
Brett> and this makes us a bigger target for these bots than users of
Brett> OSes that don't come with SSH (not that they're not more
Brett> vulnerable in other ways!). Therefore, it's strongly
Brett> recommended that, where practical, everyone limit SSH logins to
Brett> the minimum possible number of users via the "AllowUsers"
Brett> directive. We also have a log monitor that watches the logs
Brett> (/var/log/auth.log in particular) and blackholes hosts that
Brett> seem to be trying to break in via SSH.

I have another angle. I run the following script on many of my
machines:

#!/bin/bash
# Copyright (c) 2005 DaveG.ca
# You may use this code under the GPL, version 2 or newer.
#
# firewall excessive ssh attempts

PATH=/bin:/sbin:/usr/bin:/usr/sbin

# Every "Illegal user ... from ADDR" line in auth.log ends with the
# source address: count attempts per address and block any address
# that has made more than 9 of them.
grep "Illegal user" /var/log/auth.log | rev | cut -d' ' -f 1 | rev | sort | uniq -c | \
( while read num ip; do
    if [ "$num" -gt 9 ]; then
        # skip addresses that are already in the table
        # (table entries are listed by 'ipfw table N list', not 'ipfw show')
        if ! ipfw table 1 list | grep -qF "$ip/"; then
            echo "adding $ip for $num violations"
            logger -p auth.warn "blocking $ip for $num violations"
            ipfw table 1 add "$ip"
        fi
    fi
done )

Now... the line 'ipfw ...' can be replaced with other firewall statements
or it can be a route add -blackhole. The trick here is that it is unusual
for legal users to make many tries at an ssh with a completely wrong
username.

Dave.

-- 
============================================================================
|David Gilbert, Independent Contractor.       | Two things can only be     |
|Mail:       dave@daveg.ca                    | equal if and only if they  |
|http://daveg.ca                              | are precisely opposite.    |
=========================================================GLO================
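The same bad-username threshold as a standalone, testable function, written here as an added example (it is not David Gilbert's script): it counts "Illegal user ... from ADDR" lines per source address, ignores other sshd failures such as "Failed password", and skips addresses already present in a hypothetical block-list file. The log lines below are constructed sample data.

```sh
#!/bin/sh
# Added example, not the script from the post. Assumes sshd lines of the
# form "Illegal user NAME from ADDR" (as quoted in the thread) and a
# hypothetical block-list file holding one address per line.

# offenders LOGFILE BLOCKLIST THRESHOLD
# Prints "ADDR COUNT" for each address with more than THRESHOLD
# bad-username attempts that is not yet in BLOCKLIST.
offenders() {
    log=$1; blocked=$2; thresh=$3
    # the last field of an "Illegal user" line is the source address
    awk -v t="$thresh" '
        /Illegal user/ { n[$NF]++ }
        END { for (ip in n) if (n[ip] > t) print ip, n[ip] }
    ' "$log" | sort |
    while read -r ip num; do
        # whole-line match so 10.0.0.1 does not match 10.0.0.10
        if ! grep -qxF "$ip" "$blocked"; then
            printf '%s %s\n' "$ip" "$num"
        fi
    done
}

# Constructed sample auth.log and block list (not real data).
LOG=$(mktemp); BLOCKED=$(mktemp)
i=0
while [ "$i" -lt 12 ]; do
    echo "Oct  3 10:00:$i host sshd[100]: Illegal user admin from 192.0.2.10" >> "$LOG"
    echo "Oct  3 10:00:$i host sshd[101]: Illegal user test from 198.51.100.7" >> "$LOG"
    i=$((i + 1))
done
# one bad username only: stays under the threshold
echo "Oct  3 10:01:00 host sshd[102]: Illegal user guest from 203.0.113.5" >> "$LOG"
# a wrong password for a real user is not an "Illegal user" line and is not counted
echo "Oct  3 10:01:01 host sshd[103]: Failed password for dave from 192.0.2.10 port 2222 ssh2" >> "$LOG"
# 198.51.100.7 was blocked on an earlier run
echo "198.51.100.7" > "$BLOCKED"

offenders "$LOG" "$BLOCKED" 9
# prints: 192.0.2.10 12
```

Each printed address is what the post hands to `ipfw table 1 add`; running the function from cron against the live /var/log/auth.log gives the same decision the original loop makes.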