Date:      Thu, 21 Aug 2008 23:14:31 +0000
From:      "Dan Rowe" <dan@dracosplace.com>
To:        "Mikhail Teterin" <mi+mill@aldan.algebra.com>, freebsd-security@freebsd.org
Subject:   Re: machine hangs on occasion - correlated with ssh break-in attempts
Message-ID:  <1078856133-1219360561-cardhu_decombobulator_blackberry.rim.net-634451014-@bxe020.bisx.prod.on.blackberry>
In-Reply-To: <48ADA81E.7090106@aldan.algebra.com>
References:  <48ADA81E.7090106@aldan.algebra.com>


May or may not be an option, but changing the default port that ssh runs on worked well enough for our needs. It greatly reduced the number of automated attacks against the servers.
It might work well enough to allow your DIY script to keep up without problems.

-dan
-----Original Message-----
From: Mikhail Teterin <mi+mill@aldan.algebra.com>

Date: Thu, 21 Aug 2008 13:38:38 
To: <freebsd-security@freebsd.org>; <freebsd-stable@FreeBSD.org>
Subject: machine hangs on occasion - correlated with ssh break-in attempts


Hello!

A machine I manage remotely for a friend comes under a distributed ssh
break-in attack every once in a while. Annoyed (and alarmed) by the
messages like:

Aug 12 10:21:17 symbion sshd[4333]: Invalid user mythtv from 85.234.158.180
Aug 12 10:21:18 symbion sshd[4335]: Invalid user mythtv from 85.234.158.180
Aug 12 10:21:20 symbion sshd[4337]: Invalid user mythtv from 85.234.158.180
Aug 12 10:21:21 symbion sshd[4339]: Invalid user mythtv from 85.234.158.180

I wrote an awk-script, which adds a block of the attacking IP-address to
the ipfw-rules after three such "invalid user" attempts with:

    ipfw add 550 deny ip from <attacking-address> to any

The script is fed by syslogd directly -- through a syslog.conf rule
("|/opt/sbin/auth-log-watch").

Once in a while I manually flush these rules... Is this a good (safe)
reaction?
I'm asking, because the machine (currently running 7.0 as of July 7)
hangs solid once every few weeks... My only guess is that a spike in
attacks causes "too many" ipfw-entries created, which paralyzes the
kernel due to some bug -- the machine is running natd and is the gateway
for the rest of the network...
The hangs could, of course, be caused by something else entirely, but my
self-defense mechanism is my first suspect...

Any comments? Thanks!

    -mi

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
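Added example, not the original poster's awk script or any code from the thread: a POSIX sh/awk watcher in the shape the message describes (syslog.conf pipes sshd messages to it, it counts "Invalid user" attempts per source address and emits an ipfw rule after three). The rule number 550 and threshold come from the thread; the cap on the number of blocks, the sample log lines and the choice to print the ipfw command instead of executing it are assumptions made so the block runs without root.

```shell
#!/bin/sh
# Added example (not the poster's script). Reads sshd syslog lines on stdin and
# prints "ipfw add ..." for each address that crosses THRESHOLD, once per address.
# Pipe the output to "sh" on a real host; here it is printed so the demo needs no root.
THRESHOLD=3     # attempts before an address is blocked (as in the thread)
RULE_NUM=550    # ipfw rule number shared by every block (as in the thread)
MAX_BLOCKS=500  # assumed cap so an attack spike cannot create unbounded rules

auth_log_watch() {
    awk -v thr="$THRESHOLD" -v rule="$RULE_NUM" -v cap="$MAX_BLOCKS" '
        /sshd\[[0-9]*\]: Invalid user / {
            # Take the field after the last "from"; the username is attacker-
            # controlled text and is never used, so nothing of it reaches the shell.
            ip = ""
            for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
            # Accept only a dotted quad with numeric octets 0-255.
            if (split(ip, o, ".") != 4) next
            for (j = 1; j <= 4; j++) if (o[j] !~ /^[0-9]+$/ || o[j] + 0 > 255) next
            if (++count[ip] < thr || ip in blocked) next
            blocked[ip] = 1
            if (++nblocked > cap) { print "# cap reached, not blocking " ip; next }
            print "ipfw add " rule " deny ip from " ip " to any"
            fflush()   # syslogd feeds a pipe; do not let the rule sit in a buffer
        }'
}

# Constructed sample: three hits from one address, two (below threshold) from
# another, one of them in the newer "... port N" log form.
SAMPLE_LOG='Aug 12 10:21:17 symbion sshd[4333]: Invalid user mythtv from 85.234.158.180
Aug 12 10:21:18 symbion sshd[4335]: Invalid user mythtv from 85.234.158.180
Aug 12 10:21:19 symbion sshd[4336]: Invalid user admin from 192.0.2.10 port 4711
Aug 12 10:21:20 symbion sshd[4337]: Invalid user mythtv from 85.234.158.180
Aug 12 10:21:21 symbion sshd[4339]: Invalid user mythtv from 85.234.158.180
Aug 12 10:21:22 symbion sshd[4340]: Invalid user admin from 192.0.2.10'

demo() {
    printf '%s\n' "$SAMPLE_LOG" | auth_log_watch
}

demo
```

Because every block shares rule number 550, `ipfw delete 550` removes all of them in one step when the rules are flushed.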

