From owner-freebsd-security@FreeBSD.ORG Wed Apr 6 16:28:12 2005
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A5E6816A4CE; Wed, 6 Apr 2005 16:28:12 +0000 (GMT)
Received: from cenn.mc.mpls.visi.com (cenn.mc.mpls.visi.com [208.42.156.9]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6B5FD43D1D; Wed, 6 Apr 2005 16:28:12 +0000 (GMT) (envelope-from drue@therub.org)
Received: from egypt.therub.org (therub.org [209.98.146.43]) by cenn.mc.mpls.visi.com (Postfix) with ESMTP id DF5E48276; Wed, 6 Apr 2005 11:28:11 -0500 (CDT)
Received: by egypt.therub.org (Postfix, from userid 1001) id 747EF4566E8; Wed, 6 Apr 2005 11:28:11 -0500 (CDT)
Date: Wed, 6 Apr 2005 11:28:11 -0500
From: Dan Rue
To: Martin McCormick
Cc: freebsd-security@freebsd.org
Subject: Re: What is this Very Stupid DOS Attack Script?
Message-ID: <20050406162811.GQ1019@therub.org>
References: <200504061549.j36Fn8Y5082507@dc.cis.okstate.edu>
In-Reply-To: <200504061549.j36Fn8Y5082507@dc.cis.okstate.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.4.2.1i
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
X-List-Received-Date: Wed, 06 Apr 2005 16:28:12 -0000

On Wed, Apr 06, 2005 at 10:49:08AM -0500, Martin McCormick wrote:
> We have been noticing flurries of sshd reject messages in
> which some system out there in the hinterlands hits us with a flood of
> ssh login attempts. An example:
>
> Apr 6 05:49:42 dc sshd[12406]: Failed password for illegal user
> bruce from 67.19.58.170 port 32983 ssh2

In my experience, these are just script kiddies goofing around. The
only useful thing to do is to report them to abuse@ their ISP - this
can actually be effective in some cases.
$ whois 67.19.58.170
OrgName:    ThePlanet.com Internet Services, Inc.
OrgID:      TPCM
Address:    1333 North Stemmons Freeway
Address:    Suite 110
City:       Dallas
StateProv:  TX
PostalCode: 75207
Country:    US
...
OrgAbuseHandle: ABUSE271-ARIN
OrgAbuseName:   Abuse
OrgAbusePhone:  +1-214-782-7802
OrgAbuseEmail:  abuse@theplanet.com

I'm sure his ISP would like to know about his behavior - send them a
report of his attempts. Often in my opinion it's some 13 year old who
doesn't realize he's not anonymous on the internet. It quickly becomes
a tedious and thankless job, but it's the best weapon you have imo.

Also, I find on some systems it's nice to do whitelisting with
hosts.allow to only allow connections from certain addresses.
Obviously that is not a solution for every system, but it can work
well for some.

Dan
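As an added example, not code from the thread or from either poster: a small Python script that parses sshd "Failed password" lines of the form Martin quoted, groups them by source address, separates a username-guessing flood from a legitimate user mistyping a password, and produces the per-source summary plus raw lines one would attach to the report Dan suggests sending to the abuse contact that whois shows. Only the first sample log line is the one quoted in the thread; the rest are constructed (using documentation address ranges), and the flood thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the sshd failure line quoted in the thread. "illegal user" is the
# OpenSSH wording of that era; later versions say "invalid user", and a failed
# login for an account that does exist carries no such prefix at all.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"sshd\[(?P<pid>\d+)\]: Failed password for (?:(?:illegal|invalid) user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+) ssh2$"
)

# Constructed sample log: the first line is the one from the thread; the rest
# are made up for this example (198.51.100.7 and 192.0.2.55 are documentation
# addresses, not real hosts).
SAMPLE_LOG = """\
Apr  6 05:49:42 dc sshd[12406]: Failed password for illegal user bruce from 67.19.58.170 port 32983 ssh2
Apr  6 05:49:44 dc sshd[12408]: Failed password for illegal user test from 67.19.58.170 port 32990 ssh2
Apr  6 05:49:45 dc sshd[12410]: Failed password for illegal user admin from 67.19.58.170 port 32995 ssh2
Apr  6 05:49:47 dc sshd[12412]: Failed password for root from 67.19.58.170 port 33001 ssh2
Apr  6 05:49:49 dc sshd[12414]: Failed password for illegal user guest from 67.19.58.170 port 33007 ssh2
Apr  6 05:49:51 dc sshd[12416]: Failed password for illegal user oracle from 67.19.58.170 port 33012 ssh2
Apr  6 08:12:03 dc sshd[13001]: Failed password for martin from 198.51.100.7 port 40112 ssh2
Apr  6 08:12:09 dc sshd[13003]: Accepted password for martin from 198.51.100.7 port 40112 ssh2
Apr  6 09:30:00 dc sshd[13100]: Failed password for illegal user pgsql from 192.0.2.55 port 51000 ssh2
"""


def parse_line(line):
    """Return a dict for an sshd 'Failed password' line, or None for anything else."""
    m = FAILED_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    # syslog timestamps carry no year; strptime defaults to 1900, which is
    # enough to order and time lines within one log file.
    rec["when"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")
    return rec


def summarize(lines):
    """Group failed logins by source address: count, usernames tried, time span, raw lines."""
    by_ip = defaultdict(lambda: {"attempts": 0, "users": set(),
                                 "first": None, "last": None, "lines": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = by_ip[rec["ip"]]
        s["attempts"] += 1
        s["users"].add(rec["user"])
        s["first"] = rec["when"] if s["first"] is None else min(s["first"], rec["when"])
        s["last"] = rec["when"] if s["last"] is None else max(s["last"], rec["when"])
        s["lines"].append(line.rstrip("\n"))
    return dict(by_ip)


def flag_floods(summary, min_attempts=5, min_users=3):
    """Sources that look like a guessing script rather than a mistyped password:
    many attempts spread across many account names (thresholds are assumptions)."""
    return sorted(ip for ip, s in summary.items()
                  if s["attempts"] >= min_attempts and len(s["users"]) >= min_users)


def abuse_report(ip, summary):
    """Plain-text summary followed by the raw log lines for one source, the
    material to send to the OrgAbuseEmail contact that whois reports."""
    s = summary[ip]
    span = int((s["last"] - s["first"]).total_seconds())
    header = (f"Source {ip}: {s['attempts']} failed sshd logins against "
              f"{len(s['users'])} usernames between {s['first']:%b %d %H:%M:%S} "
              f"and {s['last']:%b %d %H:%M:%S} ({span}s)")
    return "\n".join([header] + s["lines"])


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG.splitlines())
    for ip in flag_floods(summary):
        print(abuse_report(ip, summary))
        print()
```

Run against a real /var/log/auth.log the same way (pass the file's lines to summarize). The two thresholds do the useful discrimination: martin's single failure followed by a successful login is not flagged, while the six-username burst from the quoted address is, and its report already contains exactly the lines an abuse desk asks for.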