From owner-freebsd-security@FreeBSD.ORG Fri Sep 24 21:49:20 2004
Date: Fri, 24 Sep 2004 23:49:09 +0200
From: Alex de Kruijff
To: "David D.W. Downey"
Cc: "freebsd-security@FreeBSD.ORG"
Subject: Re: Attacks on ssh port
Message-id: <20040924214909.GA784@alex.lan>
In-reply-to: <6917b781040918103077c76f0c@mail.gmail.com>
References: <414C2798.7060509@withagen.nl> <6917b781040918103077c76f0c@mail.gmail.com>
List-Id: Security issues [members-only posting]
User-Agent: Mutt/1.4.2.1i

On Sat, Sep 18, 2004 at 01:30:22PM -0400, David D.W. Downey wrote:
> On Sat, 18 Sep 2004 14:18:32 +0200, Willem Jan Withagen wrote:
> > Hi,
> >
> > Is there a security problem with ssh that I've missed???
> > I keep getting these hordes of:
> > Failed password for root from 69.242.5.195 port 39239 ssh2
> > with all kinds of different source addresses.
> >
> > They have a shot or 15 and then they are off again, but a little later on
> > they're back and keep clogging my logs.
> > Is there an "easy" way of getting these ip-numbers added to the
> > blocking-list of ipfw??
> >
> > Thanx,
> > --WjW
>
> Well, you want to see those. So long as you have
>
> PermitRootLogin no
>
> in your /etc/ssh/sshd_config, they won't be able to get in since ssh
> is then denied for root (except via a valid ssh key which you can
> further lock down by adding

No, ssh keys are also denied. To enable this you have to set
PermitRootLogin to 'without-password' or 'forced-commands-only' (or yes).

> from="ip.addr, forward.dns.record.of.host"
>
> to the beginning of your ssh-dsa or ssh-rsa key line in ~/.ssh/authorized_keys)
>
> A better solution to the verbosity level would probably be to change
> your kernel config to have something like
>
> options IPFIREWALL_VERBOSE_LIMIT=3
>
> or using the sysctl.conf oid
>
> net.inet.ip.fw.verbose_limit=3
>
> Then you can still see the attempts (and thus log the IP information
> for contacting the abuse@ for the responsible IP controller) while
> limiting your log sizes.

This only logs the first three catches (when the log attribute is set)
per rule. You may want to set this a little higher, like 100.

-- 
Alex

Articles based on solutions that I use:
http://www.kruijff.org/alex/FreeBSD/
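Willem's original question (how to get the source addresses of the "Failed password for root" lines into an ipfw blocking list) is not answered in the thread itself. The following is an added example, not code from any participant: it counts failed root logins per source IP in an auth log excerpt and prints the ipfw table commands that would block the offenders. The log lines are constructed for the example; the table number (1), the threshold (5), and the ipfw "table N add" / "table(N)" syntax are assumptions to be checked against ipfw(8) on the release in use. The commands are printed rather than executed so the output can be inspected before it is fed to ipfw.

```shell
#!/bin/sh
# Added example (not from the thread). Parse sshd "Failed password for root
# from <ip> port <n> ssh2" lines, count attempts per IP, and emit ipfw table
# commands for IPs at or above a threshold. Nothing here runs ipfw itself.

# Constructed sample: one IP hammers root five times, a second IP twice, and
# one non-root failure that must be ignored.
SAMPLE_LOG='Sep 18 14:01:02 host sshd[1234]: Failed password for root from 69.242.5.195 port 39239 ssh2
Sep 18 14:01:05 host sshd[1235]: Failed password for root from 69.242.5.195 port 39240 ssh2
Sep 18 14:01:08 host sshd[1236]: Failed password for root from 10.0.0.7 port 51000 ssh2
Sep 18 14:01:11 host sshd[1237]: Failed password for root from 69.242.5.195 port 39241 ssh2
Sep 18 14:01:14 host sshd[1238]: Failed password for illegal user admin from 192.0.2.9 port 40000 ssh2
Sep 18 14:01:17 host sshd[1239]: Failed password for root from 69.242.5.195 port 39242 ssh2
Sep 18 14:01:20 host sshd[1240]: Failed password for root from 10.0.0.7 port 51001 ssh2
Sep 18 14:01:23 host sshd[1241]: Failed password for root from 69.242.5.195 port 39243 ssh2'

# offending_ips THRESHOLD: read log lines on stdin, print each source IP that
# has at least THRESHOLD failed root logins, one per line, sorted.
offending_ips() {
    threshold="$1"
    grep 'Failed password for root from ' |
    sed -n 's/.*Failed password for root from \([0-9.]*\) port.*/\1/p' |
    sort | uniq -c |
    awk -v t="$threshold" '$1 >= t { print $2 }'
}

# ipfw_block_cmds THRESHOLD TABLE: read log lines on stdin and print the
# "ipfw table TABLE add IP" command for every offending IP. Assumed ipfw2
# table syntax; pipe the output into sh(1) only after reviewing it.
ipfw_block_cmds() {
    threshold="$1"
    table="$2"
    offending_ips "$threshold" | while read -r ip; do
        printf 'ipfw table %s add %s\n' "$table" "$ip"
    done
}

# A rule consulting the table (assumed syntax, added once by hand):
#   ipfw add 100 deny tcp from table(1) to me 22
printf '%s\n' "$SAMPLE_LOG" | ipfw_block_cmds 5 1
```

With the threshold at 5 only 69.242.5.195 is emitted; lowering it to 2 also catches 10.0.0.7, while the "illegal user admin" line never matches because the pattern is anchored on "for root from". Run it against /var/log/auth.log (or wherever syslog puts authpriv) and review the printed commands before executing them, since a typo in the pattern would otherwise block arbitrary addresses.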