From owner-freebsd-security@FreeBSD.ORG Fri Aug 22 08:04:17 2008
Message-Id: <6.0.0.22.2.20080821132630.026c6a48@mail.computinginnovations.com>
Date: Thu, 21 Aug 2008 13:28:22 -0500
From: Derek Ragona
To: Mikhail Teterin, freebsd-security@freebsd.org, freebsd-stable@freebsd.org
In-Reply-To: <48ADA81E.7090106@aldan.algebra.com>
Subject: Re: machine hangs on occasion - correlated with ssh break-in attempts
List-Id: "Security issues [members-only posting]"

At 12:38 PM 8/21/2008, Mikhail Teterin wrote:
>Hello!
>
>A machine I manage remotely for a friend comes under a distributed ssh
>break-in attack every once in a while. Annoyed (and alarmed) by the
>messages like:
>
>Aug 12 10:21:17 symbion sshd[4333]: Invalid user mythtv from 85.234.158.180
>Aug 12 10:21:18 symbion sshd[4335]: Invalid user mythtv from 85.234.158.180
>Aug 12 10:21:20 symbion sshd[4337]: Invalid user mythtv from 85.234.158.180
>Aug 12 10:21:21 symbion sshd[4339]: Invalid user mythtv from 85.234.158.180
>
>I wrote an awk-script, which adds a block of the attacking IP-address to
>the ipfw-rules after three such "invalid user" attempts with:
>
>    ipfw add 550 deny ip from ip
>
>The script is fed by syslogd directly -- through a syslog.conf rule
>("|/opt/sbin/auth-log-watch").
>
>Once in a while I manually flush these rules... Is this a good (safe) reaction?
>I'm asking, because the machine (currently running 7.0 as of July 7) hangs
>solid once every few weeks...
>My only guess is that a spike in attacks
>causes "too many" ipfw-entries created, which paralyzes the kernel due to
>some bug -- the machine is running natd and is the gateway for the rest of
>the network...
>The hangs could, of course, be caused by something else entirely, but my
>self-defense mechanism is my first suspect...
>
>Any comments? Thanks!
>
> -mi

I doubt it is your script or syslog causing the crash. It is likely a
hardware problem of some type if you have this server completely patched
and up-to-date for security patches. I would look at the memory, ethernet,
hard disk, or power supply as the most likely candidates.

-Derek
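Mikhail's script is not in the thread; as an added example (mine, not his), here is the same detection written as an awk pipeline inside a shell function, with the three guards that bear on his worry about rule growth: one rule per address no matter how many further attempts arrive, a never-block list for the addresses you administer from, and a cap on how many rules one run may add. The sample lines and the 192.0.2.x addresses are constructed.

```shell
#!/bin/sh
# Constructed sample of sshd lines: the first address is the one quoted in the
# thread, the 192.0.2.x ones are from the RFC 5737 documentation range.
SAMPLE_LOG='Aug 12 10:21:17 symbion sshd[4333]: Invalid user mythtv from 85.234.158.180
Aug 12 10:21:18 symbion sshd[4335]: Invalid user mythtv from 85.234.158.180
Aug 12 10:21:20 symbion sshd[4337]: Invalid user mythtv from 85.234.158.180
Aug 12 10:21:21 symbion sshd[4339]: Invalid user mythtv from 85.234.158.180
Aug 12 10:22:05 symbion sshd[4341]: Invalid user oracle from 192.0.2.7
Aug 12 10:22:09 symbion sshd[4343]: Invalid user oracle from 192.0.2.7
Aug 12 10:22:30 symbion sshd[4345]: Invalid user admin from 192.0.2.20
Aug 12 10:22:31 symbion sshd[4347]: Invalid user admin from 192.0.2.20
Aug 12 10:22:33 symbion sshd[4349]: Invalid user admin from 192.0.2.20
Aug 12 10:23:00 symbion sshd[4351]: Accepted publickey for mi from 192.0.2.20 port 40000 ssh2'

# emit_blocks THRESHOLD NEVER_BLOCK MAX_BLOCKS
# Reads sshd lines on stdin and prints one "ipfw add" command per source
# address that reaches THRESHOLD "Invalid user" lines.  NEVER_BLOCK is a
# space-separated list of addresses that must never be cut off (the admin's
# own), MAX_BLOCKS caps how many rules one run may add.  Commands are printed,
# not executed, so they can be reviewed before being piped to sh.
emit_blocks() {
    awk -v limit="${1:-3}" -v safe="${2:-}" -v max="${3:-500}" '
        BEGIN { n = split(safe, s, " "); for (i = 1; i <= n; i++) keep[s[i]] = 1 }
        /sshd\[[0-9]+\]: Invalid user / {
            # take the word after the last "from", which also survives newer
            # sshd formats that append "port NNNN ssh2"
            ip = ""
            for (i = NF; i > 1; i--) if ($i == "from") { ip = $(i + 1); break }
            if (ip == "" || (ip in keep)) next
            # exactly one rule per address: emit on the hit that reaches the
            # threshold and ignore every later attempt from that address
            if (++seen[ip] != limit) next
            if (blocked >= max) {
                print "block limit reached, ignoring " ip > "/dev/stderr"
                next
            }
            blocked++
            printf "ipfw add 550 deny ip from %s to any\n", ip
            fflush()   # syslogd keeps the pipe open; do not sit on a full buffer
        }'
}
```

Hooked up as in the thread it would run as `emit_blocks 3 "<your addr>" | sh`; printing first lets the rules be checked with `ipfw list` before anything is applied. On 7.x an ipfw table (a single `deny ip from table(1) to any` rule, with `ipfw table 1 add <addr>` per attacker) keeps the rule list at one entry however many addresses are blocked.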