From owner-freebsd-questions@FreeBSD.ORG Wed Sep 8 02:59:42 2004
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5AFF816A4CE for ; Wed, 8 Sep 2004 02:59:42 +0000 (GMT)
Received: from chen.org.nz (chen.org.nz [210.54.19.51]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1310143D1F for ; Wed, 8 Sep 2004 02:59:42 +0000 (GMT) (envelope-from jonc@chen.org.nz)
Received: by chen.org.nz (Postfix, from userid 1000) id 41C8D13630; Wed, 8 Sep 2004 14:59:40 +1200 (NZST)
Date: Wed, 8 Sep 2004 14:59:40 +1200
From: Jonathan Chen
To: Mike Galvez
Message-ID: <20040908025940.GA12835@grimoire.chen.org.nz>
References: <20040907134216.GB14884@humpty.finadmin.virginia.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20040907134216.GB14884@humpty.finadmin.virginia.edu>
User-Agent: Mutt/1.4.2.1i
cc: freebsd-questions@FreeBSD.ORG
Subject: Re: Tar pitting automated attacks
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 08 Sep 2004 02:59:42 -0000

On Tue, Sep 07, 2004 at 09:42:16AM -0400, Mike Galvez wrote:
> I am seeing a lot of automated attacks lately against sshd such as:
> [...]
> Sep 6 12:16:39 www sshd[29901]: Failed password for illegal user server from 159.134.244.189 port 4044 ssh2
> Sep 6 12:16:41 www sshd[29902]: Failed password for illegal user adam from 159.134.244.189 port 4072 ssh2
> Sep 6 12:16:42 www sshd[29903]: Failed password for illegal user alan from 159.134.244.189 port 4104 ssh2
> Sep 6 12:16:43 www sshd[29904]: Failed password for illegal user frank from 159.134.244.189 port 4131 ssh2
> Sep 6 12:16:44 www sshd[29905]: Failed password for illegal user george from 159.134.244.189 port 4152 ssh2
> Sep 6 12:16:45 www sshd[29906]: Failed password for illegal user henry from 159.134.244.189 port 4175 ssh2
> -- snip --
> Some of these go on until they turn the logs over.
>
> Is there a method to make this more expensive to the attacker, such as tar-pitting?

Put in an ipfw block on the netblock/country. At the very least it will make it pretty slow for the initial TCP handshake.

Cheers.
--
Jonathan Chen
----------------------------------------------------------------------
Vini, vidi, velcro... I came, I saw, I stuck around
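As an added example, not part of the thread and not code from either poster: a small Python script that parses sshd "Failed password" lines of the kind quoted above, flags source addresses that exceed a threshold of failures inside a sliding time window, and emits the ipfw deny rules the reply suggests. The threshold (5 failures), window (60 seconds), the rule numbering, and the extra log lines from 203.0.113.7 (documentation address range) are constructed assumptions; the six lines from 159.134.244.189 are the ones quoted in the original mail.

```python
import re
from collections import defaultdict
from datetime import datetime

# OpenSSH "Failed password" line as quoted in the thread. The sshd of that era
# said "illegal user"; newer releases say "invalid user", so both are accepted.
# syslog may pad the day ("Sep  6"), hence \s+ after the month.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:(?:illegal|invalid) user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port (?P<port>\d+) ssh2$"
)

# Constructed sample input: the six lines quoted in the mail, two slow
# failures from a second (documentation-range) address, and one unrelated
# line the parser must ignore.
SAMPLE_LOG = [
    "Sep 6 12:16:39 www sshd[29901]: Failed password for illegal user server from 159.134.244.189 port 4044 ssh2",
    "Sep 6 12:16:41 www sshd[29902]: Failed password for illegal user adam from 159.134.244.189 port 4072 ssh2",
    "Sep 6 12:16:42 www sshd[29903]: Failed password for illegal user alan from 159.134.244.189 port 4104 ssh2",
    "Sep 6 12:16:43 www sshd[29904]: Failed password for illegal user frank from 159.134.244.189 port 4131 ssh2",
    "Sep 6 12:16:44 www sshd[29905]: Failed password for illegal user george from 159.134.244.189 port 4152 ssh2",
    "Sep 6 12:16:45 www sshd[29906]: Failed password for illegal user henry from 159.134.244.189 port 4175 ssh2",
    "Sep 6 12:20:00 www sshd[29950]: Failed password for root from 203.0.113.7 port 5001 ssh2",
    "Sep 6 12:30:00 www sshd[29980]: Failed password for root from 203.0.113.7 port 5002 ssh2",
    "Sep 6 12:31:07 www sshd[29990]: Accepted publickey for mike from 203.0.113.9 port 5003 ssh2",
]


def parse_line(line, year=2004):
    """Return a dict for a failed-password line, or None for anything else.
    syslog timestamps carry no year, so the caller supplies one (assumed 2004
    here to match the quoted log)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "user": m["user"], "ip": m["ip"], "port": int(m["port"])}


def find_brute_force(lines, threshold=5, window_seconds=60):
    """Map each source IP that produced `threshold` or more failures within
    any `window_seconds` span to a summary of its activity."""
    events = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            events[ev["ip"]].append(ev)

    offenders = {}
    for ip, evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits within window_seconds.
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                offenders[ip] = {
                    "attempts": len(evs),
                    "users": sorted({e["user"] for e in evs}),
                }
                break
    return offenders


def ipfw_rules(offenders, rule_number=1000):
    """Render one ipfw deny rule per offending address (assumed rule numbering,
    blocking only inbound TCP to port 22 as the reply suggests)."""
    return [
        f"ipfw add {rule_number + i} deny tcp from {ip} to any dst-port 22"
        for i, ip in enumerate(sorted(offenders))
    ]


if __name__ == "__main__":
    found = find_brute_force(SAMPLE_LOG)
    for ip, info in found.items():
        print(f"{ip}: {info['attempts']} failures, users tried: {', '.join(info['users'])}")
    for rule in ipfw_rules(found):
        print(rule)
```

Running it on the constructed sample flags only 159.134.244.189 (six failures in six seconds, six distinct usernames); the two failures ten minutes apart from 203.0.113.7 stay under the threshold, which is the distinction a script like this exists to make before anything is fed to ipfw.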