From owner-freebsd-security@FreeBSD.ORG Sat Sep 18 17:30:27 2004
Message-ID: <6917b781040918103077c76f0c@mail.gmail.com>
Date: Sat, 18 Sep 2004 13:30:22 -0400
From: "David D.W. Downey"
To: Willem Jan Withagen
In-Reply-To: <414C2798.7060509@withagen.nl>
References: <414C2798.7060509@withagen.nl>
cc: "freebsd-security@FreeBSD.ORG"
Subject: Re: Attacks on ssh port
List-Id: Security issues [members-only posting]

On Sat, 18 Sep 2004 14:18:32 +0200, Willem Jan Withagen wrote:
> Hi,
>
> Is there a security problem with ssh that I've missed???
> I keep getting these hordes of:
> Failed password for root from 69.242.5.195 port 39239 ssh2
> with all kinds of different source addresses.
>
> They have a shot or 15 and then they are off again, but a little later on
> they're back and keep clogging my logs.
> Is there an "easy" way of getting these ip-numbers added to the
> blocking-list of ipfw??
>
> Thanx,
> --WjW

Well, you want to see those.
So long as you have PermitRootLogin no in your /etc/ssh/sshd_config, they won't be able to get in, since ssh is then denied for root (except via a valid ssh key, which you can further lock down by adding from="ip.addr, forward.dns.record.of.host" to the beginning of your ssh-dsa or ssh-rsa key line in ~/.ssh/authorized_keys).

A better solution to the verbosity level would probably be to change your kernel config to have something like

    options IPFIREWALL_VERBOSE_LIMIT=3

or using the sysctl.conf oid

    net.inet.ip.fw.verbose_limit=3

Then you can still see the attempts (and thus log the IP information for contacting the abuse@ for the responsible IP controller) while limiting your log sizes.

-- 
David D.W. Downey
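The original question asks for an easy way to get the source addresses from these "Failed password for root" lines into an ipfw block list, and the reply's first point is that PermitRootLogin no is what actually neutralises the guessing. The script below is an added example written for this thread, not code posted by either participant: it tallies failed root password logins per source address from sshd log lines, prints the ipfw table commands an admin would review before applying them, and checks whether an sshd_config sets PermitRootLogin to no. The log lines and config fragment are constructed samples, the table number 1 and the failure threshold are arbitrary choices, and the commands are printed rather than executed so nothing is blocked without a human looking at the list first. The config check only reads the first uncommented PermitRootLogin keyword (which is the value sshd uses) and ignores Match blocks.

```shell
#!/bin/sh
# Added example for the "Attacks on ssh port" thread; not from the original mail.
# Builds a review list of sources that fail root password logins repeatedly and
# emits ipfw table commands for them. Assumes FreeBSD-style sshd syslog lines.

SAMPLE_LOG=$(mktemp) || exit 1
SAMPLE_CONF=$(mktemp) || exit 1
trap 'rm -f "$SAMPLE_LOG" "$SAMPLE_CONF"' EXIT

# Constructed sample log (not real data). Two sources pass a threshold of 3,
# one source fails once, and two unrelated lines must be ignored.
cat >"$SAMPLE_LOG" <<'EOF'
Sep 18 10:30:01 host sshd[1234]: Failed password for root from 69.242.5.195 port 39239 ssh2
Sep 18 10:30:03 host sshd[1235]: Failed password for root from 69.242.5.195 port 39240 ssh2
Sep 18 10:30:05 host sshd[1236]: Failed password for root from 69.242.5.195 port 39241 ssh2
Sep 18 10:30:06 host sshd[1237]: Failed password for root from 69.242.5.195 port 39242 ssh2
Sep 18 10:31:10 host sshd[1240]: Failed password for root from 198.51.100.7 port 4100 ssh2
Sep 18 10:31:11 host sshd[1241]: Failed password for root from 198.51.100.7 port 4101 ssh2
Sep 18 10:31:12 host sshd[1242]: Failed password for root from 198.51.100.7 port 4102 ssh2
Sep 18 10:31:13 host sshd[1243]: Failed password for root from 198.51.100.7 port 4103 ssh2
Sep 18 10:31:14 host sshd[1244]: Failed password for root from 198.51.100.7 port 4104 ssh2
Sep 18 10:32:00 host sshd[1250]: Failed password for root from 203.0.113.9 port 5000 ssh2
Sep 18 10:32:30 host sshd[1251]: Accepted publickey for alice from 203.0.113.50 port 5100 ssh2
Sep 18 10:33:00 host sshd[1252]: Failed password for alice from 203.0.113.9 port 5001 ssh2
EOF

# Constructed sshd_config fragment (not a real system file): the commented
# line must be ignored, the first live keyword decides.
cat >"$SAMPLE_CONF" <<'EOF'
#PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication yes
EOF

# failed_root_counts LOGFILE
# Prints "count ip" pairs, highest count first, for failed root password logins.
failed_root_counts() {
    grep 'sshd\[[0-9]*\]: Failed password for root from ' "$1" \
      | sed 's/.* from \([0-9.]*\) port .*/\1/' \
      | sort | uniq -c | sort -rn \
      | awk '{ print $1, $2 }'
}

# offenders LOGFILE THRESHOLD
# Prints one address per line for sources with at least THRESHOLD failures.
offenders() {
    failed_root_counts "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# ipfw_commands LOGFILE THRESHOLD TABLE
# Prints (does not run) the ipfw table commands for the offenders, so the
# list can be reviewed before a rule such as "deny ip from table(TABLE) to me"
# starts using it.
ipfw_commands() {
    offenders "$1" "$2" | while read -r ip; do
        printf 'ipfw table %s add %s\n' "$3" "$ip"
    done
}

# permit_root_login_ok SSHD_CONFIG
# Returns 0 when the first uncommented PermitRootLogin keyword is "no".
# sshd uses the first value it finds for a keyword; Match blocks are ignored here.
permit_root_login_ok() {
    val=$(awk 'tolower($1) == "permitrootlogin" && !seen { v = tolower($2); seen = 1 }
               END { print v }' "$1")
    [ "$val" = "no" ]
}

# Stand-alone run: tally, proposed commands, then the config check.
failed_root_counts "$SAMPLE_LOG"
ipfw_commands "$SAMPLE_LOG" 3 1
if permit_root_login_ok "$SAMPLE_CONF"; then
    echo "PermitRootLogin no: root password guessing cannot succeed"
else
    echo "WARNING: PermitRootLogin is not set to no"
fi
```

Point the script at /var/log/auth.log instead of the constructed sample, pick a threshold that reflects how many tries a burst usually contains, and only pipe the output into sh once the list has been read; a table entry with no expiry stays until someone removes it, so a periodic job that also flushes old entries is the usual companion to this.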