From owner-freebsd-hackers@FreeBSD.ORG Wed Oct 7 21:40:59 2009
Return-Path:
Delivered-To: freebsd-hackers@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id E9E8B106568D for ; Wed, 7 Oct 2009 21:40:59 +0000 (UTC) (envelope-from jandrese@mitre.org)
Received: from smtp-bedford.mitre.org (smtp-bedford.mitre.org [129.83.20.191]) by mx1.freebsd.org (Postfix) with ESMTP id A53BE8FC19 for ; Wed, 7 Oct 2009 21:40:59 +0000 (UTC)
Received: from smtp-bedford.mitre.org (localhost.localdomain [127.0.0.1]) by smtp-bedford.mitre.org (8.13.1/8.13.1) with ESMTP id n97L6N97024345 for ; Wed, 7 Oct 2009 17:06:23 -0400
Received: from imchub2.MITRE.ORG (imchub2.mitre.org [129.83.29.74]) by smtp-bedford.mitre.org (8.13.1/8.13.1) with ESMTP id n97L6Nsb024342 for ; Wed, 7 Oct 2009 17:06:23 -0400
Received: from IMCMBX3.MITRE.ORG ([129.83.29.206]) by imchub2.MITRE.ORG ([129.83.29.74]) with mapi; Wed, 7 Oct 2009 17:06:23 -0400
From: "Andresen, Jason R."
To: "freebsd-hackers@freebsd.org"
Date: Wed, 7 Oct 2009 17:06:20 -0400
Thread-Topic: Distributed SSH attack
Thread-Index: AcpEzbSMFH6a26/ORperuEkLW2evogCw8AKA
Message-ID: <600C0C33850FFE49B76BDD81AED4D2580131FCB08C@IMCMBX3.MITRE.ORG>
References: <20091002201039.GA53034@flint.openpave.org> <20091003081335.GA19914@marx.net.bit> <200910032357.02207.doconnor@gsoft.com.au> <4AC85E3B.4040906@delphij.net>
In-Reply-To: <4AC85E3B.4040906@delphij.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: RE: Distributed SSH attack
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Technical Discussions relating to FreeBSD
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 07 Oct 2009 21:41:00 -0000

>-----Original Message-----
>From: owner-freebsd-hackers@freebsd.org [mailto:owner-freebsd-hackers@freebsd.org] On Behalf Of Xin LI
>Sent: Sunday, October 04, 2009 4:35 AM
>To: Daniel O'Connor
>Cc: jruohonen@iki.fi; freebsd-hackers@freebsd.org; krad
>Subject: Re: Distributed SSH attack
>
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>Daniel O'Connor wrote:
>> On Sat, 3 Oct 2009, krad wrote:
>>> simplest thing to do is disable password auth, and use key based.
>>
>> Your logs are still full of crap though.
>>
>> I find sshguard works well, and I am fairly sure you couldn't spoof a
>> valid TCP connection through pf sanitising so it would be difficult
>> (nigh-impossible?) for someone to cause you to block a legit IP.
>>
>> If you can, changing the port sshd runs on is by far the simplest work
>> around. Galling as it is to have to change stuff to work around
>> malicious assholes..
>
>Believe it or not, I find this pf.conf rule very effective to mitigate
>this type of distributed SSH botnet attack:
>
>block in quick proto tcp from any os "Linux" to any port ssh

How does that work? Does PF do some sort of OS fingerprinting on the remote side before allowing the first SYN through?

Also, if you have a mix of Linux and FreeBSD boxes, presumably this would not be a great idea, right? It's not just getting people who are faking it?

From what I've seen on this attack, it looks like the hosts just send random logins to random IP addresses constantly, so adding an IP address to a blackhole list isn't as effective because you'll be getting hits from thousands of IP addresses, but only a single hit from each. In fact it looks like this attack is specifically designed to defeat the "I'll add the attacker's IP address to a blackhole list" strategy, by coming in on a different address every time.
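An added pf.conf fragment that puts the quoted rule into context. This is example configuration, not Xin LI's ruleset and not part of the thread. pf's `os` keyword is passive fingerprinting: pf compares the TCP/IP characteristics of the incoming SYN (initial TTL, window size, TCP option layout) against the signatures in the fingerprint file, so the match is decided on the first packet without sending any probe. Two caveats the bare rule does not handle: your own Linux hosts match the same signature, so they need an explicit exemption ahead of the block, and a sender that shapes its SYN to look like another OS walks past it. The interface name, the 192.0.2.0/24 range and the table names below are assumptions for illustration.

```conf
# Example pf.conf fragment (added illustration, not from the thread).
# Interface, address range and table names are assumptions.

# Default fingerprint file on FreeBSD; the "Linux" class below comes from here.
set fingerprints "/etc/pf.os"

ext_if = "em0"

# Hosts that may always reach sshd, including your own Linux boxes that the
# os rule would otherwise refuse. Assumed range, replace with your own.
table <ssh_allow> persist { 192.0.2.0/24 }

# Filled by the overload rule at the bottom; empty it by hand with
#   pfctl -t ssh_abusers -T flush
table <ssh_abusers> persist

# 1. Known-good sources first, so nothing below can lock them out.
pass in quick on $ext_if proto tcp from <ssh_allow> to ($ext_if) port ssh

# 2. Addresses that already tripped the connection-rate limit.
block in quick on $ext_if from <ssh_abusers>

# 3. The rule from the thread: drop SYNs whose signature matches the Linux
#    entries in pf.os. Passive match on the first packet, no probe sent, and
#    a forged signature or a non-Linux bot is not caught by it.
block in quick on $ext_if proto tcp from any os "Linux" to ($ext_if) port ssh

# 4. Everyone else: stateful pass, but more than 5 new connections in 30 s
#    from one address puts it in <ssh_abusers> and kills its existing states.
#    This per-address limit does nothing against a botnet that sends one
#    attempt per address, which is why it is paired with the os rule above.
pass in on $ext_if proto tcp from any to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn-rate 5/30, overload <ssh_abusers> flush global)
```

Rule order matters because of `quick`: the first matching `quick` rule wins, so the allow list must sit above both block rules. Check what the fingerprinter thinks of a given peer before relying on it; `pfctl -s osfp` lists the loaded signature classes, and a state table entry from a known Linux test host should disappear once rule 3 is loaded.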
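The claim that per-address blacklisting buys little against this kind of attack can be checked against sshd's own log rather than eyeballed. The script below is an added example, not from the thread: it pulls the source address out of each `Failed password` line, tallies attempts per address, and computes how many attempts a "block after N failures from one address" policy would have stopped. The log lines are constructed to mimic the pattern described in the message (one attempt from each of many addresses, plus one conventional single-source brute force for contrast); the function names and the threshold of 3 are illustrative.

```shell
#!/bin/sh
# Added example (not from the thread): how much does a "block the IP after N
# failed logins" policy buy you against a distributed SSH attack?
# Run it against a real log with:  failed_attempts() { awk ... /var/log/auth.log; }

# Constructed sample of sshd auth.log lines (documentation addresses, not
# real hosts). Six addresses make one attempt each, 192.0.2.77 makes four.
SAMPLE_LOG='Oct  7 16:00:30 gw sshd[1000]: Accepted publickey for jason from 192.0.2.10 port 33001 ssh2
Oct  7 16:01:02 gw sshd[1001]: Invalid user admin from 198.51.100.10
Oct  7 16:01:03 gw sshd[1001]: Failed password for invalid user admin from 198.51.100.10 port 40211 ssh2
Oct  7 16:02:10 gw sshd[1002]: Invalid user oracle from 198.51.100.23
Oct  7 16:02:11 gw sshd[1002]: Failed password for invalid user oracle from 198.51.100.23 port 51720 ssh2
Oct  7 16:03:45 gw sshd[1003]: Failed password for root from 198.51.100.41 port 38902 ssh2
Oct  7 16:05:02 gw sshd[1004]: Failed password for invalid user test from 203.0.113.5 port 44101 ssh2
Oct  7 16:06:17 gw sshd[1005]: Failed password for invalid user guest from 203.0.113.66 port 59333 ssh2
Oct  7 16:07:50 gw sshd[1006]: Failed password for root from 203.0.113.199 port 41877 ssh2
Oct  7 16:09:00 gw sshd[1007]: Failed password for root from 192.0.2.77 port 50001 ssh2
Oct  7 16:09:02 gw sshd[1008]: Failed password for root from 192.0.2.77 port 50002 ssh2
Oct  7 16:09:04 gw sshd[1009]: Failed password for root from 192.0.2.77 port 50003 ssh2
Oct  7 16:09:06 gw sshd[1010]: Failed password for root from 192.0.2.77 port 50004 ssh2'

# One line of output per failed password attempt: the source address.
# "Invalid user" lines are skipped so an attempt is not counted twice.
failed_attempts() {
    printf '%s\n' "$SAMPLE_LOG" | awk '/sshd\[[0-9]+\]: Failed password/ {
        for (i = 1; i <= NF; i++) if ($i == "from") { print $(i + 1); break }
    }'
}

# "<count> <address>", busiest address first.
attempts_per_ip() {
    failed_attempts | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# How many source addresses were seen exactly once.
singleton_ips() {
    failed_attempts | sort | uniq -c | awk '$1 == 1 { c++ } END { print c + 0 }'
}

# Attempts a "block after N failures per address" policy would have stopped,
# as "blocked/total". An address contributes max(0, attempts - N).
blocked_by_threshold() {
    n="$1"
    failed_attempts | sort | uniq -c | awk -v n="$n" '
        { total += $1; if ($1 > n) blocked += $1 - n }
        END { printf "%d/%d\n", blocked, total }'
}

printf 'attempts per address:\n'
attempts_per_ip
printf 'addresses seen only once: %s\n' "$(singleton_ips)"
printf 'attempts stopped by block-after-3 policy: %s\n' "$(blocked_by_threshold 3)"
```

On the sample, the policy stops 1 of 10 attempts, and the one it stops is the old-style single-source brute force; the six distributed attempts are each the first and last contact from their address, so no per-address threshold can ever fire on them. Running the same tally over a real log is a quick way to tell which kind of attack you are seeing before choosing between an address-based tool like sshguard and a signature-based rule like the one quoted above.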