From owner-freebsd-hackers@FreeBSD.ORG  Wed Oct  7 21:40:59 2009
Return-Path: <owner-freebsd-hackers@FreeBSD.ORG>
Delivered-To: freebsd-hackers@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id E9E8B106568D
	for <freebsd-hackers@freebsd.org>; Wed,  7 Oct 2009 21:40:59 +0000 (UTC)
	(envelope-from jandrese@mitre.org)
Received: from smtp-bedford.mitre.org (smtp-bedford.mitre.org [129.83.20.191])
	by mx1.freebsd.org (Postfix) with ESMTP id A53BE8FC19
	for <freebsd-hackers@freebsd.org>; Wed,  7 Oct 2009 21:40:59 +0000 (UTC)
Received: from smtp-bedford.mitre.org (localhost.localdomain [127.0.0.1])
	by smtp-bedford.mitre.org (8.13.1/8.13.1) with ESMTP id n97L6N97024345
	for <freebsd-hackers@freebsd.org>; Wed, 7 Oct 2009 17:06:23 -0400
Received: from imchub2.MITRE.ORG (imchub2.mitre.org [129.83.29.74])
	by smtp-bedford.mitre.org (8.13.1/8.13.1) with ESMTP id n97L6Nsb024342
	for <freebsd-hackers@freebsd.org>; Wed, 7 Oct 2009 17:06:23 -0400
Received: from IMCMBX3.MITRE.ORG ([129.83.29.206]) by imchub2.MITRE.ORG
	([129.83.29.74]) with mapi; Wed, 7 Oct 2009 17:06:23 -0400
From: "Andresen, Jason R." <jandrese@mitre.org>
To: "freebsd-hackers@freebsd.org" <freebsd-hackers@freebsd.org>
Date: Wed, 7 Oct 2009 17:06:20 -0400
Thread-Topic: Distributed SSH attack
Thread-Index: AcpEzbSMFH6a26/ORperuEkLW2evogCw8AKA
Message-ID: <600C0C33850FFE49B76BDD81AED4D2580131FCB08C@IMCMBX3.MITRE.ORG>
References: <20091002201039.GA53034@flint.openpave.org>
	<20091003081335.GA19914@marx.net.bit>
	<d36406630910030303j2e88046epa30f2a76b9ae1507@mail.gmail.com>
	<200910032357.02207.doconnor@gsoft.com.au>
	<4AC85E3B.4040906@delphij.net>
In-Reply-To: <4AC85E3B.4040906@delphij.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: RE: Distributed SSH attack
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Technical Discussions relating to FreeBSD
	<freebsd-hackers.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-hackers>, 
	<mailto:freebsd-hackers-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-hackers>
List-Post: <mailto:freebsd-hackers@freebsd.org>
List-Help: <mailto:freebsd-hackers-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-hackers>,
	<mailto:freebsd-hackers-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Oct 2009 21:41:00 -0000

>-----Original Message-----
>From: owner-freebsd-hackers@freebsd.org [mailto:owner-freebsd-
>hackers@freebsd.org] On Behalf Of Xin LI
>Sent: Sunday, October 04, 2009 4:35 AM
>To: Daniel O'Connor
>Cc: jruohonen@iki.fi; freebsd-hackers@freebsd.org; krad
>Subject: Re: Distributed SSH attack
>
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>Daniel O'Connor wrote:
>> On Sat, 3 Oct 2009, krad wrote:
>>> simplest thing to do is disable password auth, and use key based.
>>
>> Your logs are still full of crap though.
>>
>> I find sshguard works well, and I am fairly sure you couldn't spoof a
>> valid TCP connection through pf sanitising so it would be difficult
>> (nigh-impossible?) for someone to cause you to block a legit IP.
>>
>> If you can, changing the port sshd runs on is by far the simplest work
>> around. Galling as it is to have to change stuff to work around
>> malicious assholes..
>
>Believe it or not, I find this pf.conf rule very effective to mitigate
>this type of distributed SSH botnet attack:
>
>block in quick proto tcp from any os "Linux" to any port ssh

How does that work?  Does PF do some sort of OS fingerprinting on the remote side before allowing the first SYN through?

Also, if you have a mix of Linux and FreeBSD boxes, presumably this would not be a great idea, right?  It's not just getting people who are faking it?

From what I've seen on this attack, it looks like the hosts just send random logins to random IP addresses constantly, so adding an IP address to a blackhole list isn't as effective because you'll be getting hits from thousands of IP addresses, but only a single hit.  In fact it looks like this attack is specifically designed to defeat the "I'll add the attacker's IP address to a black hole list" strategy, by coming in on a different address every time.
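As an added example, not from this thread or any of its posters, the following Python check runs over a few constructed sshd log lines and shows the effect Jason describes: a per-address failure threshold, as a blacklisting daemon applies it, catches only the single noisy host, while the one-attempt-per-address failures of a distributed run pass untouched, and only an aggregate view across all sources makes them visible. (For the pf question: the `os` keyword matches the passive fingerprint of the incoming SYN against the signatures in pf.os, so it does classify the peer before state is created; the example below does not model that and looks only at the authentication log.) Host name, process ids and addresses (RFC 5737 documentation ranges) are constructed; the threshold of 5 is an assumed value, not taken from any tool's default.

```python
import re
from collections import Counter

# Constructed sample sshd lines in FreeBSD syslog style. Addresses are from
# documentation ranges and do not refer to any real host.
SAMPLE_LOG = """\
Oct  7 17:01:02 gw sshd[4101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Oct  7 17:01:09 gw sshd[4103]: Failed password for invalid user oracle from 198.51.100.17 port 40211 ssh2
Oct  7 17:01:15 gw sshd[4107]: Failed password for root from 203.0.113.77 port 33120 ssh2
Oct  7 17:01:21 gw sshd[4110]: Failed password for invalid user test from 198.51.100.201 port 52001 ssh2
Oct  7 17:01:30 gw sshd[4112]: Failed password for invalid user guest from 203.0.113.140 port 47722 ssh2
Oct  7 17:01:44 gw sshd[4115]: Accepted publickey for jason from 192.0.2.10 port 50111 ssh2
Oct  7 17:02:01 gw sshd[4120]: Failed password for root from 192.0.2.99 port 60001 ssh2
Oct  7 17:02:03 gw sshd[4121]: Failed password for root from 192.0.2.99 port 60002 ssh2
Oct  7 17:02:05 gw sshd[4122]: Failed password for root from 192.0.2.99 port 60003 ssh2
Oct  7 17:02:07 gw sshd[4123]: Failed password for root from 192.0.2.99 port 60004 ssh2
Oct  7 17:02:09 gw sshd[4124]: Failed password for root from 192.0.2.99 port 60005 ssh2
Oct  7 17:02:30 gw sshd[4130]: Failed password for invalid user mysql from 198.51.100.66 port 41234 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ...".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9.]+) port \d+"
)


def parse_failures(log_text):
    """Return a list of (user, source_ip) tuples, one per failed password attempt."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            events.append((m.group("user"), m.group("ip")))
    return events


def per_ip_blocklist(events, threshold=5):
    """Per-source blocking as a blacklisting daemon does it: an address is
    listed only once that address alone reaches `threshold` failures
    (threshold is an assumed value for the example)."""
    counts = Counter(ip for _, ip in events)
    return {ip for ip, n in counts.items() if n >= threshold}


def distributed_summary(events, threshold=5):
    """Aggregate view across all sources. A distributed run shows up as many
    failures spread over many addresses, most of them contributing one hit."""
    counts = Counter(ip for _, ip in events)
    blocked = per_ip_blocklist(events, threshold)
    escaping = [ip for ip in counts if ip not in blocked]
    return {
        "total_failures": sum(counts.values()),
        "unique_sources": len(counts),
        "max_per_source": max(counts.values()) if counts else 0,
        "single_hit_sources": sum(1 for n in counts.values() if n == 1),
        "blocked_by_per_ip_rule": sorted(blocked),
        "failures_escaping_per_ip_rule": sum(counts[ip] for ip in escaping),
    }


def looks_distributed(summary, min_single_hit_sources=5):
    """Heuristic a per-IP rule cannot express: alert when many distinct
    sources each fail exactly once within the examined window."""
    return summary["single_hit_sources"] >= min_single_hit_sources


if __name__ == "__main__":
    summary = distributed_summary(parse_failures(SAMPLE_LOG))
    for key, value in summary.items():
        print(f"{key}: {value}")
    print("distributed pattern:", looks_distributed(summary))
```

On the sample, the per-IP rule blocks only 192.0.2.99 and six failures from six different addresses go unblocked; `looks_distributed` flags that pattern. In practice the window would be the log lines of the last few minutes rather than a whole file, and the aggregate signal is what you would feed to an alert, not a blocklist, since the addresses involved are not worth blocking one by one.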