Date:      Sat, 18 Sep 2004 18:04:45 -0400
From:      "David D.W. Downey" <david.downey@gmail.com>
To:        Willem Jan Withagen <wjw@withagen.nl>
Cc:        "freebsd-security@FreeBSD.ORG" <freebsd-security@freebsd.org>
Subject:   Re: Attacks on ssh port
Message-ID:  <6917b781040918150446b7dada@mail.gmail.com>
In-Reply-To: <414CAC56.8020601@withagen.nl>
References:  <414C2798.7060509@withagen.nl> <6917b781040918103077c76f0c@mail.gmail.com> <414CAC56.8020601@withagen.nl>

> >On Sat, 18 Sep 2004 14:18:32 +0200, Willem Jan Withagen <wjw@withagen.nl> wrote:
> It is not about all this. I know these, and I use them if appropriate.
> (Come to think of it, I was one of the first externals to test Wietse
> Venema's TCP-wrapper.)
> 
> Once I have identified the nature and quality of  this type of problem,
> I want to deal with it in such a way that it is no longer a bother. And
> in this particular case these records are clogging my login error
> records. And because of that I just might miss out on the one or two
> that do matter. You might want to call it noise-reduction, and I'm
> looking for a as large as possible Signal/Noise ratio.
> So that is why I would like to be able to throw root/ssh login attempts
> directly in the garbage and kill the host where these are coming from
> with a records in my firewall.
> 

OK, it was a simple suggestion (no derogatory tone meant). I will say
this much: adding each individual host that scans your machine
instantly to your firewall WILL end up killing your machine due to
lookups if this is in place during any large scan or direct port
attacks.

I do think you're being overly concerned about your log entries, since
this is *exactly* what the system is *supposed* to do: log the entries
for further use by the admin if needed. There is no signal-to-noise
reduction gained, since what you consider noise is what the system is
*designed* to do. If you want to reduce the number of entries, then
reduce the number of entries it logs (i.e. when you enable the
verbose_limit count it won't log any more than that number of attempts
from a host, so set it to 2 or even 1; I would suggest 2 so you only
get what should be considered a bona fide failure).

If you want to enable firewalling based on that information then
you're going to have to write a custom script to cull the information
from the logfiles, or enable a NIDS from ports or a 3rd-party NIDS to do
this for you (such as maybe portsentry and hostsentry for a basic
option set).

Hopefully this helps.

-- 
David D.W. Downey
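A sketch of the "custom script to cull the information from the logfiles" that David describes, as an added example that is not part of the thread and not code from either correspondent. It parses sshd "Failed password" lines, counts failures per source host, applies a threshold (David's "2 or even 1"), keeps a safelist so a typo from your own workstation cannot lock you out, and renders ipfw table commands rather than one deny rule per host. The log lines are constructed samples in the syslog format sshd writes to /var/log/auth.log; the table number (1) and the assumption that a rule like `ipfw add deny tcp from 'table(1)' to me 22` is already installed are mine, not the list's.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of sshd syslog lines (not taken from the thread).
SAMPLE_LOG = """\
Sep 18 14:02:11 host sshd[1201]: Failed password for root from 192.0.2.10 port 40122 ssh2
Sep 18 14:02:13 host sshd[1203]: Failed password for root from 192.0.2.10 port 40125 ssh2
Sep 18 14:02:15 host sshd[1205]: Failed password for root from 192.0.2.10 port 40130 ssh2
Sep 18 14:03:40 host sshd[1210]: Failed password for wjw from 198.51.100.7 port 51002 ssh2
Sep 18 14:05:02 host sshd[1214]: Failed password for root from 203.0.113.5 port 39001 ssh2
Sep 18 14:05:09 host sshd[1216]: Accepted publickey for wjw from 198.51.100.7 port 51010 ssh2
Sep 18 14:06:00 host sshd[1220]: Failed password for illegal user test from 192.0.2.10 port 40140 ssh2
"""

# Matches both "Failed password for root from ..." and the
# "illegal user"/"invalid user" variants OpenSSH logs for unknown accounts.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:illegal user |invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failures(log_text):
    """Return a (user, ip) pair for every failed-password line; other lines are ignored."""
    found = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            found.append((m.group("user"), m.group("ip")))
    return found


def failures_per_host(log_text):
    """Count failed attempts by source address."""
    return Counter(ip for _, ip in parse_failures(log_text))


def root_attempt_sources(log_text):
    """Hosts that tried to log in as root at all, regardless of how many times."""
    return sorted({ip for user, ip in parse_failures(log_text) if user == "root"})


def offenders(log_text, threshold=2, safelist=()):
    """Hosts with at least `threshold` failures, excluding safelisted addresses.

    The safelist guards against blocking your own management hosts; the
    threshold is the "2 or even 1" David suggests.
    """
    safe = {ipaddress.ip_address(s) for s in safelist}
    out = []
    for ip, count in failures_per_host(log_text).items():
        addr = ipaddress.ip_address(ip)  # raises ValueError on anything that is not an address
        if count >= threshold and addr not in safe:
            out.append(ip)
    return sorted(out)


def firewall_commands(ips, table=1):
    """Render ipfw table commands (returned as strings, not executed).

    Assumption: a rule such as  ipfw add deny tcp from 'table(1)' to me 22
    is already installed, so adding to the table blocks the host without
    growing the rule chain.
    """
    cmds = []
    for ip in ips:
        ipaddress.ip_address(ip)  # never build a shell command from unvalidated text
        cmds.append(f"ipfw table {table} add {ip}")
    return cmds


if __name__ == "__main__":
    for cmd in firewall_commands(offenders(SAMPLE_LOG, threshold=2)):
        print(cmd)
```

Using an ipfw table (a radix-tree lookup) instead of one deny rule per address is what keeps the per-packet cost flat when hundreds of scanners show up at once, which is the "killing your machine due to lookups" concern above. Whether to block on the first root attempt or only after the threshold is a policy choice; `root_attempt_sources` gives you the list either way.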
