Date: Sun, 19 Sep 2004 00:25:51 +0200
From: Willem Jan Withagen <wjw@withagen.nl>
To: "David D.W. Downey" <david.downey@gmail.com>
Cc: "freebsd-security@FreeBSD.ORG" <freebsd-security@freebsd.org>
Subject: Re: Attacks on ssh port
Message-ID: <414CB5EF.7080901@withagen.nl>
In-Reply-To: <6917b781040918150446b7dada@mail.gmail.com>
References: <414C2798.7060509@withagen.nl> <6917b781040918103077c76f0c@mail.gmail.com> <414CAC56.8020601@withagen.nl> <6917b781040918150446b7dada@mail.gmail.com>
David D.W. Downey wrote:

> OK, was a simple suggestion. (no derogatory tone meant).

I'm sorry. No intentions to put you down. The suggestions you made are very valid. And a lot of them were already in place. Please attribute it to being a non-native English speaker.

> I will say this much. Adding each individual host that scans your machine instantly to your firewall WILL end up killing your machine due to lookups if this is in place during any large scan or direct port attacks.

I also have portsentry in a rather sensitive mode doing exactly the same thing. Trigger one of the "backdoor" ports, and you're out of my game.

> I do think you're being overly concerned about your log entries since this is *exactly* what the system is *supposed* to do, log the entries for further use by the admin if needed. There is no signal to noise reduction gained, since what you consider noise is what the system is *designed* to do. If you want to reduce the number of entries then reduce the # of entries it logs (aka when you enable the verbose_limit count it won't log any more than that number of attempts from a host. So set it to 2 or even 1 (I would suggest 2 so you only get what should be considered a bona fide failure)).

True, and perhaps even more true. BUT since I've now concluded that there are script-kiddies trying ssh break-ins ad nauseam, this logging gets a totally different meaning. I don't need to see these specific warnings myself anymore; it is a full indication of a host that is no longer under its master's control. So instead of waiting to see if the attacks get any smarter, just deny full access. Blunt but effective. Note that this is on a server of one of my customers. And having seen the havoc of previously hacked systems of the ISP where I worked, I prefer to be a little more safe.

The only reason that this would kill my machine is when the list of IP-numbers gets so large that it keeps the system from doing anything else any more. But it has not come this far yet; Moore's law outpaces this problem by far.

> If you want to enable firewalling based on that information then you're going to have to write a custom script to cull the information from the logfiles or enable some ports NIDS, or 3rd party NIDS to do this for you. (Such as maybe portsentry and hostsentry for a basic choice option set)

I used to run one such tool, but found it just a little bit too inaccurate to actually trust for this job. Remember that you do not have the time to turn over the logfile at midnight and then start blocking IP-numbers. It has to be done at first sight of a possible attempt to break into the system. But perhaps I'll start running that again.

--WjW
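The "custom script to cull the information from the logfiles" that the thread talks around, as an added illustration that is not part of the original exchange or of either author's setup: it counts sshd "Failed password" lines per source address over constructed sample log lines, applies the threshold of 2 that David suggests, and caps the block list so it cannot grow without bound (the concern Willem raises). The `ipfw table` command form is an assumption about the firewall in use, not something the thread states.

```python
import re
from collections import Counter

# Constructed sample sshd log lines (not taken from the original thread).
SAMPLE_LOG = """\
Sep 18 23:59:01 host sshd[812]: Failed password for illegal user admin from 192.0.2.10 port 4120 ssh2
Sep 18 23:59:03 host sshd[813]: Failed password for illegal user test from 192.0.2.10 port 4133 ssh2
Sep 18 23:59:04 host sshd[814]: Failed password for root from 192.0.2.10 port 4140 ssh2
Sep 18 23:59:30 host sshd[820]: Failed password for wjw from 198.51.100.7 port 50212 ssh2
Sep 18 23:59:45 host sshd[821]: Accepted publickey for wjw from 198.51.100.7 port 50213 ssh2
Sep 19 00:01:10 host sshd[830]: Failed password for illegal user oracle from 203.0.113.5 port 2201 ssh2
Sep 19 00:01:11 host sshd[831]: Failed password for illegal user guest from 203.0.113.5 port 2202 ssh2
"""

# Matches the OpenSSH "Failed password" message; group 1 is the user, group 2 the source IPv4.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:illegal user )?(\S+) from (\d+\.\d+\.\d+\.\d+)"
)


def failures_per_host(log_text):
    """Count failed password attempts per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return counts


def hosts_to_block(log_text, threshold=2, max_entries=1000):
    """Hosts with at least `threshold` failures, capped at `max_entries` entries.

    A single failure (a mistyped password by a legitimate user) stays below the
    threshold; the cap keeps the block list from growing unboundedly.
    """
    counts = failures_per_host(log_text)
    offenders = sorted(h for h, n in counts.items() if n >= threshold)
    return offenders[:max_entries]


def ipfw_commands(hosts, table=1):
    """Render block-list entries as ipfw table additions (assumed syntax)."""
    return [f"ipfw table {table} add {h}" for h in hosts]


if __name__ == "__main__":
    for cmd in ipfw_commands(hosts_to_block(SAMPLE_LOG)):
        print(cmd)
```

The host with one failure followed by a successful public-key login is left alone; a deny rule referencing the table would then be needed on the firewall side, which the thread leaves to the reader.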