Date:      Sun, 19 Sep 2004 00:25:51 +0200
From:      Willem Jan Withagen <wjw@withagen.nl>
To:        "David D.W. Downey" <david.downey@gmail.com>
Cc:        "freebsd-security@FreeBSD.ORG" <freebsd-security@freebsd.org>
Subject:   Re: Attacks on ssh port
Message-ID:  <414CB5EF.7080901@withagen.nl>
In-Reply-To: <6917b781040918150446b7dada@mail.gmail.com>
References:  <414C2798.7060509@withagen.nl> <6917b781040918103077c76f0c@mail.gmail.com>	 <414CAC56.8020601@withagen.nl> <6917b781040918150446b7dada@mail.gmail.com>

David D.W. Downey wrote:

>> OK, was a simple suggestion. (no derogatory tone meant).
>
I'm sorry. No intentions to put you down. The suggestions you made are 
very valid.
And a lot of them were already in place. Please attribute it to being 
non-native English.

>> I will say
>> this much. adding each individual host that scans your machine
>> instantly to your firewall WILL end up killing your machine due to
>> lookups if this is in place during any large scan or direct port
>> attacks.
>
I also have portsentry in a rather sensitive mode doing exactly the same 
thing.
Trigger one of the "backdoor" ports, and you're out of my game.

>> I do think you're being overly concerned about your log entries since
>> this is *exactly* what the system is *supposed* to do, log the entries
>> for further use by the admin if needed. There is no signal to noise
>> reduction gained, since what you consider noise is what the system is
>> *designed* to do. If you want to reduce the number of entries then
>> reduce the # of entries it logs (aka when you enable the verbose_limit
>> count it won't log any more than that number of attempts from a host.
>> So set it to 2 or even 1 (i would suggest 2 so you only get what
>> should be considered a bona fide failure) )
>
True, and perhaps even more true. BUT since I've now concluded that 
there are script-kiddies trying ssh-breakins ad nauseam, this logging 
gets a totally different meaning. I don't need to see these specific 
warnings myself anymore; it is a full indication of a host that is no 
longer under his master's control. So instead of waiting to see if the 
attacks get any smarter, just deny full access. Blunt but effective.

Note that this is on a server of one of my customers. And having seen 
the havoc of previously hacked systems of the ISP where I worked, I 
prefer to be a little more safe. The only reason that this would kill my 
machine, is when the list of IP-numbers gets so large that it keeps the 
system from doing anything else any more. But it has not come this far 
yet, Moore's law outpaces this problem by far.

>> If you want to enable firewalling based on that information then
>> you're going to have to write a custom script to cull the information
>> from the logfiles or enable some ports NIDs, or 3rd party NIDS to do
>> this for you. (Such as maybe portsentry and hostsentry for a basic
>> choice option set)
>
I used to run one such tool, but found it just a little bit too 
inaccurate to actually trust for this job. Remember that you do not 
have the time to turn over the logfile at midnight, and then start 
blocking ip-numbers. It has to be done at first sight of a possible 
attempt to break into the system. But perhaps I'll start running that again.

--WjW
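As an added example (not code from this thread, nor from either poster), here is the kind of "block at first sight" log watcher the exchange above describes: it reads sshd log lines as they arrive (for instance from `tail -F /var/log/auth.log`), counts failed logins per source address, and the moment an address reaches the threshold (2, the value David suggests for a bona fide failure) it emits an `ipfw table N add` command so one `deny` rule referencing `table(N)` does the blocking. Using an ipfw lookup table rather than one rule per host is what keeps a very long block list from slowing packet processing, which is the concern raised in the thread. The log line format, the table number 1, the whitelist and the sample log lines are assumptions constructed for this example; nothing is executed unless `--apply` is given.

```python
#!/usr/bin/env python3
"""Added example: block ssh brute-force sources at first sight via an ipfw table.

Usage (dry run prints the commands):   tail -F /var/log/auth.log | python3 sshblock.py
Usage (really block, as root):         tail -F /var/log/auth.log | python3 sshblock.py --apply
Assumes a rule such as  ipfw add 100 deny tcp from 'table(1)' to me 22  is already installed
(rule number and table number are assumptions, not from the thread).
"""
import re
import subprocess
import sys
from collections import defaultdict

# Matches the failed-login lines FreeBSD's sshd of that era wrote; both the older
# "illegal user" and the newer "invalid user" wording are accepted (assumed format).
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed (?:password|publickey) for (?:(?:illegal|invalid) user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sample log lines (not from the original message).
SAMPLE_LOG = """\
Sep 18 22:01:03 gw sshd[4711]: Failed password for illegal user test from 192.0.2.5 port 34567 ssh2
Sep 18 22:01:05 gw sshd[4711]: Failed password for illegal user admin from 192.0.2.5 port 34568 ssh2
Sep 18 22:01:07 gw sshd[4712]: Failed password for root from 192.0.2.5 port 34569 ssh2
Sep 18 22:03:11 gw sshd[4720]: Failed password for wjw from 198.51.100.7 port 2200 ssh2
Sep 18 22:03:40 gw sshd[4721]: Accepted password for wjw from 198.51.100.7 port 2201 ssh2
Sep 18 22:05:00 gw sshd[4730]: Failed password for invalid user oracle from 203.0.113.9 port 1025 ssh2
Sep 18 22:05:01 gw sshd[4731]: Failed password for invalid user oracle from 203.0.113.9 port 1026 ssh2
"""


def count_failures(lines):
    """Return {ip: number of failed sshd logins} over the given log lines."""
    counts = defaultdict(int)
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return dict(counts)


def watch(lines, threshold=2, whitelist=()):
    """Yield each source address exactly once, the moment it reaches `threshold`
    failed logins. Works on a live stream, so the decision is made at first sight
    rather than at midnight log rotation. Whitelisted addresses (the admin's own
    networks, an assumed safety net) are never yielded."""
    counts = defaultdict(int)
    blocked = set()
    for line in lines:
        m = FAILED_RE.search(line)
        if not m:
            continue
        ip = m.group("ip")
        if ip in whitelist or ip in blocked:
            continue
        counts[ip] += 1
        if counts[ip] >= threshold:
            blocked.add(ip)
            yield ip


def ipfw_commands(ips, table=1):
    """ipfw invocations that add each address to lookup table `table`.
    The single deny rule that references table(1) costs one lookup per packet,
    however many addresses the table holds."""
    return [["ipfw", "table", str(table), "add", ip] for ip in ips]


def block(ips, table=1, run=subprocess.run):
    """Execute the block commands; `run` is injectable so it can be stubbed offline.
    Returns the list of commands that were run."""
    done = []
    for cmd in ipfw_commands(ips, table):
        run(cmd, check=True)
        done.append(cmd)
    return done


if __name__ == "__main__":
    apply = "--apply" in sys.argv
    # Read from a pipe when one is attached, otherwise fall back to the sample log.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    for offender in watch(source, threshold=2, whitelist=("198.51.100.7",)):
        if apply:
            block([offender])
        else:
            print(" ".join(ipfw_commands([offender])[0]))
```

Because `watch` is a generator over an iterable of lines, feeding it `sys.stdin` from `tail -F` blocks an address within a second of its second failure, and the in-memory `blocked` set means a host that keeps hammering after being tabled generates no further `ipfw` calls.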
