Date: Sat, 18 Sep 2004 18:04:45 -0400
From: "David D.W. Downey" <david.downey@gmail.com>
To: Willem Jan Withagen <wjw@withagen.nl>
Cc: "freebsd-security@FreeBSD.ORG" <freebsd-security@freebsd.org>
Subject: Re: Attacks on ssh port
Message-ID: <6917b781040918150446b7dada@mail.gmail.com>
In-Reply-To: <414CAC56.8020601@withagen.nl>
References: <414C2798.7060509@withagen.nl> <6917b781040918103077c76f0c@mail.gmail.com> <414CAC56.8020601@withagen.nl>
On Sat, 18 Sep 2004 14:18:32 +0200, Willem Jan Withagen <wjw@withagen.nl> wrote:
> It is not about all this. I know these, and I use them if appropriate.
> (Come to think of it, I was one of the first externals to test Wietse
> Venema's TCP-wrapper.)
>
> Once I have identified the nature and quality of this type of problem,
> I want to deal with it in such a way that it is no longer a bother. And
> in this particular case these records are clogging my login error
> records. And because of that I just might miss out on the one or two
> that do matter. You might want to call it noise-reduction, and I'm
> looking for as large as possible a Signal/Noise ratio.
> So that is why I would like to be able to throw root/ssh login attempts
> directly in the garbage and kill the host where these are coming from
> with a record in my firewall.

OK, it was a simple suggestion. (No derogatory tone meant.)

I will say this much. Adding each individual host that scans your machine
instantly to your firewall WILL end up killing your machine due to lookups if
this is in place during any large scan or direct port attacks.

I do think you're being overly concerned about your log entries, since this is
*exactly* what the system is *supposed* to do: log the entries for further use
by the admin if needed. There is no signal-to-noise reduction gained, since what
you consider noise is what the system is *designed* to do. If you want to reduce
the number of entries, then reduce the number of entries it logs (aka when you
enable the verbose_limit count it won't log any more than that number of
attempts from a host, so set it to 2 or even 1; I would suggest 2 so you only
get what should be considered a bona fide failure).

If you want to enable firewalling based on that information, then you're going
to have to write a custom script to cull the information from the logfiles, or
enable some ports NIDS or 3rd-party NIDS to do this for you (such as maybe
portsentry and hostsentry for a basic choice option set).

Hopefully this helps.

-- 
David D.W. Downey
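The reply above suggests culling the sshd log rather than reacting to every entry. The script below is an added example, not code from this thread or from any FreeBSD port: it reduces a stream of sshd auth lines to one count per source host of failed root logins and lists only the sources that reach a threshold, giving the admin a short review list instead of an instant firewall rule per host (the concern raised above). The log lines are constructed samples in the OpenSSH syslog format, and the threshold of 2 is an assumption taken from the suggestion in the reply.

```shell
#!/bin/sh
# Added example: summarise failed root/ssh logins per source host from sshd
# syslog lines. Sample lines below are constructed for this example; the
# "Failed password for root from <host> port <n>" shape is OpenSSH's own.

SAMPLE_LOG='Sep 18 14:01:02 host sshd[1234]: Failed password for root from 192.0.2.10 port 4000 ssh2
Sep 18 14:01:03 host sshd[1234]: Failed password for root from 192.0.2.10 port 4001 ssh2
Sep 18 14:01:04 host sshd[1235]: Failed password for invalid user admin from 192.0.2.10 port 4002 ssh2
Sep 18 14:02:00 host sshd[1240]: Failed password for root from 198.51.100.7 port 5000 ssh2
Sep 18 14:03:00 host sshd[1250]: Accepted publickey for wjw from 203.0.113.5 port 6000 ssh2
Sep 18 14:04:00 host sshd[1260]: Failed password for wjw from 203.0.113.5 port 6001 ssh2'

# count_root_failures: read log text on stdin, print "<count> <host>" for each
# source that produced a failed root login, highest count first. Only lines
# that are literally root failures are counted, so "invalid user" probes and
# non-root failures stay out of this particular summary.
count_root_failures() {
    awk '/sshd\[[0-9]+\]: Failed password for root from / {
            for (i = 1; i <= NF; i++) if ($i == "from") { c[$(i+1)]++; break }
         }
         END { for (h in c) print c[h], h }' | sort -rn
}

# hosts_over_threshold THRESHOLD: read log text on stdin, print only the
# sources whose root-failure count reaches THRESHOLD (assumed default 2),
# i.e. the handful of entries worth a closer look rather than stray attempts.
hosts_over_threshold() {
    threshold="${1:-2}"
    count_root_failures | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Stand-alone usage: summarise the constructed sample, then apply the threshold.
printf '%s\n' "$SAMPLE_LOG" | count_root_failures
printf '%s\n' "$SAMPLE_LOG" | hosts_over_threshold 2
```

In practice the log text would come from `grep sshd /var/log/auth.log` (or wherever syslog sends sshd's auth facility on the host) rather than from the embedded sample, and the threshold output is what an admin reviews before deciding on any firewall change.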