Hey all I am getting tired of seeing the following popping up every day (with various IPs) on my log server.
* ROOT FAILURES
jasper ssh2(pw) @221.143.156.58(3)
* User Failures
admin ssh2(pw) jasper(2)
andrew ssh2(pw) jasper(1)
angel ssh2(pw) jasper(1)
barbara ssh2(pw) jasper(1)
ben ssh2(pw) jasper(1)
betty ssh2(pw) jasper(1)
billy ssh2(pw) jasper(1)
black ssh2(pw) jasper(1)
blue ssh2(pw) jasper(1)
brandon ssh2(pw) jasper(1)
brian ssh2(pw) jasper(1)
buddy ssh2(pw) jasper(1)
carmen ssh2(pw) jasper(1)
charlie ssh2(pw) jasper(1)
daniel ssh2(pw) jasper(1)
david ssh2(pw) jasper(1)
dog ssh2(pw) jasper(1)
emily ssh2(pw) jasper(1)
eric ssh2(pw) jasper(1)
god ssh2(pw) jasper(1)
green ssh2(pw) jasper(1)
guest ssh2(pw) jasper(1)
henry ssh2(pw) jasper(1)
jane ssh2(pw) jasper(1)
jason ssh2(pw) jasper(1)
jeremy ssh2(pw) jasper(1)
joe ssh2(pw) jasper(1)
johnny ssh2(pw) jasper(1)
jordan ssh2(pw) jasper(1)
justin ssh2(pw) jasper(1)
larisa ssh2(pw) jasper(1)
lion ssh2(pw) jasper(1)
lp ssh2(pw) jasper(1)
lucy ssh2(pw) jasper(1)
magic ssh2(pw) jasper(1)
mail ssh2(pw) jasper(1)
maria ssh2(pw) jasper(1)
market ssh2(pw) jasper(1)
matthew ssh2(pw) jasper(1)
max ssh2(pw) jasper(1)
michael ssh2(pw) jasper(1)
nathan ssh2(pw) jasper(1)
nicholas ssh2(pw) jasper(1)
nicole ssh2(pw) jasper(1)
operator ssh2(pw) jasper(1)
pub ssh2(pw) jasper(1)
red ssh2(pw) jasper(1)
robin ssh2(pw) jasper(1)
rose ssh2(pw) jasper(1)
shell ssh2(pw) jasper(1)
stephen ssh2(pw) jasper(1)
steven ssh2(pw) jasper(1)
system ssh2(pw) jasper(1)
test ssh2(pw) jasper(2)
tom ssh2(pw) jasper(1)
user ssh2(pw) jasper(1)
vampire ssh2(pw) jasper(1)
william ssh2(pw) jasper(1)
yellow ssh2(pw) jasper(1)

Just script kiddies most probably. Plus, we use public/private keys on "jasper" so it's not like people are going to get in that way. However, having the port wide open does give the possibility that a bug in the SSH daemon (if one pops up) could open the door for a hacker to get in. Further, "jasper" is the only machine that is externally accessible via SSH (the only other open ports are domain, web and mail on other servers).
I need to leave SSH open as a number of people work remotely and tunnel through it to some of the services on the internal network. Additionally, we are about to set up a system to run a VPN between our office and some contractors. I would like that box's IP to appear offline/completely closed (until required) as well. To sum up, apart from web, mail and domain (to specific servers), I would much prefer that every port appear closed.

To achieve this, I would like to implement port knocking on the gateway firewall (runs OBSD 3.4 and pf). For those unfamiliar with the technique, it is like knocking a certain pattern/code on a door to open it. Here, you fire connections at a server on designated ports to instruct the firewall to open a port. So, if the firewall detects a connection on ports 14289, 32883, 1234 and 3428 (in that order), port 22 is opened for the relevant IP address.

Has anyone heard of anyone working on a portknocking daemon for OBSD/pf? There are a couple of basic setups over at www.portknocking.org but thought I would check here before attempting a port. If no work has begun, I think I will take the perl prototype script they have at portknocking.org and see what I can do for pf. I would imagine I will have to set up anchors in pf which I haven't done yet but am sure I will get my head around it. Any pointers would be appreciated! :)

I will also need to write a windows util to do the knocking for the contractors - can Perl run on a Windows machine or will I have to dust off my C compiler? :)

Andrew
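The per-source state machine a knock daemon needs for the sequence described in the post (14289, 32883, 1234, 3428 in order, then open 22 for that source), written as an added example rather than the portknocking.org prototype or anything from the OpenBSD project. It assumes a time window for completing the sequence, a reset when a source sends a wrong port, and that the action on success (e.g. adding the source to a pf table) is supplied by the caller; the traffic it replays is constructed.

```python
"""Port-knock sequence tracker (added example; not code from the post or pf)."""
from typing import Callable, Dict, List, Optional, Tuple

KNOCK_SEQUENCE = [14289, 32883, 1234, 3428]   # order given in the post
KNOCK_WINDOW = 10.0   # assumed: seconds allowed from first knock to last


class KnockTracker:
    def __init__(self, sequence: List[int] = KNOCK_SEQUENCE, window: float = KNOCK_WINDOW,
                 on_success: Optional[Callable[[str], None]] = None) -> None:
        self.sequence, self.window, self.on_success = list(sequence), window, on_success
        # src_ip -> (index of the next expected port, timestamp of the first knock)
        self.progress: Dict[str, Tuple[int, float]] = {}

    def observe(self, ts: float, src_ip: str, dst_port: int) -> bool:
        """Feed one inbound connection attempt. True when it completes the sequence."""
        idx, started = self.progress.get(src_ip, (0, ts))
        if idx > 0 and ts - started > self.window:
            idx, started = 0, ts            # stale attempt: start over
        if dst_port != self.sequence[idx]:
            # Wrong port resets progress; a correct first knock may begin a new attempt.
            if dst_port == self.sequence[0]:
                self.progress[src_ip] = (1, ts)
            else:
                self.progress.pop(src_ip, None)
            return False
        idx += 1
        if idx == len(self.sequence):
            self.progress.pop(src_ip, None)
            if self.on_success:             # caller's hook, e.g. pfctl table update
                self.on_success(src_ip)
            return True
        self.progress[src_ip] = (idx, started)
        return False


def replay(events: List[Tuple[float, str, int]]) -> List[str]:
    """Run (timestamp, src_ip, dst_port) events through a tracker; return unlocked IPs."""
    opened: List[str] = []
    tracker = KnockTracker(on_success=opened.append)
    for ts, src, port in events:
        tracker.observe(ts, src, port)
    return opened


# Constructed sample traffic (documentation addresses, not real data)
SAMPLE_EVENTS = [
    (0.0, "192.0.2.10", 14289), (0.5, "192.0.2.10", 32883),
    (1.0, "192.0.2.10", 1234), (1.5, "192.0.2.10", 3428),          # correct sequence
    (2.0, "198.51.100.7", 1234), (2.1, "198.51.100.7", 3428),
    (2.2, "198.51.100.7", 14289), (2.3, "198.51.100.7", 32883),    # ascending sweep: wrong order
    (3.0, "203.0.113.5", 14289), (3.5, "203.0.113.5", 32883),
    (20.0, "203.0.113.5", 1234), (20.5, "203.0.113.5", 3428),      # too slow: window expired
]
```

The second sample shows why a plain ascending port sweep does not trip the sequence; feeding the tracker from pflog instead of a list is left to the daemon.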