from /var/log/auth.log

2010-09-26 Thread Gary Kline
guys, here is the output from 20 mins ago from auth.log.  i saw this last 
night.  any clues what i'm doing wrong? eg., what is auxpropfunc?

i've done about as much as i can.  spamassassin was not running, etc.
i did a reboot so everything should be reinitialized correctly.


Sep 26 12:00:34 ethic shutdown: reboot by kline: 
Sep 26 12:00:36 ethic sshd[978]: Received signal 15; terminating.
Sep 26 12:00:51 ethic sm-mta[15391]: sql_select option missing
Sep 26 12:00:51 ethic sm-mta[15391]: auxpropfunc error no mechanism available
Sep 26 12:02:41 ethic saslauthd[833]: detach_tty  : master pid is: 833
Sep 26 12:02:41 ethic saslauthd[833]: ipc_init: listening on socket: 
/var/run/saslauthd/mux
Sep 26 12:02:53 ethic sshd[978]: Server listening on :: port 22.
Sep 26 12:02:53 ethic sshd[978]: Server listening on 0.0.0.0 port 22.
Sep 26 12:02:54 ethic sm-mta[982]: sql_select option missing
Sep 26 12:02:54 ethic sm-mta[982]: auxpropfunc error no mechanism available
Sep 26 12:14:46 ethic sshd[1142]: Accepted publickey for kline from 10.47.0.110 
port 55753 ssh2


can anybody help me?

gary

going for a nap. four hours doesn't cut it no mo'


-- 
Gary Kline  Seattle BSD Users' Group (seabug)  | kl...@magnesium.net
Thought Unlimited Org's Alternate Email Site
http://www.magnesium.net/~kline
   To live is not a necessity; but to live honorably...is a necessity. -Kant

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


Re: Question about entry in auth.log

2008-11-15 Thread Wojciech Puchar
Nov 12 15:44:29 mail sshd[30160]: Accepted keyboard-interactive/pam for michael from 89.123.165.3 port 55185 ssh2

There is a user michael on the system, but whoever was doing this was not 
him.


I am assuming someone tried to break in using a valid username (michael) but 
with an incorrect password.


it was a VALID password. he successfully logged in.


change the password now, look at what the intruder messed with and tell michael to be 
more careful about his password next time.


if the intruder wasn't very smart, he may not have deleted .history; look at what 
he/she did.




Re: Question about entry in auth.log

2008-11-15 Thread Wojciech Puchar
Very odd. Sigh, Michael is not vacationing in Romania. Doubt he's ever been 
there. I got rid of the michael account (it wasn't used anyway), and 
downloaded a new copy of chkrootkit, installed it and ran it along with 
chklastlog and chkwtmp. Nothing was found. Perhaps this was a harmless enough 
prank? Anything else I ought to look at? Fortunately the michael account did 
not have the ability to su to root.

it doesn't matter if he/she had, if he/she doesn't know the root password.


Re: Question about entry in auth.log

2008-11-15 Thread Valentin Bud
Hello,
 I personally use key authentication along with the DenyUsers and
AllowUsers directives from sshd. One more thing I do regarding ssh brute
force is to make use of max-src-conn and max-src-conn-rate from the pf
firewall.

My auth logs look like:
Nov 14 11:15:36 xxx sshd[3570]: User root from 211.55.48.179 not allowed because not listed in AllowUsers
Nov 14 11:15:38 xxx sshd[3572]: Invalid user admin from 211.55.48.179
Nov 14 11:15:41 xxx sshd[3574]: Invalid user test from 211.55.48.179
Nov 14 11:15:44 xxx sshd[3576]: User root from 211.55.48.179 not allowed because not listed in AllowUsers
Nov 14 11:15:46 xxx sshd[3578]: Invalid user ghost from 211.55.48.179

Five tries from the above ip and if unsuccessful it gets overloaded in
a table and all the states originating from that ip are killed.

All the servers I have are web/mail ones, none of them is used for
users, so I don't know if this is a good approach, but I wrote it to
help give an idea about it.

a great day,
v

On Sat, Nov 15, 2008 at 5:00 AM, Lisa Casey [EMAIL PROTECTED] wrote:


 On Fri, 14 Nov 2008, Tom Marchand wrote:

 Or michael is vacationing in Romania.

 Very odd. Sigh, Michael is not vacationing in Romania. Doubt he's ever been
 there. I got rid of the michael account (it wasn't used anyway), and
 downloaded a new copy of chkrootkit, installed it and ran it along with
 chklastlog and chkwtmp. Nothing was found. Perhaps this was a harmless enough
 prank? Anything else I ought to look at? Fortunately the michael account did
 not have the ability to su to root.

 Lisa




Re: Question about entry in auth.log

2008-11-15 Thread Jeremy Chadwick
On Fri, Nov 14, 2008 at 11:37:15PM -0800, Jeremy Chadwick wrote:
 On Fri, Nov 14, 2008 at 10:00:13PM -0500, Lisa Casey wrote:
  Very odd. Sigh, Michael is not vacationing in Romania. Doubt he's ever  
  been there. I got rid of the michael account (it wasn't used anyway), and 
  downloaded a new copy of chkrootkit, installed it and ran it along with  
  chklastlog and chkwtmp. Nothing was found. Perhaps this was a harmless  
  enough prank? Anything else I ought to look at? Fortunately the michael  
  account did not have the ability to su to root.
 
 The individual in Romania *was not* able to log in as michael.  The

Correction: the individual **WAS** able to log in as michael.  I missed
the part of the message that said Accepted at the front.  Sorry for
confusing you, I've had a very rough week and my brain is not
functioning.

What Wojciech said is correct -- change the password on the account.

Also keep in mind that the user may not have actually logged in and
gotten a shell; the message you see can also happen if the individual
simply scp'd something (e.g. no shell spawned).

-- 
| Jeremy Chadwickjdc at parodius.com |
| Parodius Networking   http://www.parodius.com/ |
| UNIX Systems Administrator  Mountain View, CA, USA |
| Making life hard for others since 1977.  PGP: 4BD6C0CB |



Re: Question about entry in auth.log

2008-11-15 Thread Wojciech Puchar


Also keep in mind that the user may not have actually logged in and
gotten a shell; the message you see can also happen if the individual
simply scp'd something (e.g. no shell spawned).


but in this case there are other messages about scp, not sure if in auth.log 
or others. I use a single file for logs, /var/log/messages.






Re: Question about entry in auth.log

2008-11-15 Thread mdh
--- On Sat, 11/15/08, Jeremy Chadwick [EMAIL PROTECTED] wrote:
 From: Jeremy Chadwick [EMAIL PROTECTED]
 Subject: Re: Question about entry in auth.log
 To: Lisa Casey [EMAIL PROTECTED]
 Cc: freebsd-questions@freebsd.org
 Date: Saturday, November 15, 2008, 2:37 AM
 On Fri, Nov 14, 2008 at 10:00:13PM -0500, Lisa Casey wrote:
 
 The individual in Romania *was not* able to log in as michael.  The
 message you saw was sshd saying Someone's trying to SSH in as user
 michael; SSH key negotiation failed, and now I'm asking them to type in
 their password manually.
 
 It's not a prank.  Shady online individuals have written scripts/tools
 that repetitively beat on sshd, trying to find an account they can log
 in as.  They're simply scanning for valid accounts, and they also often
 try many passwords over and over (common things, such as the username as
 a password).
 
 Welcome to the Internet circa 2008.  :(
 
 So how do I solve this problem?
 
 The easiest way: change sshd to listen on a port *other* than 22.  Many
 people pick .  This relieves 99% of the pain, but requires you to
 tell your users/co-workers/peers My box listens on port  for ssh,
 not 22.
 
 A secondary way: programs which monitor logs and add firewall block
 rules when they see too many brute force attempts coming from an IP
 address:
 
 ports/security/blocksshd
 ports/security/sshblock
 ports/security/sshguard
 (I think I forgot one more, but those are the main three)

I've considered writing an sshd patch for OpenSSH to add bad-authentication 
throttling to it, such that where X number of invalid attempts featuring at 
least Y different usernames in Z seconds from the same IP causes sshd to ignore 
that IP outright for a given time.  This would prevent syslog spam and not 
require any third-party applications.  I've written a socket abstraction 
library that supports throttling of this sort internally, and it's actually 
very easy to implement on its own.  Implementing it in OpenSSH may be more or 
less difficult depending on whether there's any central function that is called 
*every* time an authentication attempt fails.  

If a few folks respond saying I'd sure like that patch!, I would likely 
become more motivated to do so sooner.  

- mdh



  


Question about entry in auth.log

2008-11-14 Thread Lisa Casey

Hi,

I run several FreeBSD servers. Today I noticed  an entry in the auth.log on 
one of them that concerns me. The entry is this:


Nov 12 15:44:29 mail sshd[30160]: Accepted keyboard-interactive/pam for michael from 89.123.165.3 port 55185 ssh2

There is a user michael on the system, but whoever was doing this was not 
him.


I am assuming someone tried to break in using a valid username (michael) but 
with an incorrect password. So I just conducted an experiment to see if I 
could replicate that log entry using another valid username: mandy. I ssh'ed 
into the server, gave mandy as the username with an incorrect password. The 
auth.log entry for that attempt is this:


Nov 14 19:44:54 mail sshd[96194]: Failed password for mandy from 
72.155.127.223 port 51919 ssh2


and when I used something called keyboard interactive as the primary 
authentication method in my ssh client, I get this:


sshd[96348]: error: PAM: authentication error for mandy from 72.155.127.223

Nothing about Accepted keyboard-interactive/pam.  What does Accepted 
keyboard-interactive/pam mean?


Also, in my ssh client, for authentication methods I have a choice of 
password, publickey or keyboard interactive. I've always used password, and 
never even noticed that keyboard interactive before. What is that?


Thanks,

Lisa Casey




Re: Question about entry in auth.log

2008-11-14 Thread Steven Susbauer
Lisa Casey wrote:
 Hi,
 
 I run several FreeBSD servers. Today I noticed  an entry in the auth.log
 on one of them that concerns me. The entry is this:
 
 Nov 12 15:44:29 mail sshd[30160]: Accepted keyboard-interactive/pam for michael from 89.123.165.3 port 55185 ssh2
 
 There is a user michael on the system, but whoever was doing this was
 not him.
 
 I am assuming someone tried to break in using a valid username (michael)
 but with an incorrect password. So I just conducted an experiment to see
 if I could replicate that log entry using another valid username: mandy.
 I ssh'ed into the server, gave mandy as the username with an incorrect
 password. The auth.log entry for that attempt is this:
 
 Nov 14 19:44:54 mail sshd[96194]: Failed password for mandy from
 72.155.127.223 port 51919 ssh2
 
 and when I used something called keyboard interactive as the primary
 authentication method in my ssh client, I get this:
 
 sshd[96348]: error: PAM: authentication error for mandy from 72.155.127.223
 
 Nothing about Accepted keyboard-interactive/pam.  What does Accepted
 keyboard-interactive/pam mean?
 
 Also, in my ssh client, for authentication methods I have a choice of
 password, publickey or keyboard interactive. I've always used password,
 and never even noticed that keyboard interactive before. What is that?
 
 Thanks,
 
 Lisa Casey
 
Keyboard-interactive includes when the server sends requests such as
Password: to which the connector responds by typing their password.
This is different from entering the password in your client before
connecting. Example:

$ ssh [EMAIL PROTECTED]
[EMAIL PROTECTED]'s password:

Try doing similar with the correct password and I bet you will see the
Accepted/keyboard-interactive; it may be possible that michael's
password is no longer secure.





Re: Question about entry in auth.log

2008-11-14 Thread Tom Marchand


On Nov 14, 2008, at 8:00 PM, Steven Susbauer wrote:

 Lisa Casey wrote:

 Hi,

 I run several FreeBSD servers. Today I noticed an entry in the auth.log
 on one of them that concerns me. The entry is this:

 Nov 12 15:44:29 mail sshd[30160]: Accepted keyboard-interactive/pam for michael from 89.123.165.3 port 55185 ssh2

 There is a user michael on the system, but whoever was doing this was
 not him.

 I am assuming someone tried to break in using a valid username (michael)
 but with an incorrect password. So I just conducted an experiment to see
 if I could replicate that log entry using another valid username: mandy.
 I ssh'ed into the server, gave mandy as the username with an incorrect
 password. The auth.log entry for that attempt is this:

 Nov 14 19:44:54 mail sshd[96194]: Failed password for mandy from 72.155.127.223 port 51919 ssh2

 and when I used something called keyboard interactive as the primary
 authentication method in my ssh client, I get this:

 sshd[96348]: error: PAM: authentication error for mandy from 72.155.127.223

 Nothing about Accepted keyboard-interactive/pam.  What does Accepted
 keyboard-interactive/pam mean?

 Also, in my ssh client, for authentication methods I have a choice of
 password, publickey or keyboard interactive. I've always used password,
 and never even noticed that keyboard interactive before. What is that?

 Thanks,

 Lisa Casey

 Keyboard-interactive includes when the server sends requests such as
 Password: to which the connector responds by typing their password.
 This is different from entering the password in your client before
 connecting. Example:

 $ ssh [EMAIL PROTECTED]
 [EMAIL PROTECTED]'s password:

 Try doing similar with the correct password and I bet you will see the
 Accepted/keyboard-interactive; it may be possible that michael's
 password is no longer secure.


Or michael is vacationing in Romania.



Re: Question about entry in auth.log

2008-11-14 Thread Lisa Casey



On Fri, 14 Nov 2008, Tom Marchand wrote:


Or michael is vacationing in Romania.


Very odd. Sigh, Michael is not vacationing in Romania. Doubt he's ever 
been there. I got rid of the michael account (it wasn't used anyway), and 
downloaded a new copy of chkrootkit, installed it and ran it along with 
chklastlog and chkwtmp. Nothing was found. Perhaps this was a harmless 
enough prank? Anything else I ought to look at? Fortunately the michael 
account did not have the ability to su to root.


Lisa



Re: Question about entry in auth.log

2008-11-14 Thread Jeremy Chadwick
On Fri, Nov 14, 2008 at 10:00:13PM -0500, Lisa Casey wrote:
 Very odd. Sigh, Michael is not vacationing in Romania. Doubt he's ever  
 been there. I got rid of the michael account (it wasn't used anyway), and 
 downloaded a new copy of chkrootkit, installed it and ran it along with  
 chklastlog and chkwtmp. Nothing was found. Perhaps this was a harmless  
 enough prank? Anything else I ought to look at? Fortunately the michael  
 account did not have the ability to su to root.

The individual in Romania *was not* able to log in as michael.  The
message you saw was sshd saying Someone's trying to SSH in as user
michael; SSH key negotiation failed, and now I'm asking them to type in
their password manually.

It's not a prank.  Shady online individuals have written scripts/tools
that repetitively beat on sshd, trying to find an account they can log
in as.  They're simply scanning for valid accounts, and they also often
try many passwords over and over (common things, such as the username as
a password).

Welcome to the Internet circa 2008.  :(

So how do I solve this problem?

The easiest way: change sshd to listen on a port *other* than 22.  Many
people pick .  This relieves 99% of the pain, but requires you to
tell your users/co-workers/peers My box listens on port  for ssh,
not 22.

A secondary way: programs which monitor logs and add firewall block
rules when they see too many brute force attempts coming from an IP
address:

ports/security/blocksshd
ports/security/sshblock
ports/security/sshguard
(I think I forgot one more, but those are the main three)

-- 
| Jeremy Chadwickjdc at parodius.com |
| Parodius Networking   http://www.parodius.com/ |
| UNIX Systems Administrator  Mountain View, CA, USA |
| Making life hard for others since 1977.  PGP: 4BD6C0CB |


RE: auth.log intruder prevention

2006-01-26 Thread fbsd_user
What is happening to you is not unique.
There are 4 common solutions to this problem.

1. The simplest is to add a deny rule to your firewall for the
offending ip address.
2. Use the route blackhole command.

Example:

To Add use  route add -host attacker_ip 127.0.0.1 -blackhole

To Delete use   route delete -host attacker_ip 127.0.0.1 -blackhole

To List use netstat -nr|grep 127

This is executed in the IP stack and is faster than in the firewall
when you have over 20 of those special deny this IP address rules
in the firewall. The attacker_ip is found in the log records in the
/var/log/auth.log file.

You can create a script (route_blackholed_ip.sh) containing route
commands for all the IP address that have attacked you in the past
and save it to /usr/local/etc/rc.d/ so it will be run at boot time.

*** note **

The problem using either of the above methods is the attacker may
just use a different ip address in the same range. Depending on
where your authorized traffic is coming from you can deny or
blackhole the complete subnet. Even the whole xxx..0.0.0 by coding
the ip address with /xx after it.

*** note end **

3. If you know the ip addresses of your authorized ssh users then add
rules to your firewall to pass just those authorized ip addresses to
port 22 and deny all else.

4. All of the above solutions will not stop the flow of traffic to
port 22 driving up your bandwidth usage, just stop it from getting
to ssh which is already doing a fine job of stopping it now. The
only way to reduce the unauthorized traffic to your port 22 is not
to have port 22 open. In the ssh logon command you can enter the
port number you have ssh using. So change the port ssh uses and the
script kiddies will not be able to find your ssh access port. You can
change the port ssh is listening on by editing the ssh entry in
/etc/services to some high number port of your choosing and then
have all your ssh users include that port number in their remote
login command. Allow that port number to pass in your firewall and
deny port 22.  This way the attackers will not see ssh port open and
not waste time on you any longer.

**  to get revenge on your attackers
*
Attackers who beat on ssh/telnet/ftp are looking to break into your
box so they have to be using their real ip address to receive the
response when they succeed. (ie not using spoofed ip address)  If
you use the ipfilter firewall you can use the FreeBSD port ppars-1.0
to read the log file and auto generate an email to the isp owner of
the ip address range the attacker is using. Most ISPs around the
world have usage user agreements that this attacking behavior is not
allowed. In most cases the ISP will terminate the attacker's account.
In time your ip address will become known as a place not to probe and
your bandwidth usage will decline.

The install guide at www.a1poweruser.com  (section 6.13 Defending
Against Attacks) has a more detailed explanation.





-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Paul
Hamilton
Sent: Wednesday, January 25, 2006 10:05 PM
To: 'Daniel Gerzo'; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: auth.log  intruder prevention


Hi Daniel,

On your web site, you show how easy it is to convert to IPTABLES.  I
presume
then it would be quite easy to reconfigure to use IPFW as well?

Cheers,

Paul

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Daniel
Gerzo
 Sent: Wednesday, 25 January 2006 7:58 AM
 To: [EMAIL PROTECTED]
 Cc: [EMAIL PROTECTED]
 Subject: Re: auth.log  intruder prevention


 On Tue, Jan 24, 2006 at 10:02:26PM +0100, Ilias Sachpazidis wrote:
  Hi Everyone,

 hello,

 
  In auth.log of my FreeBSD boxes I got many requests to port 22, as you
  can see below. begin of snippet
  Jan 22 11:21:50 zeus sshd[92900]: Failed password for illegal user cracking from 65.208.188.105 port 58344 ssh2
  Jan 22 11:21:53 zeus sshd[92902]: Failed password for illegal user hacking from 65.208.188.105 port 58443 ssh2
  end of snippet
 
  I am wondering if any script is available to prevent hundreds of
  attempts on port 22 from external IPs that constantly checking user
  passwords on my FreeBSD PCs.
 
  What I am looking for is a daemon application/script that receives the
  recorded data from auth.log and detects if any remote client (IP
  address) is checking user and passwords (Detection pattern: 5 missing
  attempts in 1 min). On a successful detection, the script should add
  an ipfw rule rejecting further IP packets from the specific remote
  address.
 
  Is any script or something similar available so far?

 I've written a BruteForceBlocker, you can install it from
 ports as well, check security/bruteforceblocker.

 Hope you will like it.

 --
 Sincerely,
Daniel Gerzo

RE: auth.log intruder prevention

2006-01-25 Thread Paul Hamilton
Hi Daniel,

On your web site, you show how easy it is to convert to IPTABLES.  I presume
then it would be quite easy to reconfigure to use IPFW as well?

Cheers,

Paul

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Gerzo
 Sent: Wednesday, 25 January 2006 7:58 AM
 To: [EMAIL PROTECTED]
 Cc: [EMAIL PROTECTED]
 Subject: Re: auth.log  intruder prevention
 
 
 On Tue, Jan 24, 2006 at 10:02:26PM +0100, Ilias Sachpazidis wrote:
  Hi Everyone,
 
 hello,

  
  In auth.log of my FreeBSD boxes I got many requests to port 22, as you
  can see below. begin of snippet
  Jan 22 11:21:50 zeus sshd[92900]: Failed password for illegal user cracking from 65.208.188.105 port 58344 ssh2
  Jan 22 11:21:53 zeus sshd[92902]: Failed password for illegal user hacking from 65.208.188.105 port 58443 ssh2
  end of snippet
  
  I am wondering if any script is available to prevent hundreds of
  attempts on port 22 from external IPs that constantly checking user
  passwords on my FreeBSD PCs.
  
  What I am looking for is a daemon application/script that receives the
  recorded data from auth.log and detects if any remote client (IP
  address) is checking user and passwords (Detection pattern: 5 missing
  attempts in 1 min). On a successful detection, the script should add
  an ipfw rule rejecting further IP packets from the specific remote
  address.
  
  Is any script or something similar available so far?
 
 I've written a BruteForceBlocker, you can install it from 
 ports as well, check security/bruteforceblocker.
 
 Hope you will like it.
 
 -- 
 Sincerely,
Daniel Gerzo
 
 



auth.log intruder prevention

2006-01-24 Thread Ilias Sachpazidis
Hi Everyone,

In auth.log of my FreeBSD boxes I got many requests to port 22, as you can
see below.
begin of snippet
Jan 22 11:21:50 zeus sshd[92900]: Failed password for illegal user cracking
from 65.208.188.105 port 58344 ssh2
Jan 22 11:21:53 zeus sshd[92902]: Failed password for illegal user hacking
from 65.208.188.105 port 58443 ssh2
Jan 22 11:21:55 zeus sshd[92904]: Failed password for illegal user lol from
65.208.188.105 port 58543 ssh2
Jan 22 11:21:57 zeus sshd[92906]: Failed password for illegal user pgl from
65.208.188.105 port 58640 ssh2
Jan 22 11:22:00 zeus sshd[92908]: Failed password for illegal user player
from 65.208.188.105 port 58741 ssh2
Jan 22 11:22:02 zeus sshd[92910]: Failed password for illegal user root4me
from 65.208.188.105 port 58842 ssh2
end of snippet

I am wondering if any script is available to prevent hundreds of attempts on
port 22 from external IPs that constantly checking user  passwords on my
FreeBSD PCs.

What I am looking for is a daemon application/script that receives the
recorded data from auth.log and detects if any remote client (IP address) is
checking user and passwords (Detection pattern: 5 missing attempts in 1
min). On a successful detection, the script should add an ipfw rule
rejecting further IP packets from the specific remote address.

Is any script or something similar available so far? 

All the best,

Ilias
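Putting the thread's detection rule into code: the block below is an added example (not a tool anyone posted here, and not bruteforceblocker) that classifies the sshd lines quoted in these posts, reports a source once it reaches 5 failures within 60 seconds against at least 2 distinct usernames (Ilias's 5-in-a-minute pattern combined with mdh's distinct-username condition and Valentin's five-tries rule), and flags Accepted logins from outside a per-user source allowlist, which is how the michael entry Lisa asks about would surface for review. The ipfw and route-blackhole commands named in the thread are only returned as strings, never executed; the allowlist networks and the year handed to the parser (syslog lines carry none) are assumptions.

```python
"""Classify sshd auth.log lines, spot password-guessing sources and flag Accepted
logins from unexpected addresses. Added example; sample lines are quoted in this thread."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Syslog lines carry no year (the caller supplies one); the "timestamp host" prefix
# is optional because one of the quoted lines lacks it.
LINE_RE = re.compile(r"^(?:(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ )?"
                     r"sshd\[\d+\]: (?P<msg>.*)$")

# Message shapes seen in this thread, each mapped to "accepted" or "failed".
EVENT_RES = [
    ("accepted", re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) "
                            r"from (?P<ip>\S+) port \d+")),
    ("failed", re.compile(r"^Failed password for (?:illegal user |invalid user )?"
                          r"(?P<user>\S+) from (?P<ip>\S+) port \d+")),
    ("failed", re.compile(r"^Invalid user (?P<user>\S+) from (?P<ip>\S+)")),
    ("failed", re.compile(r"^User (?P<user>\S+) from (?P<ip>\S+) not allowed "
                          r"because not listed in AllowUsers")),
    ("failed", re.compile(r"^error: PAM: authentication error for "
                          r"(?P<user>\S+) from (?P<ip>\S+)")),
]

SAMPLE = """\
Jan 22 11:21:50 zeus sshd[92900]: Failed password for illegal user cracking from 65.208.188.105 port 58344 ssh2
Jan 22 11:21:53 zeus sshd[92902]: Failed password for illegal user hacking from 65.208.188.105 port 58443 ssh2
Jan 22 11:21:55 zeus sshd[92904]: Failed password for illegal user lol from 65.208.188.105 port 58543 ssh2
Jan 22 11:21:57 zeus sshd[92906]: Failed password for illegal user pgl from 65.208.188.105 port 58640 ssh2
Jan 22 11:22:00 zeus sshd[92908]: Failed password for illegal user player from 65.208.188.105 port 58741 ssh2
Jan 22 11:22:02 zeus sshd[92910]: Failed password for illegal user root4me from 65.208.188.105 port 58842 ssh2
Nov 14 11:15:36 xxx sshd[3570]: User root from 211.55.48.179 not allowed because not listed in AllowUsers
Nov 14 11:15:38 xxx sshd[3572]: Invalid user admin from 211.55.48.179
Nov 14 19:44:54 mail sshd[96194]: Failed password for mandy from 72.155.127.223 port 51919 ssh2
sshd[96348]: error: PAM: authentication error for mandy from 72.155.127.223
Nov 12 15:44:29 mail sshd[30160]: Accepted keyboard-interactive/pam for michael from 89.123.165.3 port 55185 ssh2
Sep 26 12:14:46 ethic sshd[1142]: Accepted publickey for kline from 10.47.0.110 port 55753 ssh2
"""

# Assumed per-user source networks (constructed); anything else is flagged.
EXPECTED = {"kline": ["10.47.0.0/16"], "michael": ["192.0.2.0/24"]}

def parse_line(line, year):
    """Return {ts, kind, user, ip, method} for an sshd auth line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = m.group("ts")
    ts = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S") if ts else None
    for kind, rx in EVENT_RES:
        em = rx.match(m.group("msg"))
        if em:
            return {"ts": ts, "kind": kind, "user": em.group("user"),
                    "ip": em.group("ip"), "method": em.groupdict().get("method")}
    return None

def find_bruteforce(events, threshold=5, window=60, min_users=2):
    """Per-source sliding window: record the first moment a source reaches
    `threshold` failures within `window` seconds against >= `min_users` names.
    Returns {ip: (when, sorted usernames tried in that window)}."""
    recent, hits = defaultdict(deque), {}
    failed = [e for e in events if e["kind"] == "failed" and e["ts"]]
    for ev in sorted(failed, key=lambda e: e["ts"]):
        if ev["ip"] in hits:
            continue
        q = recent[ev["ip"]]
        q.append((ev["ts"], ev["user"]))
        while (ev["ts"] - q[0][0]).total_seconds() > window:  # expire old entries
            q.popleft()
        users = {u for _, u in q}
        if len(q) >= threshold and len(users) >= min_users:
            hits[ev["ip"]] = (ev["ts"], sorted(users))
    return hits

def block_commands(ip):
    """The two blocking mechanisms named in the thread, returned for review."""
    return [f"ipfw add deny ip from {ip} to any",
            f"route add -host {ip} 127.0.0.1 -blackhole"]

def unexpected_logins(events, expected):
    """Accepted logins whose source is outside the user's expected networks."""
    out = []
    for ev in events:
        if ev["kind"] == "accepted":
            addr = ipaddress.ip_address(ev["ip"])
            nets = [ipaddress.ip_network(n) for n in expected.get(ev["user"], [])]
            if not any(addr in n for n in nets):
                out.append((ev["user"], ev["ip"], ev["method"]))
    return out

if __name__ == "__main__":
    evs = [e for e in (parse_line(l, 2008) for l in SAMPLE.splitlines()) if e]
    for ip, (when, users) in find_bruteforce(evs).items():
        print(ip, f"{len(users)} names by {when:%b %d %H:%M:%S}", block_commands(ip))
    for user, ip, method in unexpected_logins(evs, EXPECTED):
        print("review:", user, "accepted via", method, "from", ip)
```

The PAM line without a timestamp still classifies as a failure but is left out of the time window, since it cannot be placed in time.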
 


 




RE: auth.log intruder prevention

2006-01-24 Thread Ilias Sachpazidis
We are talking about a few users and nobody has a permanent IP. 

-IS


-Original Message-
From: Dan O'Connor [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, 24 January 2006 22:29
To: [EMAIL PROTECTED]
Subject: Re: auth.log  intruder prevention

 I am wondering if any script is available to prevent hundreds of attempts on
 port 22 from external IPs that constantly checking user  passwords on my
 FreeBSD PCs.

I can't help you with a greylist solution, but how many users do you 
have that ssh in from the outside?

If you don't have too many, and they come from stable IP addresses, you 
could always set up firewall rules to allow specific connections and 
block other attempts to connect to port 22:

# My Trusted SSH Sites
dan=123.45.67.89
jim=234.56.78.90
. . .

# SSH Login - Allow only trusted incoming on outside interface
${fwcmd} add pass log tcp from ${dan} to any 22 in via ${oif} setup
${fwcmd} add pass log tcp from ${jim} to any 22 in via ${oif} setup
. . .
${fwcmd} add deny log tcp from any to any 22 in via ${oif} setup

~Dan

--
FreeBSD Cheat Sheets
   http://www.mostgraveconcern.com/freebsd/ 





Re: auth.log intruder prevention

2006-01-24 Thread Daniel Gerzo
On Tue, Jan 24, 2006 at 10:02:26PM +0100, Ilias Sachpazidis wrote:
 Hi Everyone,

hello,
   
 
 In auth.log of my FreeBSD boxes I got many requests to port 22, as you can
 see below.
 begin of snippet
 Jan 22 11:21:50 zeus sshd[92900]: Failed password for illegal user cracking
 from 65.208.188.105 port 58344 ssh2
 Jan 22 11:21:53 zeus sshd[92902]: Failed password for illegal user hacking
 from 65.208.188.105 port 58443 ssh2
 end of snippet
 
 I am wondering if any script is available to prevent hundreds of attempts on
 port 22 from external IPs that constantly checking user  passwords on my
 FreeBSD PCs.
 
 What I am looking for is a daemon application/script that receives the
 recorded data from auth.log and detects if any remote client (IP address) is
 checking user and passwords (Detection pattern: 5 missing attempts in 1
 min). On a successful detection, the script should add an ipfw rule
 rejecting further IP packets from the specific remote address.
 
 Is any script or something similar available so far? 

I've written a BruteForceBlocker, you can install it from ports as well,
check security/bruteforceblocker.

Hope you will like it.

-- 
Sincerely,
   Daniel Gerzo


RE: auth.log intruder prevention

2006-01-24 Thread Ilias Sachpazidis
Thanks Daniel,

I was about to develop a perl script.
It, however, seems that bruteforceblocker does what I was looking for.

Thanks again,

Ilias


-Original Message-
From: Daniel Gerzo [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, 25 January 2006 00:58
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: auth.log  intruder prevention

On Tue, Jan 24, 2006 at 10:02:26PM +0100, Ilias Sachpazidis wrote:
 Hi Everyone,

hello,
   
 
 In auth.log of my FreeBSD boxes I got many requests to port 22, as you can
 see below.
 begin of snippet
 Jan 22 11:21:50 zeus sshd[92900]: Failed password for illegal user cracking from 65.208.188.105 port 58344 ssh2
 Jan 22 11:21:53 zeus sshd[92902]: Failed password for illegal user hacking from 65.208.188.105 port 58443 ssh2
 end of snippet
 
 I am wondering if any script is available to prevent hundreds of attempts on
 port 22 from external IPs that constantly checking user  passwords on my
 FreeBSD PCs.
 
 What I am looking for is a daemon application/script that receives the
 recorded data from auth.log and detects if any remote client (IP address) is
 checking user and passwords (Detection pattern: 5 missing attempts in 1
 min). On a successful detection, the script should add an ipfw rule
 rejecting further IP packets from the specific remote address.
 
 Is any script or something similar available so far? 

I've written a BruteForceBlocker, you can install it from ports as well,
check security/bruteforceblocker.

Hope you will like it.

-- 
Sincerely,
   Daniel Gerzo



thread hijacking, was: auth.log intruder prevention

2006-01-24 Thread Michael P. Soulier
On 24/01/06 Ilias Sachpazidis said:

 Hi Everyone,
 
 In auth.log of my FreeBSD boxes I got many requests to port 22, as you can
 see below.

It's considered poor mailing list etiquette to hijack a thread. Please start
a new post instead. Some of us are using threaded mail readers. 

Thanks,
Mike

-- 
Michael P. Soulier [EMAIL PROTECTED]
Any intelligent fool can make things bigger and more complex... It takes a
touch of genius - and a lot of courage to move in the opposite direction.
--Albert Einstein




Auth.log date issue?

2005-03-09 Thread Mark

Running FreeBSD 4.10, today I saw this in my log:

asarian-host.net login failures:
Mar  8 22:11:20 asarian-host sshd[32810]: Failed password for asarian from 192.168.0.8 port 3535 ssh2
Mar  8 22:11:36 asarian-host sshd[32812]: Failed password for asarian from 192.168.0.8 port 3536 ssh2
Mar  8 22:11:39 asarian-host sshd[32814]: Failed password for asarian from 192.168.0.8 port 3537 ssh2

Which is curious, as the IP address no longer has a machine on it. Then I
checked, and after a while I suddenly noticed /var/log/auth.log was dated
March 8, 2004! Apparently, the security script just checks the date, but
not the year? Is it supposed to work this way? It gave me a good scare,
all for nothing. :)

Thanks,

- Mark



strange things in my /var/log/auth.log

2005-03-09 Thread Stevan Tiefert
Hello list,

when I do this:

cat /var/log/auth.log | grep listening

I get this:

Mar  3 14:23:21 mail sshd[380]: Server listening on :: port 22.
Mar  3 14:23:21 mail sshd[380]: Server listening on 0.0.0.0 port 22.
Mar  3 17:01:51 mail sshd[2364]: Server listening on :: port 22.
Mar  3 17:01:51 mail sshd[2364]: Server listening on 0.0.0.0 port 22.
Mar  3 17:11:15 mail sshd[406]: Server listening on :: port 22.
Mar  3 17:11:15 mail sshd[406]: Server listening on 0.0.0.0 port 22.
Mar  9 12:51:47 mail sshd[408]: Server listening on :: port 22.
Mar  9 12:51:47 mail sshd[408]: Server listening on 0.0.0.0 port 22.
Mar  9 13:19:28 mail sshd[407]: Server listening on :: port 22.
Mar  9 13:19:28 mail sshd[407]: Server listening on 0.0.0.0 port 22.

These messages appeared only twice in the last nonstop run of my
machine over one week...
Is this normal? I don't think so. I have to say that somebody tried several
times in the last week to log in via ssh, but didn't have success because I
have a good password, I think...

With regards
Stevan Tiefert


Re: Auth.log date issue?

2005-03-09 Thread David Fleck
On Wed, 9 Mar 2005, Mark wrote:
> Which is curious, as the IP address no longer has a machine on it. Then I
> checked, and after a while I suddenly noticed /var/log/auth.log was dated
> March 8, 2004! Apparently, the security script just checks the date, but
> not the year? Is it supposed to work this way? It gave me a good scare,
> all for nothing. :)

The exact same thing happened to me a few months ago.  I think the script 
is written with the assumption that the auth.log will be rotated at least 
once a year; but if you don't have a lot of authorization activity, it can 
easily go beyond that without rotating, because the default for 
newsyslog.conf is to only rotate auth.log when it gets beyond a certain 
size.  Just add a time for auth.log to rotate, and this will go away.

(rotates auth.log once a month)
/var/log/auth.log   600  7 256  $M1D0 Z
--
David Fleck
[EMAIL PROTECTED]


Auth.log

2004-07-04 Thread Scott Gerhardt
I'm running FreeBSD 4.7 and I noticed that /var/log/auth.log does not
include the year (YYYY) in the log entries.  My daily cron jobs recently
sent notice that there were some failed login attempts on July 3 to an
account that was removed many months ago.  This raised concern, so I
did a thorough check and determined that the failed login attempt
occurred July 03 of 2003, _not_ 2004.

Shouldn't auth.log include the full YYYY-MM-DD date to avoid confusion
in case auth.log doesn't rotate between years?  This should apply to
all logs, especially security related logs...


Thanks,
--
Scott A. Gerhardt, P.Geo.
Gerhardt Information Technologies
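The false alarm Mark, David and Scott describe comes from matching a month/day stamp that has no year. This added example (not code from the thread or from the FreeBSD periodic scripts) shows the naive month/day match beside a check that first recovers each entry's year from the file's ordering. It assumes the last line belongs to the year given (take it from the file's mtime) and that the stamps are chronological; host names, PIDs and the non-quoted sample lines are constructed.

```python
import re
from datetime import datetime, date

# Added example, not code from the thread. BSD syslog stamps carry no year, so a
# check that matches "Mar  8" also hits March 8 of an earlier year when auth.log
# has not rotated. Assumptions: the last line belongs to `end_year` (take the
# file's mtime year) and the stamps are in chronological order.
TS_RE = re.compile(r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) ")

def with_years(lines, end_year):
    """Return [(datetime, line)] in file order, each stamp given its real year."""
    out, year, prev = [], end_year, None
    for line in reversed(lines):
        m = TS_RE.match(line)
        if not m:
            continue
        # parse month/day/time against a leap year so "Feb 29" is accepted
        stamp = datetime.strptime(f"2000 {m['mon']} {m['day']} {m['time']}",
                                  "%Y %b %d %H:%M:%S")
        key = stamp.timetuple()[1:6]          # (month, day, hour, minute, second)
        if prev is not None and key > prev:
            year -= 1      # reading backwards, the date jumped forward: previous year
        prev = key
        out.append((stamp.replace(year=year), line))
    out.reverse()
    return out

def failures_on(lines, end_year, day_iso):
    """Failed logins on one full YYYY-MM-DD date: the check the daily script needs."""
    day = date.fromisoformat(day_iso)
    return [l for when, l in with_years(lines, end_year)
            if when.date() == day and "Failed password" in l]

def naive_failures_on(lines, day_iso):
    """Month/day-only match, which is what produced the false alarm in the thread."""
    day = date.fromisoformat(day_iso)
    prefix = f"{day:%b} {day.day:2d}"          # e.g. "Mar  8", as syslog writes it
    return [l for l in lines if l.startswith(prefix) and "Failed password" in l]

# Constructed sample: Mark's two quoted failures, then a year of quiet activity.
SAMPLE = """\
Mar  8 22:11:20 asarian-host sshd[32810]: Failed password for asarian from 192.168.0.8 port 3535 ssh2
Mar  8 22:11:36 asarian-host sshd[32812]: Failed password for asarian from 192.168.0.8 port 3536 ssh2
Jul  3 09:15:02 asarian-host sshd[1200]: Accepted publickey for asarian from 192.168.0.20 port 4100 ssh2
Jan  5 08:00:00 asarian-host sshd[2100]: Accepted publickey for asarian from 192.168.0.20 port 4101 ssh2
Mar  8 10:30:00 asarian-host sshd[3300]: Accepted publickey for asarian from 192.168.0.20 port 4102 ssh2
""".splitlines()
```

On this sample the month/day match reports two failures for 2005-03-08 while the year-aware check reports none for that date and correctly attributes both to 2004-03-08; a clock set backwards would break the ordering assumption, which is why David's time-based rotation is the simpler fix.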


Auth.log and Cyrus SASL

2004-07-04 Thread Eric Crist
Hey all,

The email from Mr. Gerhardt prompted me to take a look at auth.log, and
I noticed a couple things that concerned me.  I just set Cyrus-SASL up,
and I see these entries in my auth.log file:

Jun 28 18:31:48 grog saslauthd[187]: START: saslauthd 1.5.28
Jun 28 18:31:48 grog saslauthd[194]: daemon started, listening on
/var/state/saslauthd1/mux
Jun 29 21:59:05 grog saslauthd[194]: Caught signal 15. Cleaning up and
terminating.
Jun 29 22:00:30 grog saslpasswd: failed to set plaintext secret for
cyrus: generic failure
Jun 29 22:00:30 grog saslpasswd: failed to set APOP secret for cyrus:
generic failure
Jun 29 22:00:30 grog saslpasswd: PLAIN: failed to set secret for cyrus:
generic failure
Jun 29 22:00:30 grog saslpasswd: DIGEST-MD5: set secret for cyrus
Jun 29 22:00:30 grog saslpasswd: CRAM-MD5: set secret for cyrus
Jun 29 22:00:30 grog saslpasswd: failed to disable account for cyrus:
user not found
Jun 29 22:00:30 grog saslpasswd: failed to disable APOP account for
cyrus: user not found
Jun 29 22:00:30 grog saslpasswd: PLAIN: failed to set secret for cyrus:
user not found
Jun 29 22:00:30 grog saslpasswd: DIGEST-MD5: set secret for cyrus
Jun 29 22:00:30 grog saslpasswd: CRAM-MD5: set secret for cyrus
Jun 29 22:05:14 grog saslauthd[14304]: START: saslauthd 1.5.28
Jun 29 22:05:14 grog saslauthd[14309]: daemon started, listening on
/var/state/saslauthd1/mux

Any idea what these mean, and how I can go about fixing them?

Thanks.

Found on Conan O'Brian:
Children's books written by celebrities;
   By Mel Gibson: Jesus Christ and the Terrible, Horrible, No Good, Very
Bad Day.

-
Keep your powder dry and your pecker hard and the world WILL turn.

-
Eric F Crist




Re: auth.log

2003-12-18 Thread Lowell Gilbert
Mark [EMAIL PROTECTED] writes:

> Is this a stuck key or an attack??

Looks like a stuck key to me.  It's on the console, so if it was an
attack, you'd've seen the attacker.

-- 
Lowell Gilbert, embedded/networking software engineer, Boston area: 
resume/CV at http://be-well.ilk.org:8088/~lowell/resume/
username/password public