System Intrusion Detection

2006-05-09 Thread M. Goodell
More and more each day I am seeing my root emails contain hundreds of entries
like this:

  May  8 02:23:35 warpstone sshd[26092]: Failed password for root from 222.185.245.208 port 50519 ssh2
  May  8 16:37:41 warpstone ftpd[34713]: FTP LOGIN FAILED FROM 211.44.250.152, Administrator

Basically, people are attempting to hack into my server, often with a few
thousand attempts each day. What measures can I take to stop these
attempts? Is there a way I can detect these attacks and automatically cut them
off? Are any of the security ports effective against this?

Thank you!

M Goodell


___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


RE: System Intrusion Detection

2006-05-09 Thread fbsd
Check the list archives; this subject has been beaten to death many times already.



Re: System Intrusion Detection

2006-05-09 Thread jad
Hi,

I would suggest using ssh with RSA key pairs and passphrases only. Don't
allow password-based login or root login over ssh. Only allow root to
log in using the console and use sudo for all admin tasks.

I have not tried this myself but you could use tcpwrappers and write a
script to add the IP address from repeated failed messages to the
hosts.deny file. There are various scripts already written to do this. A
quick Google search found this
http://security.linux.com/article.pl?sid=05/09/15/1655234 (it's about Linux
but I am sure the same approach applies to FreeBSD.)

Hope this helps
John

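The script John describes above, written here as an added example rather than anything posted in the thread: it parses the two log formats quoted in the original message (sshd "Failed password" and ftpd "FTP LOGIN FAILED"), counts failures per source address, and emits tcpwrappers hosts.deny entries for addresses over a threshold. The log lines are constructed samples (two addresses from the thread plus the documentation address 192.0.2.10); the threshold of 3 is an assumption.

```python
import re
from collections import Counter

# Constructed sample lines in the two formats quoted in the thread (sshd and ftpd).
SAMPLE_LOG = """\
May  8 02:23:35 warpstone sshd[26092]: Failed password for root from 222.185.245.208 port 50519 ssh2
May  8 02:23:39 warpstone sshd[26094]: Failed password for root from 222.185.245.208 port 50611 ssh2
May  8 02:23:44 warpstone sshd[26096]: Failed password for invalid user admin from 222.185.245.208 port 50700 ssh2
May  8 02:23:49 warpstone sshd[26098]: Failed password for root from 222.185.245.208 port 50802 ssh2
May  8 09:12:01 warpstone sshd[27011]: Failed password for alice from 192.0.2.10 port 4022 ssh2
May  8 16:37:41 warpstone ftpd[34713]: FTP LOGIN FAILED FROM 211.44.250.152, Administrator
May  8 16:37:45 warpstone ftpd[34713]: FTP LOGIN FAILED FROM 211.44.250.152, Administrator
May  8 16:37:50 warpstone ftpd[34713]: FTP LOGIN FAILED FROM 211.44.250.152, root
"""

# One pattern per daemon; each captures the source address as the 'ip' group.
FAIL_PATTERNS = [
    re.compile(r"sshd\[\d+\]: Failed password for .* from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"),
    re.compile(r"ftpd\[\d+\]: FTP LOGIN FAILED FROM (?P<ip>\d{1,3}(?:\.\d{1,3}){3}),"),
]


def count_failures(log_text):
    """Return a Counter of failed-login events keyed by source IP address."""
    counts = Counter()
    for line in log_text.splitlines():
        for pat in FAIL_PATTERNS:
            m = pat.search(line)
            if m:
                counts[m.group("ip")] += 1
                break  # a line matches at most one daemon's format
    return counts


def offenders(counts, threshold=3):
    """Addresses with at least `threshold` failures (assumed threshold), sorted for stable output."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def hosts_deny_lines(ips):
    """tcpwrappers hosts.deny entries that refuse the offenders for every wrapped service."""
    return ["ALL: %s" % ip for ip in ips]


if __name__ == "__main__":
    bad = offenders(count_failures(SAMPLE_LOG))
    print("\n".join(hosts_deny_lines(bad)))
```

Run it from a cron job against /var/log/auth.log and append the output to /etc/hosts.deny only for addresses not already listed, or the file grows with duplicates.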


Re: System Intrusion Detection

2006-05-09 Thread Daniel Bye

Don't feel too bad - the little bastards try it on anywhere and
everywhere.

There are a few things you can do to stop them in their tracks.  From
what I gather, the pf firewall provides some neat table functionality
that can be put to use in this situation.  I have never used pf, so will
not say more of it here.

I use Denyhosts, which is intended to stop brute force ssh attacks, but
which can be used to deny unwanted/unwelcome connections to any or all
services.  It's in the ports, is easy to set up and works really well.
There is a synchronisation server from which it can download IP
addresses that have been logged trying to mount attacks, and allows your
DenyHosts to upload addresses that have tried to crack you.

There are a couple of things you can do to protect your sshd.  First,
allow only public key authentication.  This may not be practical in all
situations, but it is a very good way of preventing dictionary attacks
from succeeding!  Secondly, set AllowGroups or AllowUsers in your
sshd.config, so that only explicitly permitted users or groups can
request a login.

HTH

Dan

-- 
Daniel Bye

PGP Key: ftp://ftp.slightlystrange.org/pgpkey/dan.asc
PGP Key fingerprint: D349 B109 0EB8 2554 4D75  B79A 8B17 F97C 1622 166A


Re: System Intrusion Detection

2006-05-09 Thread Ean Kingston
M,

There are several choices you can make to deal with this. 

First, be sure your root password is 'strong'. Generally 'strong' means
that it is a combination of upper case, lower case, and numbers with a
decent length. I personally go with at least 12 characters and throw in
some punctuation as well. Also, don't use real words.

Second, configure your ssh daemon to only support public key
authentication (PubkeyAuthentication, RSAAuthentication). This means
every user needs to have a public/private key pair. One part stays on the
server, the other goes to the remote system and is used to authenticate
with the server. This also makes the password attacks you are seeing
pretty useless.

Third, if your users are all coming in from a relatively small list of
IP addresses, you can consider using tcpwrappers (which should have been
built in to your sshd daemon). This allows you to configure the sshd
daemon to only allow access from a restricted set of IP addresses (or
block a specific set of addresses). This method will also stop those
messages from appearing in your mail once it is set up properly.

I use all three techniques. Unfortunately, I have found that I have to
pretty much exclude large parts of the world from accessing my ssh
server for the third option to be effective, and it is getting worse. I
used to have to block only a handful of countries but I'm now seeing
attempts from several continents.



Re: System Intrusion Detection

2006-05-09 Thread Dan Nelson

Some more links on securing ssh from password attacks:

http://la-samhna.de/library/brutessh.html

http://bsdwiki.com/wiki/Blocking_repeated_failed_login_attempts_via_SSH

-- 
Dan Nelson
[EMAIL PROTECTED]