Re: machine hangs on occasion - correlated with ssh break-in attempts
At 12:38 PM 8/21/2008, Mikhail Teterin wrote: Hello! A machine I manage remotely for a friend comes under a distributed ssh break-in attack every once in a while. Annoyed (and alarmed) by the messages like: Aug 12 10:21:17 symbion sshd[4333]: Invalid user mythtv from 85.234.158.180 Aug 12 10:21:18 symbion sshd[4335]: Invalid user mythtv from 85.234.158.180 Aug 12 10:21:20 symbion sshd[4337]: Invalid user mythtv from 85.234.158.180 Aug 12 10:21:21 symbion sshd[4339]: Invalid user mythtv from 85.234.158.180 I wrote an awk-script, which adds a block of the attacking IP-address to the ipfw-rules after three such invalid user attempts with: ipfw add 550 deny ip from ip The script is fed by syslogd directly -- through a syslog.conf rule (|/opt/sbin/auth-log-watch). Once in a while I manually flush these rules... I this a good (safe) reaction? I'm asking, because the machine (currently running 7.0 as of July 7) hangs solid once every few weeks... My only guess is that a spike in attacks causes too many ipfw-entries created, which paralyzes the kernel due to some bug -- the machine is running natd and is the gateway for the rest of the network... The hangs could, of course, be caused by something else entirely, but my self-defense mechanism is my first suspect... Any comments? Thanks! -mi I doubt it is your script, or syslog causing the crash. It is likely a hardware problem of some type if you have this server completely patched and up-to-date for security patches. I would look at the memory, ethernet, hard disk, or power supply as the most likely candidates. -Derek -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. ___ freebsd-stable@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: machine hangs on occasion - correlated with ssh break-in attempts
At 04:37 PM 8/21/2008, Brooks Davis wrote:
On Thu, Aug 21, 2008 at 10:10:42PM +0200, Rink Springer wrote:
On Thu, Aug 21, 2008 at 01:03:09PM -0700, Jeremy Chadwick wrote:
Finally, consider moving to pf instead, if you really feel ipfw is
what's causing your machine to crash. You might be pleasantly surprised
by the syntax, and overall administrative usability (it is significantly
superior to ipfw, IMHO).
In fact, pf can already do this out-of-the-box, by doing something like:
table sshlusers persist
pass quick on $wan_if proto tcp from any to any port ssh flags S/SA keep
state \
(max-src-conn 15, max-src-conn-rate 5/3, overload sshlusers flush
global)
If that is not an option, I have found that security/denyhosts works
pretty well too (it just adds IP's to /etc/hosts.deniedssh, and
host_access(5) denies them based on this)
You almost certainly don't want to rate limit ssh connections, only failed
ones. If you rate limit connections and use svn, you're likely to lock your
self out.
I find a happy balance is to exclude trusted CIDR blocks from the
rate limiting and let everything else be limited.
e.g.
table bruteforce persist
table SSHTRUSTED {192.168.0.0/16,1.0.0.0/24}
block log quick proto tcp from bruteforce to any port 22
block in log on $ext_if all
pass log quick proto { tcp } from {!SSHTRUSTED} to $myaddress port ssh \
flags S/SA keep state \
(max-src-conn 6, max-src-conn-rate 3/30, \
overload bruteforce flush global)
pass in on $ext_if inet proto tcp from SSHTRUSTED to $ext_if port
ssh keep state
and then a crontab entry
*/5 * * * * /usr/local/sbin/expiretable -v -t 5m bruteforce
---Mike
___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to [EMAIL PROTECTED]
machine hangs on occasion - correlated with ssh break-in attempts
Hello! A machine I manage remotely for a friend comes under a distributed ssh break-in attack every once in a while. Annoyed (and alarmed) by the messages like: Aug 12 10:21:17 symbion sshd[4333]: Invalid user mythtv from 85.234.158.180 Aug 12 10:21:18 symbion sshd[4335]: Invalid user mythtv from 85.234.158.180 Aug 12 10:21:20 symbion sshd[4337]: Invalid user mythtv from 85.234.158.180 Aug 12 10:21:21 symbion sshd[4339]: Invalid user mythtv from 85.234.158.180 I wrote an awk-script, which adds a block of the attacking IP-address to the ipfw-rules after three such invalid user attempts with: ipfw add 550 deny ip from ip The script is fed by syslogd directly -- through a syslog.conf rule (|/opt/sbin/auth-log-watch). Once in a while I manually flush these rules... I this a good (safe) reaction? I'm asking, because the machine (currently running 7.0 as of July 7) hangs solid once every few weeks... My only guess is that a spike in attacks causes too many ipfw-entries created, which paralyzes the kernel due to some bug -- the machine is running natd and is the gateway for the rest of the network... The hangs could, of course, be caused by something else entirely, but my self-defense mechanism is my first suspect... Any comments? Thanks! -mi ___ freebsd-stable@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: machine hangs on occasion - correlated with ssh break-in attempts
On Thu, Aug 21, 2008 at 01:38:38PM -0400, Mikhail Teterin wrote: ... I wrote an awk-script, which adds a block of the attacking IP-address to the ipfw-rules after three such invalid user attempts with: ipfw add 550 deny ip from ip The script is fed by syslogd directly -- through a syslog.conf rule (|/opt/sbin/auth-log-watch). ... At a previous employer, we were building mail relay boxen (FreeBSD 6.0 - 6.2 timeframe); at one point, It Was Decided that rather than having /var/log/maillog written directly by syslogd(8), syslogd(8) would feed a Perl script that would do some Database Things and then get around to appending to /var/log/maillog itself. While the amount of work involved was assuredly greater in that case than in yours, those of us who were actually building and running the relays in question were very unsurprised when Postfix performance improved significantly following a redesign of the application, so that /var/log/maillog was written by syslogd(8) and the Perl script was effectively fed via tail -F. Once in a while I manually flush these rules... I this a good (safe) reaction? I also see such things (on my home firewall machine); my approach is quite a bit different. If folks are interested, I could probably discuss it a bit, but I believe that would be, at best, tangential to your note, and thus ought not be crafted as if it were part of the thread -- and definitely does not warrant the cross-post. ... Peace, david -- David H. Wolfskill [EMAIL PROTECTED] Depriving a girl or boy of an opportunity for education is evil. See http://www.catwhisker.org/~david/publickey.gpg for my public key. pgprPFwl7PcX6.pgp Description: PGP signature
Re: machine hangs on occasion - correlated with ssh break-in attempts
Date: Thu, 21 Aug 2008 13:38:38 -0400 From: Mikhail Teterin [EMAIL PROTECTED] Sender: [EMAIL PROTECTED] Hello! A machine I manage remotely for a friend comes under a distributed ssh break-in attack every once in a while. Annoyed (and alarmed) by the messages like: Aug 12 10:21:17 symbion sshd[4333]: Invalid user mythtv from 85.234.158.180 Aug 12 10:21:18 symbion sshd[4335]: Invalid user mythtv from 85.234.158.180 Aug 12 10:21:20 symbion sshd[4337]: Invalid user mythtv from 85.234.158.180 Aug 12 10:21:21 symbion sshd[4339]: Invalid user mythtv from 85.234.158.180 I wrote an awk-script, which adds a block of the attacking IP-address to the ipfw-rules after three such invalid user attempts with: ipfw add 550 deny ip from ip The script is fed by syslogd directly -- through a syslog.conf rule (|/opt/sbin/auth-log-watch). Once in a while I manually flush these rules... I this a good (safe) reaction? I'm asking, because the machine (currently running 7.0 as of July 7) hangs solid once every few weeks... My only guess is that a spike in attacks causes too many ipfw-entries created, which paralyzes the kernel due to some bug -- the machine is running natd and is the gateway for the rest of the network... The hangs could, of course, be caused by something else entirely, but my self-defense mechanism is my first suspect... Any comments? Thanks! Looks remarkably like sshguard (ports/security/sshguard-*). It does almost exactly what you are doing but is written in C and has command-line switches to set how long a system is blocked, how many attempts constitute an attack and how long it should remember failed attempts. It also allows the use of back-end scripts if you want it to do something else such as generate reports (beyond an entry in /var/log/messages). As far as the hangs, I don't believe it is from the large nu,ber of brute force attempts as they will stop for a given host as soon as the firewall is updated. I seldom see more than a handful of attack sources over any short period. Should you want to continue with your own tool, at least for IPv4, consider using tables rather than a raft of rules. With tables, you need only a single rule and it is there at boot time. -- R. Kevin Oberman, Network Engineer Energy Sciences Network (ESnet) Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab) E-mail: [EMAIL PROTECTED] Phone: +1 510 486-8634 Key fingerprint:059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751 pgpQWTXEMyHIF.pgp Description: PGP signature
feeding log-messages (Re: machine hangs on occasion - correlated with ssh break-in attempts)
David Wolfskill написав(ла): While the amount of work involved was assuredly greater in that case than in yours, those of us who were actually building and running the relays in question were very unsurprised when Postfix performance improved significantly following a redesign of the application, so that /var/log/maillog was written by syslogd(8) and the Perl script was effectively fed via tail -F. In my setup, syslogd does both -- append the message to the appropriate log-file (in this case -- /var/log/auth.log) and feed it to the script's stdin. From syslogd.conf: auth.info;authpriv.info /var/log/auth.log auth.info;authpriv.info |/opt/sbin/auth-log-watch tail -F seems just wrong :-) -mi ___ freebsd-stable@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: machine hangs on occasion - correlated with ssh break-in attempts
Neil Neely написав(ла): I haven't explored this issue enough to speak with any authority - but once upon a time I had an app doing tons of ipfw rule add/removes all the time and we had no end of performance and stability problems on that box (this would have been in 4.x or so timeline I expect). As that approach wasn't really critical we abandoned it without really digging into the details. Years later a need for lots of rapid firewall changes came up again and I drilled into it and found the use of tables was excellent for doing this and it does the job very well. This is approach is on a FreeBSD 6.3 box. ipfw add 00550 deny ip from 'table(1)' to any Then just add remove entries to table 1 via: ipfw table 1 add 10.1.1.22/32 ipfw table 1 delete 10.1.1.22/32 show all entries in table 1 with: ipfw table 1 list Clear out the whole of table 1 ipfw table 1 flush I can't be sure if this relates to your particular issue, but I would recommend trying it out. Thanks! I was not even aware of this functionality... Yes, I'll try that -- maybe, a bug in ipfw only hits once per 1000 invocations :-) -mi ___ freebsd-stable@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: machine hangs on occasion - correlated with ssh break-in attempts
Mikhail Teterin [EMAIL PROTECTED] writes: A machine I manage remotely for a friend comes under a distributed ssh break-in attack every once in a while. Annoyed (and alarmed) by the messages like: Aug 12 10:21:17 symbion sshd[4333]: Invalid user mythtv from 85.234.158.180 Aug 12 10:21:18 symbion sshd[4335]: Invalid user mythtv from 85.234.158.180 Aug 12 10:21:20 symbion sshd[4337]: Invalid user mythtv from 85.234.158.180 Aug 12 10:21:21 symbion sshd[4339]: Invalid user mythtv from 85.234.158.180 I wrote an awk-script, which adds a block of the attacking IP-address to the ipfw-rules after three such invalid user attempts with: ipfw add 550 deny ip from ip I don't know if it will make your problem go away, but using ipfw tables for this seems to be a better idea than creating a new rule for every IP address. So you just need one rule: ipfw add 550 deny ip from table(1) And then when you want to add an IP address to the table: ipfw table 1 add ip You can add ranges too using the CIDR notation. -- Christian Laursen ___ freebsd-stable@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: machine hangs on occasion - correlated with ssh break-in attempts
I haven't explored this issue enough to speak with any authority - but once upon a time I had an app doing tons of ipfw rule add/removes all the time and we had no end of performance and stability problems on that box (this would have been in 4.x or so timeline I expect). As that approach wasn't really critical we abandoned it without really digging into the details. Years later a need for lots of rapid firewall changes came up again and I drilled into it and found the use of tables was excellent for doing this and it does the job very well. This is approach is on a FreeBSD 6.3 box. ipfw add 00550 deny ip from 'table(1)' to any Then just add remove entries to table 1 via: ipfw table 1 add 10.1.1.22/32 ipfw table 1 delete 10.1.1.22/32 show all entries in table 1 with: ipfw table 1 list Clear out the whole of table 1 ipfw table 1 flush I can't be sure if this relates to your particular issue, but I would recommend trying it out. Neil Neely http://neil-neely.blogspot.com On Aug 21, 2008, at 11:38 AM, Mikhail Teterin wrote: Hello! A machine I manage remotely for a friend comes under a distributed ssh break-in attack every once in a while. Annoyed (and alarmed) by the messages like: Aug 12 10:21:17 symbion sshd[4333]: Invalid user mythtv from 85.234.158.180 Aug 12 10:21:18 symbion sshd[4335]: Invalid user mythtv from 85.234.158.180 Aug 12 10:21:20 symbion sshd[4337]: Invalid user mythtv from 85.234.158.180 Aug 12 10:21:21 symbion sshd[4339]: Invalid user mythtv from 85.234.158.180 I wrote an awk-script, which adds a block of the attacking IP- address to the ipfw-rules after three such invalid user attempts with: ipfw add 550 deny ip from ip The script is fed by syslogd directly -- through a syslog.conf rule (|/opt/sbin/auth-log-watch). Once in a while I manually flush these rules... I this a good (safe) reaction? I'm asking, because the machine (currently running 7.0 as of July 7) hangs solid once every few weeks... My only guess is that a spike in attacks causes too many ipfw-entries created, which paralyzes the kernel due to some bug -- the machine is running natd and is the gateway for the rest of the network... The hangs could, of course, be caused by something else entirely, but my self-defense mechanism is my first suspect... Any comments? Thanks! -mi ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to [EMAIL PROTECTED] ___ freebsd-stable@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: machine hangs on occasion - correlated with ssh break-in attempts
On Thu, Aug 21, 2008 at 01:38:38PM -0400, Mikhail Teterin wrote: Hello! A machine I manage remotely for a friend comes under a distributed ssh break-in attack every once in a while. Annoyed (and alarmed) by the messages like: Aug 12 10:21:17 symbion sshd[4333]: Invalid user mythtv from 85.234.158.180 Aug 12 10:21:18 symbion sshd[4335]: Invalid user mythtv from 85.234.158.180 Aug 12 10:21:20 symbion sshd[4337]: Invalid user mythtv from 85.234.158.180 Aug 12 10:21:21 symbion sshd[4339]: Invalid user mythtv from 85.234.158.180 I wrote an awk-script, which adds a block of the attacking IP-address to the ipfw-rules after three such invalid user attempts with: ipfw add 550 deny ip from ip The script is fed by syslogd directly -- through a syslog.conf rule (|/opt/sbin/auth-log-watch). Once in a while I manually flush these rules... I this a good (safe) reaction? I'm asking, because the machine (currently running 7.0 as of July 7) hangs solid once every few weeks... My only guess is that a spike in attacks causes too many ipfw-entries created, which paralyzes the kernel due to some bug -- the machine is running natd and is the gateway for the rest of the network... The hangs could, of course, be caused by something else entirely, but my self-defense mechanism is my first suspect... Any comments? Thanks! Yes, I have quite a few comments on this matter: The above looks like sshguard. I've personally never trusted something that *automatically* adjusts firewall rules based on data read from text logs or packets coming in off the Internet. The risks involved are insanely high. Stop for a moment and think what would happen to your box if a distributed brute-force attack (e.g. 300,000 different IPs) was launched against it; someone executing 20-30 SSH login attempts per IP. I'm willing to bet adding 300,000 individual ipfw entries would cause some serious havok on your machine (speculative: exhausted kernel memory, or at a bare minimum, exhaust the number of remaining ipfw rule entries) And yes, the liklihood of someone doing this is quite high. Try re-thinking your firewall logic. Instead of allow any, deny specific IPs dynamically, how about allow specific IPs, deny all others? Surely you don't have that many users who SSH into the NAT router from random public IPs all over the world, rather than via the LAN? Surely if you yourself often SSH into your NAT router from a Blackberry device, that you wouldn't have much of a problem adding a /19 to the allow list. That's a hell of a lot better than allowing 0/0 and denying individual /32s. A different approach: consider putting sshd on a different port, rather than the default of 22. A lot of people I know do this, solely to decrease the number of brute-force attempts you see above; I've never seen any of those brute-force attacking programs portscan, then attack against a port which returns a OpenSSH string. Finally, consider moving to pf instead, if you really feel ipfw is what's causing your machine to crash. You might be pleasantly surprised by the syntax, and overall administrative usability (it is significantly superior to ipfw, IMHO). -- | Jeremy Chadwickjdc at parodius.com | | Parodius Networking http://www.parodius.com/ | | UNIX Systems Administrator Mountain View, CA, USA | | Making life hard for others since 1977. PGP: 4BD6C0CB | ___ freebsd-stable@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: machine hangs on occasion - correlated with ssh break-in attempts
Mikhail Teterin pisze: Hello! A machine I manage remotely for a friend comes under a distributed ssh break-in attack every once in a while. Annoyed (and alarmed) by the messages like: Aug 12 10:21:17 symbion sshd[4333]: Invalid user mythtv from 85.234.158.180 Aug 12 10:21:18 symbion sshd[4335]: Invalid user mythtv from 85.234.158.180 Aug 12 10:21:20 symbion sshd[4337]: Invalid user mythtv from 85.234.158.180 Aug 12 10:21:21 symbion sshd[4339]: Invalid user mythtv from 85.234.158.180 I wrote an awk-script, which adds a block of the attacking IP-address to the ipfw-rules after three such invalid user attempts with: ipfw add 550 deny ip from ip The script is fed by syslogd directly -- through a syslog.conf rule (|/opt/sbin/auth-log-watch). Hi, You should look at 'bruteblock' (ports/security), it has similar fuctionality. It also provides daemon process, bruteblockd, which is responsible for removing entries from ipfw table. Best regards, -- _/_/ .. Eugene Butusov _/_/ ... www.devilka.info _/_/ ebutusov(at)gmail(dot)com ___ freebsd-stable@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: machine hangs on occasion - correlated with ssh break-in attempts
On Thu, Aug 21, 2008 at 01:03:09PM -0700, Jeremy Chadwick wrote: Finally, consider moving to pf instead, if you really feel ipfw is what's causing your machine to crash. You might be pleasantly surprised by the syntax, and overall administrative usability (it is significantly superior to ipfw, IMHO). In fact, pf can already do this out-of-the-box, by doing something like: table sshlusers persist pass quick on $wan_if proto tcp from any to any port ssh flags S/SA keep state \ (max-src-conn 15, max-src-conn-rate 5/3, overload sshlusers flush global) If that is not an option, I have found that security/denyhosts works pretty well too (it just adds IP's to /etc/hosts.deniedssh, and host_access(5) denies them based on this) Regards, -- Rink P.W. Springer- http://rink.nu Anyway boys, this is America. Just because you get more votes doesn't mean you win. - Fox Mulder ___ freebsd-stable@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: machine hangs on occasion - correlated with ssh break-in attempts
Jeremy Chadwick написав(ла): The above looks like sshguard. Yes, several people have pointed this out. Thanks! I've personally never trusted something that *automatically* adjusts firewall rules based on data read from text logs or packets coming in off the Internet. The risks involved are insanely high. An IP participating in a detected attack like this one, may also be the source of another problem, which may not be detected... I can't afford to monitor this system at all times, hence the reliance on automatic defenses -- better to crash/reboot than be taken over... Stop for a moment and think what would happen to your box if a distributed brute-force attack (e.g. 300,000 different IPs) was launched against it; someone executing 20-30 SSH login attempts per IP. I'm willing to bet adding 300,000 individual ipfw entries would cause some serious havok on your machine (speculative: exhausted kernel memory, or at a bare minimum, exhaust the number of remaining ipfw rule entries) Yes, this is something I'm suspecting happening. But should not there be some frantic messages, when the system is getting closer to this point? There is nothing in the logs... Surely you don't have that many users who SSH into the NAT router from random public IPs all over the world, rather than via the LAN? Surely if you yourself often SSH into your NAT router from a Blackberry device, that you wouldn't have much of a problem adding a /19 to the allow list. That's a hell of a lot better than allowing 0/0 and denying individual /32s. Myself -- and the owner of the box -- travel quite a bit, ssh-ing home from anywhere in the world. Although we could, I suppose, find out the destination-country's IP-allocation and add it before leaving, that would be quite tedious to manage... A different approach: consider putting sshd on a different port, rather than the default of 22. A lot of people I know do this, solely to decrease the number of brute-force attempts you see above; I've never seen any of those brute-force attacking programs portscan, then attack against a port which returns a OpenSSH string. That's sounds kinda lame -- and temporary... Like buying an SUV to be higher (and heavier) than other cars, this only works, until everyone has an SUV :-) Once enough people move their sshd to different ports, the next release of the ssh-attack will be doing the portscanning, no doubt... Essential liberty vs. temporary security and all that :) Finally, consider moving to pf instead, if you really feel ipfw is what's causing your machine to crash. You might be pleasantly surprised by the syntax, and overall administrative usability (it is significantly superior to ipfw, IMHO). Thanks for the suggestion... But would this solve the suspected problems with kernel memory exhaustion, etc.? Whatever the firewall method, it still needs to keep the rules memorized somewhere... Yours, -mi ___ freebsd-stable@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: machine hangs on occasion - correlated with ssh break-in attempts
On Thu, Aug 21, 2008 at 10:10:42PM +0200, Rink Springer wrote: On Thu, Aug 21, 2008 at 01:03:09PM -0700, Jeremy Chadwick wrote: Finally, consider moving to pf instead, if you really feel ipfw is what's causing your machine to crash. You might be pleasantly surprised by the syntax, and overall administrative usability (it is significantly superior to ipfw, IMHO). In fact, pf can already do this out-of-the-box, by doing something like: table sshlusers persist pass quick on $wan_if proto tcp from any to any port ssh flags S/SA keep state \ (max-src-conn 15, max-src-conn-rate 5/3, overload sshlusers flush global) If that is not an option, I have found that security/denyhosts works pretty well too (it just adds IP's to /etc/hosts.deniedssh, and host_access(5) denies them based on this) You almost certainly don't want to rate limit ssh connections, only failed ones. If you rate limit connections and use svn, you're likely to lock your self out. -- Brooks pgpCGEoUtGw9W.pgp Description: PGP signature
Re: machine hangs on occasion - correlated with ssh break-in attempts
Kevin Oberman wrote: Date: Thu, 21 Aug 2008 13:38:38 -0400 From: Mikhail Teterin [EMAIL PROTECTED] Sender: [EMAIL PROTECTED] Hello! A machine I manage remotely for a friend comes under a distributed ssh break-in attack every once in a while. Annoyed (and alarmed) by the messages like: Aug 12 10:21:17 symbion sshd[4333]: Invalid user mythtv from 85.234.158.180 Aug 12 10:21:18 symbion sshd[4335]: Invalid user mythtv from 85.234.158.180 Aug 12 10:21:20 symbion sshd[4337]: Invalid user mythtv from 85.234.158.180 Aug 12 10:21:21 symbion sshd[4339]: Invalid user mythtv from 85.234.158.180 I wrote an awk-script, which adds a block of the attacking IP-address to the ipfw-rules after three such invalid user attempts with: ipfw add 550 deny ip from ip The script is fed by syslogd directly -- through a syslog.conf rule (|/opt/sbin/auth-log-watch). Once in a while I manually flush these rules... I this a good (safe) reaction? I'm asking, because the machine (currently running 7.0 as of July 7) hangs solid once every few weeks... My only guess is that a spike in attacks causes too many ipfw-entries created, which paralyzes the kernel due to some bug -- the machine is running natd and is the gateway for the rest of the network... The hangs could, of course, be caused by something else entirely, but my self-defense mechanism is my first suspect... Any comments? Thanks! also, if you do this, have a single rule that uses a table and add the addresses to the table. Looks remarkably like sshguard (ports/security/sshguard-*). It does almost exactly what you are doing but is written in C and has command-line switches to set how long a system is blocked, how many attempts constitute an attack and how long it should remember failed attempts. It also allows the use of back-end scripts if you want it to do something else such as generate reports (beyond an entry in /var/log/messages). As far as the hangs, I don't believe it is from the large nu,ber of brute force attempts as they will stop for a given host as soon as the firewall is updated. I seldom see more than a handful of attack sources over any short period. Should you want to continue with your own tool, at least for IPv4, consider using tables rather than a raft of rules. With tables, you need only a single rule and it is there at boot time. ___ freebsd-stable@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: machine hangs on occasion - correlated with ssh break-in attempts
I do something related to this with fwlogwatch although it can probably
be adapted to any similar tool; when I hit the 'block' threshold, I
execute something like:
#!/bin/sh
HR=`date +%-k`
/sbin/ipfw table 0 add $3 ${HR}
.. so each entry has a tag indicating the hour at which the block was
initiated.
At 5 to the hour, I run a simple cron job which does this to clean out
everything older than 24 hours ..
#!/bin/sh
HR=`date -v+1H +%-k`
/sbin/ipfw table 0 list /tmp/xx.$$
cat /tmp/xx.$$ |
while read LINE
do
set $LINE
case $2 in
${HR})
/sbin/ipfw table 0 delete $1
echo -n `date +%H:%M:%S` /var/log/fwlw_clean_log
echo fwlw_clean: removed $1 from table 0
/var/log/fwlw_clean_log
esac
done
rm /tmp/xx.$$
I also have a script in /usr/local/etc/rc.d which saves the current
state in the event of an orderly shutdown and restores it on boot:
#!/bin/sh
case $1 in
start)
cat /var/db/ipfw/cache0 | while read LINE
do
set $LINE
/sbin/ipfw table 0 add $1 $2
done
;;
stop)
/sbin/ipfw table 0 list /var/db/ipfw/cache0
;;
restart)
$0 $DEBUG stop
$0 $DEBUG start
exit $?
;;
*)
echo Usage: $0 {start|stop|restart}
exit 1
;;
esac
exit 0
Of course, this only works for ipv4 because of the restriction on the
ipfw table data but it's just an example,
Michael
___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: machine hangs on occasion - correlated with ssh break-in attempts
Ross Wheeler написав(ла): I overcame these conflicting requirements with a 2-step process. They authorised user first browsed to a website which asked their username and password. When entered correctly, it opened a hole in the firewall to allow that IP to their network. A timer ran every 15 minutes to close the hole (but was over-ridden by the web page which kept refreshing every 10 mins). The last part may not be necessary for you, but this may be a possible workaround for your traveling access. Leave a default of deny any except from trusted, fixed hosts, and add transient access as required. This approach (or port-knocking of some sort) is good, but I'm not that worried about the sshd itself -- and the /detected/ attacks against it. It is the /undetected/ attacks against other services (such as apache), that worry me, and locking-out a rogue IP-address /completely/ is what I'd like to do. So your method would not work for me -- reaching the web-page (to allow myself a way back in) will be just as impossible as reaching the ssh-port... Thanks. Yours, -mi ___ freebsd-stable@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: machine hangs on occasion - correlated with ssh break-in attempts
On Thu, 21 Aug 2008, Mikhail Teterin wrote: Surely you don't have that many users who SSH into the NAT router from random public IPs all over the world, rather than via the LAN? Surely if you yourself often SSH into your NAT router from a Blackberry device, that you wouldn't have much of a problem adding a /19 to the allow list. That's a hell of a lot better than allowing 0/0 and denying individual /32s. Myself -- and the owner of the box -- travel quite a bit, ssh-ing home from anywhere in the world. Although we could, I suppose, find out the destination-country's IP-allocation and add it before leaving, that would be quite tedious to manage... One of my clients used to have a microwave link from my network to their office - and they were totally paranoid about remote access yet needed live IPs fr other reasons. They too needed frequent remote access from arbitary addresses. I overcame these conflicting requirements with a 2-step process. They authorised user first browsed to a website which asked their username and password. When entered correctly, it opened a hole in the firewall to allow that IP to their network. A timer ran every 15 minutes to close the hole (but was over-ridden by the web page which kept refreshing every 10 mins). The last part may not be necessary for you, but this may be a possible workaround for your traveling access. Leave a default of deny any except from trusted, fixed hosts, and add transient access as required. (The system did fail where your browser was proxied, but I catered for that for the network guys by lettig them enter an IP address to open along with their user/pass - it just defaulted to the requesting host to make it easy) YMMV. RossW ___ freebsd-stable@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: machine hangs on occasion - correlated with ssh break-in attempts
There are many excellent suggestions on how to deal with invalid/unauthorised
access attempts via ssh. I'd used sshguard for around 8 months but recently
changed to bruteblock, both are in the ports/security. sshguard was very easy
to configure, via rc.conf arguments. Bruteblock handled the same problem
more elegantly: uses two processes one for monitoring audit.log, via a pipe and
one for maintaining the ipfw table entries, it uses the ipfw table value with
the date/time entered, and the C code is cleaner (some optimisations are
possible but this is V0.5).
If you'd like to try it here are the steps I used to get it going:
Install package
Configure /usr/local/etc/bruteblock-ssh.conf (Using regexp
from sample, but modify parameters to suite your environment.)
regexp =
sshd.*Illegal user \S+ from (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
regexp1 =
sshd.*Failed password for (?:illegal user )?\S+ from
(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}
# three failures in 3 minutes is blocked for a day, using ipfw2 table
10max_count = 3
within_time = 180
reset_ip = 86400
ipfw2_table_no = 10
Insert into /etc/syslog.conf
auth.info;authpriv.info |exec /usr/local/sbin/bruteblock –f
/usr/local/etc/bruteblock-ssh.conf
Add to firewall rules (and /etc/rc.firewall)ipfw add 4 deny ip from table\(10\)
to any
ipfw add 4 deny ip from any to table\(10\) Add into
/etc/rc.confbruteblockd_enable=YES
bruteblockd_table=10
bruteblockd_flags=-s 7200 # How frequently to review the ipfw table for
entry removal Now restart syslog, and start bruteblockd/etc/rc.d/syslogd restart
/usr/local/etc/rc.d/bruteblockd.sh start
Win a MacBook Air or iPod touch with Yahoo!7.
http://au.docs..yahoo.com/homepageset
___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: machine hangs on occasion - correlated with ssh break-in attempts
On Thu, 21 Aug 2008 13:03:09 -0700
Jeremy Chadwick [EMAIL PROTECTED] wrote:
A different approach: consider putting sshd on a different port, rather
than the default of 22. A lot of people I know do this, solely to
decrease the number of brute-force attempts you see above; I've never
seen any of those brute-force attacking programs portscan, then attack
against a port which returns a OpenSSH string.
+1 - obscurity definitely doesn't ADD to security , but it removes all the
noise from your system.
Alternatively, you try port knocking ;)
Finally, consider moving to pf instead, if you really feel ipfw is
what's causing your machine to crash. You might be pleasantly surprised
by the syntax, and overall administrative usability (it is significantly
superior to ipfw, IMHO).
+1
_
{Beto|Norberto|Numard} Meijome
If Bill Gates had a dollar for every time a Windows box crashed...
.. Oh, wait a minute, he already does.
I speak for myself, not my employer. Contents may be hot. Slippery when wet.
Reading disclaimers makes you go blind. Writing them is worse. You have been
Warned.
___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: machine hangs on occasion - correlated with ssh break-in attempts
On Thu, 21 Aug 2008 16:28:05 -0400
Mikhail Teterin [EMAIL PROTECTED] wrote:
Myself -- and the owner of the box -- travel quite a bit, ssh-ing home
from anywhere in the world.
why not setup a SSL-based vpn ? lock everything down except the port of the
vpn. try openvpn.
Although we could, I suppose, find out the
destination-country's IP-allocation and add it before leaving, that
would be quite tedious to manage...
geoip attached to pf rules :P has anyone done it? But I can tell you it isn't
that reliable...you want to have a way to bypass it.
b
_
{Beto|Norberto|Numard} Meijome
Why do you sit there looking like an envelope without any address on it?
Mark Twain
I speak for myself, not my employer. Contents may be hot. Slippery when wet.
Reading disclaimers makes you go blind. Writing them is worse. You have been
Warned.
___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to [EMAIL PROTECTED]
