system is under attack (what can I do more?)
Dear freebsd list,

My server, which is an amd64 system running FreeBSD 8.0, is currently under attack from a botnet or something. Take a look at my /var/log/auth.log file:

Jun 18 12:00:00 dual newsyslog[34486]: logfile turned over due to size>100K
Jun 18 12:00:44 dual sshd[34500]: Address 78.5.23.41 maps to 78-5-23-41-static.albacom.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Jun 18 12:00:44 dual sshd[34500]: Invalid user po from 78.5.23.41
Jun 18 12:00:44 dual sshd[34500]: error: PAM: authentication error for illegal user po from 78.5.23.41
Jun 18 12:00:44 dual sshd[34500]: Failed keyboard-interactive/pam for invalid user po from 78.5.23.41 port 1 ssh2
Jun 18 12:02:17 dual sshd[34503]: Invalid user pol from 211.138.112.241
Jun 18 12:02:17 dual sshd[34503]: error: PAM: authentication error for illegal user pol from 211.138.112.241
Jun 18 12:02:17 dual sshd[34503]: Failed keyboard-interactive/pam for invalid user pol from 211.138.112.241 port 59172 ssh2
Jun 18 12:03:36 dual sshd[34506]: Invalid user polo from 210.59.145.5
Jun 18 12:03:36 dual sshd[34506]: error: PAM: authentication error for illegal user polo from 210.59.145.5
Jun 18 12:03:36 dual sshd[34506]: Failed keyboard-interactive/pam for invalid user polo from 210.59.145.5 port 56517 ssh2
Jun 18 12:04:34 dual sshd[34509]: Invalid user poning from 58.68.131.50
Jun 18 12:04:35 dual sshd[34509]: error: PAM: authentication error for illegal user poning from 58.68.131.50
Jun 18 12:04:35 dual sshd[34509]: Failed keyboard-interactive/pam for invalid user poning from 58.68.131.50 port 55580 ssh2
Jun 18 12:06:11 dual sshd[34514]: User pop from 220.191.131.209 not allowed because not listed in AllowUsers
Jun 18 12:06:12 dual sshd[34514]: error: PAM: authentication error for illegal user pop from 220.191.131.209
Jun 18 12:06:12 dual sshd[34514]: Failed keyboard-interactive/pam for invalid user pop from 220.191.131.209 port 50786 ssh2
Jun 18 12:08:44 dual sshd[34517]: Invalid user popo from 92.79.130.80
Jun 18 12:08:44 dual sshd[34517]: error: PAM: authentication error for illegal user popo from 92.79.130.80
Jun 18 12:08:44 dual sshd[34517]: Failed keyboard-interactive/pam for invalid user popo from 92.79.130.80 port 34021 ssh2
Jun 18 12:08:51 dual sshd[34520]: User pop from 190.41.164.23 not allowed because not listed in AllowUsers
Jun 18 12:08:52 dual sshd[34520]: error: PAM: authentication error for illegal user pop from 190.41.164.23
Jun 18 12:08:52 dual sshd[34520]: Failed keyboard-interactive/pam for invalid user pop from 190.41.164.23 port 26359 ssh2
Jun 18 12:10:30 dual sshd[34525]: Invalid user poppy from 222.68.200.116
Jun 18 12:10:31 dual sshd[34525]: error: PAM: authentication error for illegal user poppy from 222.68.200.116
Jun 18 12:10:31 dual sshd[34525]: Failed keyboard-interactive/pam for invalid user poppy from 222.68.200.116 port 56770 ssh2
Jun 18 12:11:56 dual sshd[34540]: Invalid user porno from 81.74.38.142
Jun 18 12:11:56 dual sshd[34540]: error: PAM: authentication error for illegal user porno from 81.74.38.142
Jun 18 12:11:56 dual sshd[34540]: Failed keyboard-interactive/pam for invalid user porno from 81.74.38.142 port 10478 ssh2
Jun 18 12:13:05 dual sshd[34543]: Invalid user port from 62.218.125.149
Jun 18 12:13:05 dual sshd[34543]: error: PAM: authentication error for illegal user port from 62.218.125.149
Jun 18 12:13:05 dual sshd[34543]: Failed keyboard-interactive/pam for invalid user port from 62.218.125.149 port 54959 ssh2
Jun 18 12:14:13 dual sshd[34546]: Invalid user portal from 195.5.12.170
Jun 18 12:14:13 dual sshd[34546]: error: PAM: authentication error for illegal user portal from 195.5.12.170
Jun 18 12:14:13 dual sshd[34546]: Failed keyboard-interactive/pam for invalid user portal from 195.5.12.170 port 59904 ssh2
Jun 18 12:15:53 dual sshd[34551]: Invalid user portal from 201.24.215.217
Jun 18 12:15:53 dual sshd[34551]: error: PAM: authentication error for illegal user portal from 201.24.215.217
Jun 18 12:15:53 dual sshd[34551]: Failed keyboard-interactive/pam for invalid user portal from 201.24.215.217 port 61107 ssh2
Jun 18 12:18:20 dual sshd[34554]: Invalid user pos from 211.97.71.218
Jun 18 12:18:21 dual sshd[34554]: error: PAM: authentication error for illegal user pos from 211.97.71.218
Jun 18 12:18:21 dual sshd[34554]: Failed keyboard-interactive/pam for invalid user pos from 211.97.71.218 port 53424 ssh2
Jun 18 12:19:28 dual sshd[34557]: Invalid user pos from 200.171.22.80
Jun 18 12:19:28 dual sshd[34557]: error: PAM: authentication error for illegal user pos from 200.171.22.80
Jun 18 12:19:28 dual sshd[34557]: Failed keyboard-interactive/pam for invalid user pos from 200.171.22.80 port 56309 ssh2
Jun 18 12:21:12 dual sshd[34562]: Invalid user postfix from 165.98.133.98
Jun 18 12:21:12 dual sshd[34562]: error: PAM: authentication error for illegal user postfix from up.upoli.edu.ni
Jun 18 12:21:12 dual sshd[34562]: Failed keyboard-interactive/pam
Re: system is under attack (what can I do more?)
Hello,

1. Maybe the line with the rule is in a bad place in the conf, but even if it's working it's possible that it won't be triggered. As far as I can see there are 30 sec interval pauses between attacks from one host. Your rule is looking for connections in 30 sec ranges.

2. You should use a program that monitors the logs and then passes the IPs after 3 unsuccessful logins to the bruteforce table. See bruteforceblocker, but there are a bunch of other programs for this.

Regards,
MB.

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: system is under attack (what can I do more?)
On Friday 18 June 2010 13:23:27 Dino Vliet wrote:
> Dear freebsd list,
>
> My server, which is an amd64 system running FreeBSD 8.0, is currently under attack from a botnet or something. Take a look at my /var/log/auth.log file:
>
> [...]
>
> I looked at this and especially the way they seem to try different usernames (not fully random though) is quite clever. The postgres user they tried worried me at first, but fortunately I realized that postgres wasn't running on that server.
>
> I have configured the AllowUsers directive in sshd_config and it only contains 2 usernames which can log in from sshd remotely.
>
> Another line of defence is my pf firewall config which has the following in it:
>
> pass in proto tcp from any to any port ssh keep state (max-src-conn 3, max-src-conn-rate 2/30, overload <bruteforce> flush global)
>
> However, almost none of the ip-addresses above end up in that bruteforce table.
>
> Now my questions are:
>
> 1) why doesn't ip-address 190.38.59.236 for instance get triggered by my pf rule? Is that because this connection stays within the limits? Should I change that, but then again, considering the attack rate what values would be suitable?
>
> 2) are there other things I could do?

These types of ssh probes are common nowadays. Unless you have a misconfigured server you don't need to worry about users like postgres, uucp, games, bin, operator, daemon etc. because they won't have a shell configured and so won't be allowed to login. The attacks have recently started working around rate limits by only trying from a single address every few minutes.

Since you're already using the AllowUsers directive I suspect you're not really at much risk, but there are a few things you could do:

1. Don't allow password authentication. It might be a bit of a hassle to set up, but it's so much simpler once it's running to authenticate via ssh keys and it stops the bots in their tracks.

2. Block IP ranges that you won't login from, or, if you know of places you will login from, only allow connections from those IP addresses.

3. Move sshd to a different port. I don't like this workaround since although it stops the attacks it's nonstandard and means you have to remember to specify the port each time you connect.

-- 
Bruce Cran
Re: system is under attack (what can I do more?)
On 6/18/2010 8:23 AM, Dino Vliet wrote:
> 2) are there other things I could do?
>
> Brgds
> Dino

Look at ports/security/sshguard and ports/security/bruteblock. I use sshguard with ipfilter, but it works with pf and ipfw as well. It is very simple to set up and gets the job done.

Jerry
Re: system is under attack (what can I do more?)
> [...]
> Look at ports/security/sshguard and ports/security/bruteblock. I use sshguard with ipfilter, but it works with pf and ipfw as well. It is very simple to set up and gets the job done.
>
> Jerry

Hi, just wanted to say thanks for stating this, as I'm also looking for a BSD version of fail2ban which I couldn't find in the FreeBSD ports collection.

A real problem with this kind of attack is that, even though brute force in nature, it can also work like a DoS if the server is having to handle X amount of break-ins per second; and if multiple people are trying to hack the system at the same time, it can steal bandwidth too, as, let's face it, not everyone has high-powered enterprise-grade MetroEthernet or OC12+ trunk WAN connectivity. A lot of people are still on ADSL or even Dial-Up.

Regards,

Kaya
Re: system is under attack (what can I do more?)
Hi,

On 6/18/10 11:29 AM, Kaya Saman wrote:
>> [...]
>> Look at ports/security/sshguard and ports/security/bruteblock. I use sshguard with ipfilter, but it works with pf and ipfw as well. It is very simple to set up and gets the job done.
>
> Hi, just wanted to say thanks for stating this, as I'm also looking for a BSD version of fail2ban which I couldn't find in the FreeBSD ports collection.

security/py-fail2ban

Regards,

-- 
Glen Barber
Re: system is under attack (what can I do more?)
On 18/06/2010 18:48, Glen Barber wrote:
> Hi,
>
> On 6/18/10 11:29 AM, Kaya Saman wrote:
>>> [...]
>>> Look at ports/security/sshguard and ports/security/bruteblock. I use sshguard with ipfilter, but it works with pf and ipfw as well. It is very simple to set up and gets the job done.
>>
>> Hi, just wanted to say thanks for stating this, as I'm also looking for a BSD version of fail2ban which I couldn't find in the FreeBSD ports collection.
>
> security/py-fail2ban
>
> Regards,

Ah.. Thanks!! :-)

Regards,

Kaya
Re: system is under attack (what can I do more?)
On Fri, Jun 18, 2010 at 11:48:25AM -0400, Glen Barber wrote:
> Hi,
>
> On 6/18/10 11:29 AM, Kaya Saman wrote:
>>> [...]
>>> Look at ports/security/sshguard and ports/security/bruteblock. I use sshguard with ipfilter, but it works with pf and ipfw as well. It is very simple to set up and gets the job done.
>>
>> Hi, just wanted to say thanks for stating this, as I'm also looking for a BSD version of fail2ban which I couldn't find in the FreeBSD ports collection.
>
> security/py-fail2ban

Doesn't FreeBSD's version of pf support the overload feature? This is how we typically manage ssh bruteforce attempts in OpenBSD/pf-land.

-- 
Jason Dixon
OmniTI Computer Consulting, Inc.
jdi...@omniti.com
443.325.1357 x.241
Re: system is under attack (what can I do more?)
Kaya Saman wrote:
> On 18/06/2010 18:48, Glen Barber wrote:
>> Hi,
>>
>> On 6/18/10 11:29 AM, Kaya Saman wrote:
>>>> [...]
>>>> Look at ports/security/sshguard and ports/security/bruteblock. I use sshguard with ipfilter, but it works with pf and ipfw as well. It is very simple to set up and gets the job done.
>>>
>>> Hi, just wanted to say thanks for stating this, as I'm also looking for a BSD version of fail2ban which I couldn't find in the FreeBSD ports collection.
>>
>> security/py-fail2ban
>>
>> Regards,
>
> Ah.. Thanks!! :-)
>
> Regards,
>
> Kaya

The make search target is useful for finding ports when you only have a keyword or name to go on:

# cd /usr/ports/
# make search
The search target requires a keyword parameter or name parameter, e.g.:
make search key=somekeyword or make search name=somekeyword
# make name=fail2ban search
Port:   py26-fail2ban-0.8.4
Path:   /usr/ports/security/py-fail2ban
Info:   scans log files and bans IP that makes too many password failures.
Maint:  t...@pc-tony.com
B-deps: python26-2.6.5
R-deps: python26-2.6.5
WWW:    http://www.fail2ban.org/wiki/index.php/Main_Page

Hope that helps,
Greg

-- 
Greg Larkin

http://www.FreeBSD.org/ - The Power To Serve
http://www.sourcehosting.net/ - Ready. Set. Code.
http://twitter.com/sourcehosting/ - Follow me, follow you
Re: system is under attack (what can I do more?)
On 18.06.10 17:55, Jason Dixon wrote:
> Doesn't FreeBSD's version of pf support the overload feature? This is how we typically manage ssh bruteforce attempts in OpenBSD/pf-land.

And what do you want to do if a user connects, authorized, very often in, let's say, 10 seconds? If you work e.g. with subversion or other tunneled connections, 10 connections in 5 seconds is not seldom. On pf-level you are not able to distinguish between successful or denied connections, or?

Bye,
Matthias

-- 
Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the universe trying to produce bigger and better idiots. So far, the universe is winning. -- Rich Cook
Re: system is under attack (what can I do more?)
On 18/06/2010 16:55:14, Jason Dixon wrote:
> Doesn't FreeBSD's version of pf support the overload feature? This is how we typically manage ssh bruteforce attempts in OpenBSD/pf-land.

Sure it does. pf in FreeBSD 7.2+ or 8.0+ is basically the same as in OpenBSD 4.3.

Overload works pretty well against bruteforcing, but some of the bruteforcers are getting wise to that sort of protection and not hitting an individual machine frequently enough to trigger the lock-out. Of course, this does mean that they are going slowly enough that they aren't eating your bandwidth or flooding your log files quite so much, but it is still annoying.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matt...@infracaninophile.co.uk               Kent, CT11 9PW
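The two points argued in this thread, that a pf max-src-conn-rate rule counts every new connection (Matthias's objection) while a slow bruteforcer spacing its attempts minutes apart never trips it (Bruce's and Matthew's observation), can be replayed against log lines in the auth.log format Dino posted. This Python script is an added example, not code from the thread or from sshguard/fail2ban; the log lines, the documentation-range addresses and the "Accepted publickey" entries are constructed for it, and the pf parameters follow Dino's rule (max-src-conn-rate 2/30).

```python
import re
from collections import deque
from datetime import datetime

# Constructed sample in the auth.log format shown in this thread (FreeBSD 8.0 sshd
# via PAM); the addresses are documentation ranges, not the ones from the post.
SAMPLE_LOG = """\
Jun 18 12:00:44 dual sshd[34500]: Invalid user po from 192.0.2.10
Jun 18 12:00:44 dual sshd[34500]: Failed keyboard-interactive/pam for invalid user po from 192.0.2.10 port 1 ssh2
Jun 18 12:05:44 dual sshd[34503]: Failed keyboard-interactive/pam for invalid user pol from 192.0.2.10 port 59172 ssh2
Jun 18 12:10:44 dual sshd[34506]: Failed keyboard-interactive/pam for invalid user polo from 192.0.2.10 port 56517 ssh2
Jun 18 12:15:44 dual sshd[34509]: Failed keyboard-interactive/pam for invalid user pos from 192.0.2.10 port 55580 ssh2
Jun 18 12:20:00 dual sshd[34600]: Accepted publickey for dino from 198.51.100.7 port 50001 ssh2
Jun 18 12:20:01 dual sshd[34601]: Accepted publickey for dino from 198.51.100.7 port 50002 ssh2
Jun 18 12:20:02 dual sshd[34602]: Accepted publickey for dino from 198.51.100.7 port 50003 ssh2
"""

LINE_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[(\d+)\]: (.*?) from (\d+\.\d+\.\d+\.\d+)")

def parse(log, year=2010):
    """Return (timestamp, source ip, sshd pid, failed?) per sshd line. Syslog
    timestamps carry no year, so one is supplied; one sshd pid == one TCP connection."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(4), m.group(2), m.group(3).startswith("Failed")))
    return events

def trips(events, ip, window, max_allowed, failures_only):
    """Return the time at which `ip` exceeds max_allowed events inside a sliding
    `window` of seconds, or None. failures_only=False mimics pf max-src-conn-rate
    (every new connection counts, login outcome unknown to the packet filter);
    True mimics a log watcher such as sshguard/fail2ban/bruteforceblocker."""
    recent, seen = deque(), set()
    for ts, src, pid, failed in events:
        if src != ip or (failures_only and not failed) or (not failures_only and pid in seen):
            continue
        seen.add(pid)
        recent.append(ts)
        while (ts - recent[0]).total_seconds() > window:
            recent.popleft()          # drop connections older than the window
        if len(recent) > max_allowed:
            return ts
    return None

if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    for ip in ("192.0.2.10", "198.51.100.7"):
        print(ip, "pf 2/30:", trips(ev, ip, 30, 2, False),
              "| log watcher, 3 failures per hour:", trips(ev, ip, 3600, 2, True))
```

The slow attacker never exceeds 2 connections per 30 s, so the pf rule never adds it to the table, whereas the third failure within the hour bans it on the log-watcher policy; the legitimate subversion-style burst trips the pf rule on its third connection but, having no failed logins, is never touched by the log watcher.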
Re: system is under attack (what can I do more?)
On 06/18/2010 06:59 PM, Greg Larkin wrote:
> Kaya Saman wrote:
>> On 18/06/2010 18:48, Glen Barber wrote:
>>> Hi,
>>>
>>> On 6/18/10 11:29 AM, Kaya Saman wrote:
>>>>> [...]
>>>>> Look at ports/security/sshguard and ports/security/bruteblock. I use sshguard with ipfilter, but it works with pf and ipfw as well. It is very simple to set up and gets the job done.
>>>>
>>>> Hi, just wanted to say thanks for stating this, as I'm also looking for a BSD version of fail2ban which I couldn't find in the FreeBSD ports collection.
>>>
>>> security/py-fail2ban
>>>
>>> Regards,
>>
>> Ah.. Thanks!! :-)
>>
>> Regards,
>>
>> Kaya
>
> The make search target is useful for finding ports when you only have a keyword or name to go on:
>
> # cd /usr/ports/
> # make search
> The search target requires a keyword parameter or name parameter, e.g.:
> make search key=somekeyword or make search name=somekeyword
> # make name=fail2ban search
> Port:   py26-fail2ban-0.8.4
> Path:   /usr/ports/security/py-fail2ban
> Info:   scans log files and bans IP that makes too many password failures.
> Maint:  t...@pc-tony.com
> B-deps: python26-2.6.5
> R-deps: python26-2.6.5
> WWW:    http://www.fail2ban.org/wiki/index.php/Main_Page
>
> Hope that helps,
> Greg
>
> -- 
> Greg Larkin
>
> http://www.FreeBSD.org/ - The Power To Serve
> http://www.sourcehosting.net/ - Ready. Set. Code.
> http://twitter.com/sourcehosting/ - Follow me, follow you

Thanks Greg!! That is useful and will probably save me a lot of digging in the future when attempting to get other things migrated over from Linux and/or Solaris etc. :-)

Regards,

Kaya