On 04/16/2010 05:18, krad wrote:
> On 16 April 2010 09:39, David Xu <davi...@freebsd.org> wrote:
> 
>> Jeremy Lea wrote:
>>
>>> Hi,
>>>
>>> This is off topic to this list, but I don't want to subscribe to -chat
>>> just to post there...  Someone is currently running a distributed SSH
>>> attack against one of my boxes - one attempted login for root every
>>> minute or so for the last 48 hours.  They won't get anywhere, since the
>>> box in question has no root password, and doesn't allow root logins via
>>> SSH anyway...
>>>
>>> But I was wondering if there were any security researchers out there
>>> that might be interested in the +-800 IPs I've collected from the
>>> botnet?  The resolvable hostnames mostly appear to be in Eastern Europe
>>> and South America - I haven't spotted any that might be 'findable' to
>>> get the botnet software.
>>>
>>> I could switch out the machine for a honeypot in a VM or a jail, by
>>> moving the host to a new IP, and if you can think of a way of allowing
>>> the next login to succeed with any password, then you could try to see
>>> what they delivered...  But I don't have a lot of time to help.
>>>
>>> Regards,
>>>  -Jeremy
>>>
>>>
>> Try to change the SSH port to something other than the default port 22.
>> I always did this for my machines, e.g., change them to 13579 :-)
>>
>> Regards,
>> David Xu
>> _______________________________________________
>> freebsd-hackers@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
>> To unsubscribe, send any mail to "freebsd-hackers-unsubscr...@freebsd.org"
>>
> 
> Don't allow password auth, tcp wrap it, and ACL it with pf. Probably more
> stuff you can do. Think onions.

Not allowing password auth also means turning off PAM authentication for
logins with openssh and has the resulting effect of utmp not being updated,
among other things. Be sure you want to go this route.

tcpwrap it? That is unneeded. The moment you start configuring
hosts.allow your system is going to be sending requests for ident. It's a
bad idea with all the other options that are available.

pf (GREAT IDEA!) I use the following, for example, on a home box to limit
the exposure to attacks.

shports="ssh"

table <blacklist>       file "/etc/pf/tables/blacklist"

... some other rules ...

block log quick from <blacklist> label "Blacklisted"

.... some more rules ...

pass in log quick proto { tcp } from any port >1024 to any port \
{ $shports } label "SSH/Login:$dstport" keep state (max-src-conn \
5, max-src-conn-rate 15/30 overload <blacklist> flush global)

pass out all label "Implicit"

As soon as an offender violates this they end up in the blacklist, which I
run <below url> on every 3 hours to save to the file listed in the table
store above:

http://tinyurl.com/29y4zdh

Good luck.

-- 

 jhell
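The script behind the tinyurl is not reproduced on this page, so the following is an added example (not jhell's script and not anything shipped with FreeBSD) that does the same job: it merges the live <blacklist> table that the overload rule fills with the file on disk and reloads it, so addresses caught by max-src-conn-rate survive a reboot or a table flush. The table name and file path are taken from the rules above; the script location in the crontab line is an assumption.

```shell
#!/bin/sh
# Added example, not the script behind the tinyurl above: persist the pf
# <blacklist> table that the overload rule fills, merging the live entries
# with the copy on disk so they survive a reboot or a table flush.
# Assumed (from the rules above): table <blacklist>, /etc/pf/tables/blacklist.
# Suggested crontab entry (script path is an assumption):
#   0 */3 * * * root /usr/local/sbin/pf-blacklist.sh save
set -eu

TABLE="blacklist"
FILE="/etc/pf/tables/blacklist"

# merge_entries FILE: union of the addresses read from stdin (one per line,
# as `pfctl -T show` prints them) and those already in FILE. Comments,
# blank lines and surrounding whitespace are dropped; anything that does
# not look like an IPv4/IPv6 address or prefix is discarded; the output is
# sorted and deduplicated. A missing FILE is treated as empty.
merge_entries() {
    existing="$1"
    {
        [ -r "$existing" ] && cat "$existing"
        cat
    } | sed -e 's/#.*//' -e 's/[[:space:]]//g' \
      | grep -E '^[0-9A-Fa-f.:]+(/[0-9]{1,3})?$' \
      | LC_ALL=C sort -u
}

# persist_table: dump the live table, merge it with FILE, write the result
# back atomically, then load the merged file into the table so that
# entries lost to `pfctl -F` or a reboot are restored.
persist_table() {
    tmp="$(mktemp "${FILE}.XXXXXX")"
    pfctl -t "$TABLE" -T show | merge_entries "$FILE" > "$tmp"
    mv "$tmp" "$FILE"
    pfctl -t "$TABLE" -T replace -f "$FILE" > /dev/null
}

# Only touch pfctl when explicitly asked, so the functions can be exercised
# on a box without a live pf.
case "${1:-}" in
    save) persist_table ;;
esac
```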
