too many illegal connection attempts through ssh

2005-04-06 Thread Edwin D. Vinas
hello,

shown below is a snapshot of too many illegal attempts to login to my
server from a suspicious hacker. this is taken from the
"/var/log/auth.log". my question is, how do i automatically block an
IP address if it is attempting to guess my login usernames? can i
configure the firewall to check the instances a certain IP has
attempted to access/ssh the server, and if it has failed to login for
about "x" number of attempts, it will be blocked automatically?

thank you in advance!

-edwin


Mar 26 05:00:00 pawikan newsyslog[11879]: logfile turned over due to size>100K
Mar 26 22:49:29 pawikan sshd[66637]: Illegal user test from 211.176.33.46
Mar 26 22:49:32 pawikan sshd[66639]: Illegal user guest from 211.176.33.46
Mar 26 22:49:35 pawikan sshd[66641]: Illegal user admin from 211.176.33.46
Mar 26 22:49:37 pawikan sshd[66643]: Illegal user admin from 211.176.33.46
Mar 26 22:49:40 pawikan sshd[66645]: Illegal user user from 211.176.33.46
Mar 26 22:49:50 pawikan sshd[66654]: Illegal user test from 211.176.33.46
Mar 27 02:50:12 pawikan sshd[69369]: Illegal user test from 210.0.141.89
Mar 27 02:50:14 pawikan sshd[69463]: Illegal user guest from 210.0.141.89
Mar 27 02:50:15 pawikan sshd[69650]: Illegal user admin from 210.0.141.89
Mar 27 02:50:17 pawikan sshd[69745]: Illegal user admin from 210.0.141.89
Mar 27 02:50:18 pawikan sshd[69858]: Illegal user user from 210.0.141.89
Mar 27 02:50:24 pawikan sshd[70319]: Illegal user test from 210.0.141.89
Mar 27 04:10:58 pawikan sshd[5171]: Illegal user test from 218.188.9.202
Mar 27 04:10:59 pawikan sshd[5173]: Illegal user guest from 218.188.9.202
Mar 27 04:11:00 pawikan sshd[5175]: Illegal user admin from 218.188.9.202
Mar 27 04:11:01 pawikan sshd[5190]: Illegal user admin from 218.188.9.202
Mar 27 04:11:02 pawikan sshd[5192]: Illegal user user from 218.188.9.202
Mar 27 04:11:07 pawikan sshd[5200]: Illegal user test from 218.188.9.202
Mar 27 12:13:21 pawikan sshd[9236]: Did not receive identification
string from 61.59.143.27
Mar 27 12:23:03 pawikan sshd[13482]: Illegal user jordan from 61.59.143.27
Mar 27 12:23:07 pawikan sshd[13484]: Illegal user michael from 61.59.143.27
Mar 27 12:23:11 pawikan sshd[13486]: Illegal user nicole from 61.59.143.27
Mar 27 12:23:14 pawikan sshd[13488]: Illegal user daniel from 61.59.143.27
Mar 27 12:23:18 pawikan sshd[13490]: Illegal user andrew from 61.59.143.27
Mar 27 12:23:21 pawikan sshd[13492]: Illegal user nathan from 61.59.143.27
Mar 27 12:23:25 pawikan sshd[13494]: Illegal user matthew from 61.59.143.27
Mar 27 12:23:29 pawikan sshd[13496]: Illegal user magic from 61.59.143.27
Mar 27 12:23:33 pawikan sshd[13498]: Illegal user lion from 61.59.143.27
Mar 27 12:23:37 pawikan sshd[13500]: Illegal user david from 61.59.143.27
Mar 27 12:23:41 pawikan sshd[13502]: Illegal user jason from 61.59.143.27
Mar 27 12:23:45 pawikan sshd[13504]: Illegal user ben from 61.59.143.27
Mar 27 12:23:49 pawikan sshd[13506]: Illegal user carmen from 61.59.143.27
Mar 27 12:23:53 pawikan sshd[13510]: Illegal user justin from 61.59.143.27
Mar 27 12:23:57 pawikan sshd[13512]: Illegal user charlie from 61.59.143.27
Mar 27 12:24:02 pawikan sshd[13514]: Illegal user steven from 61.59.143.27
Mar 27 12:24:06 pawikan sshd[13517]: Illegal user brandon from 61.59.143.27
Mar 27 12:24:09 pawikan sshd[13519]: Illegal user brian from 61.59.143.27
Mar 27 12:24:13 pawikan sshd[13521]: Illegal user stephen from 61.59.143.27
Mar 27 12:24:17 pawikan sshd[13523]: Illegal user william from 61.59.143.27
Mar 27 12:24:21 pawikan sshd[13525]: Illegal user angel from 61.59.143.27
Mar 27 12:24:27 pawikan sshd[13527]: Illegal user emily from 61.59.143.27
Mar 27 12:24:31 pawikan sshd[13529]: Illegal user eric from 61.59.143.27
Mar 27 12:24:36 pawikan sshd[13531]: Illegal user joe from 61.59.143.27
Mar 27 12:24:39 pawikan sshd[13533]: Illegal user tom from 61.59.143.27
Mar 27 12:24:43 pawikan sshd[13535]: Illegal user billy from 61.59.143.27
Mar 27 12:24:47 pawikan sshd[13537]: Illegal user buddy from 61.59.143.27
Mar 27 12:24:50 pawikan sshd[13540]: Illegal user jeremy from 61.59.143.27
Mar 27 12:24:54 pawikan sshd[13542]: Illegal user vampire from 61.59.143.27
Mar 27 12:24:57 pawikan sshd[13544]: Illegal user betty from 61.59.143.27
Mar 27 12:25:00 pawikan sshd[13546]: Illegal user henry from 61.59.143.27
Mar 27 12:25:04 pawikan sshd[13749]: Illegal user max from 61.59.143.27
Mar 27 12:25:07 pawikan sshd[14024]: Illegal user nicholas from 61.59.143.27
Mar 27 12:25:11 pawikan sshd[14336]: Illegal user robin from 61.59.143.27
Mar 27 12:25:15 pawikan sshd[14644]: Illegal user system from 61.59.143.27
Mar 27 12:25:18 pawikan sshd[14904]: Illegal user johnny from 61.59.143.27
Mar 27 12:25:22 pawikan sshd[15221]: Illegal user lucy from 61.59.143.27
Mar 27 12:25:26 pawikan sshd[15521]: Illegal user market from 61.59.143.27
Mar 27 12:25:32 pawikan sshd[15673]: Illegal user lp from 61.59.143.27
Mar 27 12:25:37 pawikan sshd[15675]: Illegal user maria from 61.59.143.27
Mar 27 12:2

Re: too many illegal connection attempts through ssh

2005-04-06 Thread Joshua Tinnin
On Wednesday 06 April 2005 00:15, "Edwin D. Vinas" <[EMAIL PROTECTED]> 
wrote:
> hello,
>
> shown below is a snapshot of too many illegal attempts to login to my
> server from a suspicious hacker. this is taken from the
> "/var/log/auth.log". my question is, how do i automatically block an
> IP address if it is attempting to guess my login usernames?

The easiest way to fix this problem most of the time is just to change the 
ssh port to something else, like a high numbered port that's otherwise 
unassigned.

> can i 
> configure the firewall to check the instances a certain IP has
> attempted to access/ssh the server, and if it has failed to login for
> about "x" number of attempts, it will be blocked automatically?

Yes, the best way to deal with this is through the firewall rather than 
sshd, if you still get people hammering away at your ssh port even 
after you change it. What are you using? You might want to check in 
chapter 24 of the handbook ...

- jt
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


Re: too many illegal connection attempts through ssh

2005-04-06 Thread Rob
Edwin D. Vinas wrote:
> hello,
> 
> shown below is a snapshot of too many illegal
> attempts to login to my server from a suspicious
> hacker. this is taken from the "/var/log/auth.log".
> my question is, how do i automatically block an
> IP address if it is attempting to guess my login
> usernames? can i configure the firewall to check
> the instances a certain IP has

My solution is not foolproof, but appears to be good
enough to stop these bulk attacks on my server. I use
a combination of firewall & alternative sshd port.

For example, in /etc/rc.conf, I have:
  sshd_enable="YES"
  sshd_flags="-p 22 -p 1234"

(choose 1234 whatever alternative port number you
prefer)

Then add two tcp rules to your firewall:

 ipfw add allow log tcp from 55.44.33.22/11 to \
  ${oip} ssh in via ${oif} setup
 ipfw add allow log tcp from any to ${oip} 1234 \
 in via ${oif} setup

where "55.44.33.22/11" represents your, more or less,
trusted nearby network, ${oip} your outbound IP and
${oif} your outbound interface (e.g. rl0).
I suppose you're familiar enough with firewall rules.

These firewall rules allow 'regular' ssh connections
only from within your nearby network; all other
parties must connect over the alternative port number,
1234 in this example.

Regards,
Rob.





Re: too many illegal connection attempts through ssh

2005-04-06 Thread Erik Nørgaard
Edwin D. Vinas wrote:
shown below is a snapshot of too many illegal attempts to login to my
server from a suspicious hacker. this is taken from the
"/var/log/auth.log". my question is, how do i automatically block an
IP address if it is attempting to guess my login usernames? can i
configure the firewall to check the instances a certain IP has
attempted to access/ssh the server, and if it has failed to login for
about "x" number of attempts, it will be blocked automatically?
This question is asked on the list ever so often - see the archives for 
suggestions. These are automated attacks, they come regularly as 
crackers, black hats or script kiddies scan across the net.

You can avoid the automated scanning by changing port, but this won't 
stop the determined cracker - he will scan all your ports and identify 
which services are running on which ports.

Ask yourself a few questions:
* Do you need to allow ssh from anywhere? If not, restrict to the
  relevant ip blocks.
* Do you need to allow password based authentication? If not, disable it
  and use only ssh keys, in sshd_config:
PasswordAuthentication no
PubkeyAuthentication yes
* Do all users need to have ssh access? If not, restrict to specific
  groups of users, in sshd_config, eg:
 AllowGroups staff
* Is it a problem apart from the log messages? Trying to login with a
  nonexistent username is usually not a problem.
Other tips: Disable ssh1, reduce the number of simultaneous
non-authenticated connections, set timeouts etc.
Cheers, Erik
--
Ph: +34.666334818   web: http://www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID:  A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2
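Erik's checklist above, turned into a small audit script. This is an added example, not part of his post or of any FreeBSD tool: it reads an sshd_config the way sshd does (keywords are case-insensitive, lines starting with "#" are comments, and the first value obtained for a keyword is the one that counts) and flags each setting on the list. Both configuration fragments are constructed for the example; the MaxStartups and LoginGraceTime values in the hardened one are illustrative choices, not recommendations from the thread.

```python
# Two sshd_config fragments constructed for this example: the first carries
# the weak settings, the second applies Erik's checklist.
WEAK_CONFIG = """\
# sshd_config (constructed, weak)
Protocol 2,1
PasswordAuthentication yes
PubkeyAuthentication yes
# The next line is ignored by sshd: the first value for a keyword wins.
PasswordAuthentication no
"""

HARDENED_CONFIG = """\
# sshd_config (constructed, hardened)
Protocol 2
PasswordAuthentication no
PubkeyAuthentication yes
AllowGroups staff
MaxStartups 5:50:10
LoginGraceTime 30
"""


def parse_sshd_config(text):
    """Return {keyword_lowercase: value} following sshd's rules: keywords are
    case-insensitive, blank lines and lines starting with '#' are comments,
    and the first value obtained for a keyword is the one used. Lines under a
    Match block (a later OpenSSH feature) are conditional and are skipped."""
    settings = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        parts = line.split(None, 1)          # "Keyword argument"
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ''
        if key == 'match':
            in_match = True
            continue
        if in_match:
            continue
        settings.setdefault(key, value)      # first value wins
    return settings


def audit(settings):
    """Apply Erik's checklist; returns one finding string per weak setting."""
    findings = []
    # OpenSSH defaults: PasswordAuthentication yes, PubkeyAuthentication yes.
    if settings.get('passwordauthentication', 'yes').lower() != 'no':
        findings.append('PasswordAuthentication: not "no", password guessing stays possible')
    if settings.get('pubkeyauthentication', 'yes').lower() != 'yes':
        findings.append('PubkeyAuthentication: disabled, keys cannot replace passwords')
    if not ('allowgroups' in settings or 'allowusers' in settings):
        findings.append('AllowGroups/AllowUsers: not set, every account is an ssh login target')
    protocol = settings.get('protocol')
    if protocol is None or '1' in [p.strip() for p in protocol.split(',')]:
        findings.append('Protocol: ssh1 not disabled (set "Protocol 2")')
    if 'maxstartups' not in settings:
        findings.append('MaxStartups: left at default, cap concurrent unauthenticated connections')
    if 'logingracetime' not in settings:
        findings.append('LoginGraceTime: left at default, shorten the unauthenticated timeout')
    return findings


def audit_text(text):
    """Parse and audit a configuration in one step."""
    return audit(parse_sshd_config(text))


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_text(cfg) or ["no findings"])
```

The first-value-wins rule is the one that bites in practice: appending `PasswordAuthentication no` to the end of a file that already says `yes` higher up changes nothing, which is why the weak fragment still audits as password-enabled. On a real host, run the script against a copy of /etc/ssh/sshd_config rather than the constructed strings.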


Re: too many illegal connection attempts through ssh

2005-04-06 Thread Emanuel Strobl
On Wednesday, 6 April 2005 12:07, Erik Nørgaard wrote:
> Edwin D. Vinas wrote:
> > shown below is a snapshot of too many illegal attempts to login to my
> > server from a suspicious hacker. this is taken from the
> > "/var/log/auth.log". my question is, how do i automatically block an
> > IP address if it is attempting to guess my login usernames? can i
> > configure the firewall to check the instances a certain IP has
> > attempted to access/ssh the server, and if it has failed to login for
> > about "x" number of attempts, it will be blocked automatically?
>
> This question is asked on the list ever so often - see the archives for
> suggestions. These are automated attacks, they come regularly as
> crackers, black hats or script kiddies scan across the net.

Does anybody know what robots are being used? And on what systems? All you 
mention later in your posting is true of course and I needn't care about 
these logs, but it's like somebody unknown puts 10 flyers in your 
letterbox every night. I'm sure, one night you'll hide and build a trap for 
that person. I'm too lazy to enter those net-circles for finding these 
robots, but maybe some other has already done that?

-Harry

>
> You can avoid the automated scanning by changing port, but this won't
> stop the determined cracker - he will scan all your ports and identify
> which services are running on which ports.
>
> Ask yourself a few questions:
>
> * Do you need to allow ssh from anywhere? If not, restrict to the
>relevant ip blocks.
>
> * Do you need to allow password based authentication? If not, disable it
>and use only ssh keys, in sshd_config:
>
>  PasswordAuthentication no
>  PubkeyAuthentication yes
>
> * Do all users need to have ssh access? If not, restrict to specific
>groups of users, in sshd_config, eg:
>
>   AllowGroups staff
>
> * Is it a problem apart from the log messages? Trying to login with a
>nonexistent username is usually not a problem.
>
> Other tips: Disable ssh1, reduce the number of simultaneous
> non-authenticated connections, set timeouts etc.
>
> Cheers, Erik




Re: too many illegal connection attempts through ssh

2005-04-06 Thread Joshua Tinnin
On Wednesday 06 April 2005 06:58, Emanuel Strobl 
<[EMAIL PROTECTED]> wrote:
> On Wednesday, 6 April 2005 12:07, Erik Nørgaard wrote:
> > Edwin D. Vinas wrote:
> > > shown below is a snapshot of too many illegal attempts to login to
> > > my server from a suspicious hacker. this is taken from the
> > > "/var/log/auth.log". my question is, how do i automatically block
> > > an IP address if it is attempting to guess my login usernames?
> > > can i configure the firewall to check the instances a certain IP
> > > has attempted to access/ssh the server, and if it has failed to
> > > login for about "x" number of attempts, it will be blocked
> > > automatically?
> >
> > This question is asked on the list ever so often - see the archives
> > for suggestions. These are automated attacks, they come regularly
> > as crackers, black hats or script kiddies scan across the net.
>
> Does anybody know what robots are being used? And on what systems? All
> you mention later in your posting is true of course and I needn't
> care about these logs, but it's like somebody unknown puts 10
> flyers in your letterbox every night. I'm sure, one night you'll hide
> and build a trap for that person. I'm too lazy to enter those
> net-circles for finding these robots, but maybe some other has
> already done that?

It's painfully easy to write a script which checks for the existence of 
ssh on all the IPs in an IP block, at least if all you're checking is 
port 22. A lot of these guys just write a bot which does that and sends 
the "live" IPs back to someone, either the originator or another bot, 
which then will do things like dictionary attack each one. You have 
tools in ports which can serve as the vehicle to do this - nmap is an 
oldie but a goodie. Don't misunderstand - it's also a security tool. 

This type of attack is pretty old, actually, it's just now more people 
are online on bigger pipes, so there are thousands (millions?) of 
zombied computers due to the more recent trojan horses and worms which 
are unwitting accomplices to this sort of thing. It's much harder to 
trace now. All you need is a bunch of zombies, maybe a proxy or three 
and an irc bot. You have a massive scanning machine with quite a bit of 
distributed computing power, which isn't easily traceable. The way to 
avoid it is to not be an obvious target, and not allow password logins 
at all.

- jt


Re: too many illegal connection attempts through ssh

2005-04-06 Thread Philip Hallstrom
> > > shown below is a snapshot of too many illegal attempts to login to
> > > my server from a suspicious hacker. this is taken from the
> > > "/var/log/auth.log". my question is, how do i automatically block
> > > an IP address if it is attempting to guess my login usernames?
> > > can i configure the firewall to check the instances a certain IP
> > > has attempted to access/ssh the server, and if it has failed to
> > > login for about "x" number of attempts, it will be blocked
> > > automatically?
> >
> > This question is asked on the list ever so often - see the archives
> > for suggestions. These are automated attacks, they come regularly
> > as crackers, black hats or script kiddies scan across the net.
>
> Does anybody know what robots are being used? And on what systems? All
> you mention later in your posting is true of course and I needn't
> care about these logs, but it's like somebody unknown puts 10
> flyers in your letterbox every night. I'm sure, one night you'll hide
> and build a trap for that person. I'm too lazy to enter those
> net-circles for finding these robots, but maybe some other has
> already done that?
I haven't done that, but if you don't like them you can block them fairly 
easily... I wrote a little script in PHP (not that it would be hard to 
re-write in perl or whatever) that watches /var/log/auth.log and if it 
sees an invalid login, it adds a firewall rule to block that IP.

Then I've got a separate cronjob that removes those firewall rules a 
couple minutes later.

Yes, I have locked myself out of my own server when I mistype my password, 
but I just wait a minute and it lets me back in.

I thought about modifying it so instead of outright blocking it, it put 
it into a pipe that limited its bandwidth to almost nil just to hold the 
thing up a bit, but this works for me.

http://www.pjkh.com/sshmonitor/
-philip


Re: too many illegal connection attempts through ssh

2005-04-13 Thread Ed Stover
Forgive the top posting (long message) ;)
A quick way to make that crap go away is to run your ssh on a different
port. quick, simple, effective. I used to have those "brute force"
attacks every day and fill my logs and I would go in and create an
entry for that entire netmask in the ipfw and hosts.allow files but
that got tedious real quick. Changing the port made my life easier.
ssh -p 99 -l yournamehere 192.168.1.10

On Wed, 2005-04-06 at 07:15 +, Edwin D. Vinas wrote:
> hello,
> 
> shown below is a snapshot of too many illegal attempts to login to my
> server from a suspicious hacker. this is taken from the
> "/var/log/auth.log". my question is, how do i automatically block an
> IP address if it is attempting to guess my login usernames? can i
> configure the firewall to check the instances a certain IP has
> attempted to access/ssh the server, and if it has failed to login for
> about "x" number of attempts, it will be blocked automatically?
> 
> thank you in advance!
> 
> -edwin
> 
> 
> Mar 26 05:00:00 pawikan newsyslog[11879]: logfile turned over due to size>100K
> Mar 26 22:49:29 pawikan sshd[66637]: Illegal user test from 211.176.33.46
> Mar 26 22:49:32 pawikan sshd[66639]: Illegal user guest from 211.176.33.46
> Mar 26 22:49:35 pawikan sshd[66641]: Illegal user admin from 211.176.33.46
> Mar 26 22:49:37 pawikan sshd[66643]: Illegal user admin from 211.176.33.46
> Mar 26 22:49:40 pawikan sshd[66645]: Illegal user user from 211.176.33.46
> Mar 26 22:49:50 pawikan sshd[66654]: Illegal user test from 211.176.33.46
> Mar 27 02:50:12 pawikan sshd[69369]: Illegal user test from 210.0.141.89
> Mar 27 02:50:14 pawikan sshd[69463]: Illegal user guest from 210.0.141.89
> Mar 27 02:50:15 pawikan sshd[69650]: Illegal user admin from 210.0.141.89
> Mar 27 02:50:17 pawikan sshd[69745]: Illegal user admin from 210.0.141.89
> Mar 27 02:50:18 pawikan sshd[69858]: Illegal user user from 210.0.141.89
> Mar 27 02:50:24 pawikan sshd[70319]: Illegal user test from 210.0.141.89
> Mar 27 04:10:58 pawikan sshd[5171]: Illegal user test from 218.188.9.202
> Mar 27 04:10:59 pawikan sshd[5173]: Illegal user guest from 218.188.9.202
> Mar 27 04:11:00 pawikan sshd[5175]: Illegal user admin from 218.188.9.202
> Mar 27 04:11:01 pawikan sshd[5190]: Illegal user admin from 218.188.9.202
> Mar 27 04:11:02 pawikan sshd[5192]: Illegal user user from 218.188.9.202
> Mar 27 04:11:07 pawikan sshd[5200]: Illegal user test from 218.188.9.202
> Mar 27 12:13:21 pawikan sshd[9236]: Did not receive identification
> string from 61.59.143.27
> Mar 27 12:23:03 pawikan sshd[13482]: Illegal user jordan from 61.59.143.27
> Mar 27 12:23:07 pawikan sshd[13484]: Illegal user michael from 61.59.143.27
> Mar 27 12:23:11 pawikan sshd[13486]: Illegal user nicole from 61.59.143.27
> Mar 27 12:23:14 pawikan sshd[13488]: Illegal user daniel from 61.59.143.27
> Mar 27 12:23:18 pawikan sshd[13490]: Illegal user andrew from 61.59.143.27
> Mar 27 12:23:21 pawikan sshd[13492]: Illegal user nathan from 61.59.143.27
> Mar 27 12:23:25 pawikan sshd[13494]: Illegal user matthew from 61.59.143.27
> Mar 27 12:23:29 pawikan sshd[13496]: Illegal user magic from 61.59.143.27
> Mar 27 12:23:33 pawikan sshd[13498]: Illegal user lion from 61.59.143.27
> Mar 27 12:23:37 pawikan sshd[13500]: Illegal user david from 61.59.143.27
> Mar 27 12:23:41 pawikan sshd[13502]: Illegal user jason from 61.59.143.27
> Mar 27 12:23:45 pawikan sshd[13504]: Illegal user ben from 61.59.143.27
> Mar 27 12:23:49 pawikan sshd[13506]: Illegal user carmen from 61.59.143.27
> Mar 27 12:23:53 pawikan sshd[13510]: Illegal user justin from 61.59.143.27
> Mar 27 12:23:57 pawikan sshd[13512]: Illegal user charlie from 61.59.143.27
> Mar 27 12:24:02 pawikan sshd[13514]: Illegal user steven from 61.59.143.27
> Mar 27 12:24:06 pawikan sshd[13517]: Illegal user brandon from 61.59.143.27
> Mar 27 12:24:09 pawikan sshd[13519]: Illegal user brian from 61.59.143.27
> Mar 27 12:24:13 pawikan sshd[13521]: Illegal user stephen from 61.59.143.27
> Mar 27 12:24:17 pawikan sshd[13523]: Illegal user william from 61.59.143.27
> Mar 27 12:24:21 pawikan sshd[13525]: Illegal user angel from 61.59.143.27
> Mar 27 12:24:27 pawikan sshd[13527]: Illegal user emily from 61.59.143.27
> Mar 27 12:24:31 pawikan sshd[13529]: Illegal user eric from 61.59.143.27
> Mar 27 12:24:36 pawikan sshd[13531]: Illegal user joe from 61.59.143.27
> Mar 27 12:24:39 pawikan sshd[13533]: Illegal user tom from 61.59.143.27
> Mar 27 12:24:43 pawikan sshd[13535]: Illegal user billy from 61.59.143.27
> Mar 27 12:24:47 pawikan sshd[13537]: Illegal user buddy from 61.59.143.27
> Mar 27 12:24:50 pawikan sshd[13540]: Illegal user jeremy from 61.59.143.27
> Mar 27 12:24:54 pawikan sshd[13542]: Illegal user vampire from 61.59.143.27
> Mar 27 12:24:57 pawikan sshd[13544]: Illegal user betty from 61.59.143.27
> Mar 27 12:25:00 pawikan sshd[13546]: Illegal user henry from 61.59.143.27
> Mar 27 12:25:04 pawikan sshd[13749]: Illegal user max fro

Re: too many illegal connection attempts through ssh

2005-04-13 Thread Benjamin Rossen
On Wed, 2005-04-06 at 07:15 +, Edwin D. Vinas wrote:
> hello,
> 
> shown below is a snapshot of too many illegal attempts to login to my
> server from a suspicious hacker. this is taken from the
> "/var/log/auth.log". my question is, how do i automatically block an
> IP address if it is attempting to guess my login usernames? can i
> configure the firewall to check the instances a certain IP has
> attempted to access/ssh the server, and if it has failed to login for
> about "x" number of attempts, it will be blocked automatically?
> 
> thank you in advance!
> 
> -edwin
> 
> 
> Mar 26 05:00:00 pawikan newsyslog[11879]: logfile turned over ...etc.

This is one of those things we all have to live with. 

I once had the idea to start an Open Source Project for making an 
administrators' tool that would work as follows. The tool would collect these 
records and send the information to a central server. I would be willing to 
donate and administer that server. The server would then track where these 
attacks are coming from. If it becomes apparent that the attacks are coming 
from a lone idiot doing one or two amateurish crack attempts, nothing further 
need be done. On the other hand, if it becomes apparent that the source is 
making repeated attacks on many machines, then a co-ordinated message would go 
out to all administrators using the tool. This could be automated. We could 
hope that many tens of thousands of BSD administrators would be using this 
tool (on many hundreds of thousands of BSD machines). All the machines 
administered by users of this tool would then launch a concerted Denial Of 
Service attack on the cracker address. 

Now, how about that? 

Of course, we could also try to do this nicely; for example, we could send 
automated notifications to the ISPs servicing the offending machines, or to 
ICANN, or to the police and other authorities in the countries where this 
kind of behavior is illegal, and so on. However, that would certainly be 
quite ineffective, and much less fun. 

Or we could combine these strategies. We could notify the ISPs that the 
attacks are coming from one of their clients, informing them that a Tsunami 
DOS shall follow if they do not put a stop to the attacks. 

Just an idea...

Benjamin Rossen 


Re: too many illegal connection attempts through ssh

2005-04-13 Thread Benjamin Rossen
On Wednesday 13 April 2005 23:55, Hexren wrote:
> > Just an idea...
> 
> > Benjamin Rossen 
> 
> -
> 
> Sounds fun but opens the door for every local user with ssh access to
> DOS the machine he is on. I am not that fond of the idea.

Not at all. Let us say that a trusted authority were to operate the central 
server. The central server would not authorize a coordinated defensive DOS 
unless there were to be evidence that the cracker had been attacking many 
machines - perhaps the criterion could be framed to trigger a defensive DOS 
only if it were established that the cracker had been attacking many 
disparate machines in different parts of the world. 

Who is tracking this kind of thing centrally? No one. When you find that 
someone is trying to get into one of your servers you have no idea of what 
else that individual may be doing. A central trusted authority would know. 

Benjamin Rossen 


Re[2]: too many illegal connection attempts through ssh

2005-04-13 Thread Daniel Gerzo
Hi Ed,

Wednesday, April 13, 2005, 10:46:07 PM, you wrote these comments:

> Forgive the top posting (long message) ;)
> A quick way to make that crap go away is to run your ssh on a different
> port. quick, simple, effective. I used to have those "brute force"
> attacks every day and fill my logs and I would go in and create an
> entry for that entire netmask in the ipfw and hosts.allow files but
> that got tedious real quick. Changing the port made my life easier.
> ssh -p 99 -l yournamehere 192.168.1.10

or, if Edwin uses pf, he can use my bruteforceblocker.pl, which is a
daemonized process that checks for these login attempts and adds the given
IPs to pf's table.

it's located at:

http://danger.rulez.sk/projects/bruteforceblocker/

PS: it seems like Edwin will have to adjust the regexp in my script a
little bit, since my regexp checks for Failed password attempts, but
doing so is a trivial thing...

> On Wed, 2005-04-06 at 07:15 +, Edwin D. Vinas wrote:
>> hello,
>> 
>> shown below is a snapshot of too many illegal attempts to login to my
>> server from a suspicious hacker. this is taken from the
>> "/var/log/auth.log". my question is, how do i automatically block an
>> IP address if it is attempting to guess my login usernames? can i
>> configure the firewall to check the instances a certain IP has
>> attempted to access/ssh the server, and if it has failed to login for
>> about "x" number of attempts, it will be blocked automatically?
>> 
>> thank you in advance!
>> 
>> -edwin
>> 
>> 
>> Mar 26 05:00:00 pawikan newsyslog[11879]: logfile turned over due to 
>> size>100K
>> Mar 26 22:49:29 pawikan sshd[66637]: Illegal user test from 211.176.33.46
>> Mar 26 22:49:32 pawikan sshd[66639]: Illegal user guest from 211.176.33.46
>> Mar 26 22:49:35 pawikan sshd[66641]: Illegal user admin from 211.176.33.46

-- 
Best Regards,

+--==/\/\==--+   (__)  FreeBSD
|  DanGer <[EMAIL PROTECTED]>  |\\\'',)  The
| [EMAIL PROTECTED] ICQ261701668 |  \/  \ ^Power
|   http://danger.rulez.sk   |  .\._/_)To
+--==\/\/==--+ Serve

[ Oh, what is it now? Can't you leave me in Peace? - Basil Fawlty ]

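The detection logic Edwin asked for at the top of the thread, which Philip's sshmonitor and Daniel's bruteforceblocker.pl both implement by watching /var/log/auth.log, written out as an added example that is not taken from either script. It parses the "Illegal user" lines in the posted excerpt, counts failures per source address inside a sliding window, emits the pf table command to block an address once the threshold is crossed, and lifts the block after a TTL the way Philip's clean-up cron job does. The trusted network 192.168.1.0/24, the thresholds, the pf table name `bruteforce`, the assumed year and the two extra log lines (the 192.168.1.10 and 12:26:00 entries) are assumptions of the example; the other lines are copied from Edwin's log.

```python
import calendar
import ipaddress
import re
import time
from collections import defaultdict, deque

# Matches the sshd line form in Edwin's auth.log excerpt. Newer OpenSSH
# releases write "Invalid user" instead of "Illegal user", so accept both.
LOG_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: '
    r'(?:Illegal|Invalid) user (?P<user>\S+) from (?P<ip>[0-9A-Fa-f.:]+)$'
)

ASSUMED_YEAR = 2005   # syslog timestamps carry no year; assumed to match the thread


def parse_ts(stamp):
    """Convert 'Mar 27 12:23:03' to epoch seconds (UTC, year assumed)."""
    return calendar.timegm(time.strptime(f"{ASSUMED_YEAR} {stamp}", "%Y %b %d %H:%M:%S"))


class BruteForceBlocker:
    """Count 'Illegal user' events per source address inside a sliding window
    and return the firewall command to run once the threshold is crossed.
    Commands are returned as strings, not executed, so the logic can be
    exercised on a machine without pf or ipfw."""

    def __init__(self, threshold=5, window=60, block_ttl=120, trusted=(), table="bruteforce"):
        self.threshold = threshold     # failures needed before a block
        self.window = window           # seconds those failures must fall within
        self.block_ttl = block_ttl     # seconds a block lasts (the cron clean-up)
        self.table = table             # pf table a pf.conf block rule refers to
        self.trusted = [ipaddress.ip_network(n) for n in trusted]   # never blocked
        self.events = defaultdict(deque)   # ip -> timestamps of recent failures
        self.blocked = {}                  # ip -> epoch second the block expires

    def _is_trusted(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.trusted)

    def feed(self, line):
        """Process one auth.log line. Returns (command or None, event time or None)."""
        m = LOG_RE.match(line)
        if not m:
            return None, None              # not an "Illegal user" line
        ip, now = m.group('ip'), parse_ts(m.group('ts'))
        if self._is_trusted(ip) or ip in self.blocked:
            return None, now
        q = self.events[ip]
        q.append(now)
        while q and now - q[0] > self.window:   # drop failures outside the window
            q.popleft()
        if len(q) >= self.threshold:
            self.blocked[ip] = now + self.block_ttl
            q.clear()
            return f"pfctl -t {self.table} -T add {ip}", now
        return None, now

    def expire(self, now):
        """Lift blocks whose TTL has passed; returns the commands to run."""
        cmds = []
        for ip, until in sorted(self.blocked.items()):
            if now >= until:
                del self.blocked[ip]
                cmds.append(f"pfctl -t {self.table} -T delete {ip}")
        return cmds


# Seven lines copied from Edwin's log; the 192.168.1.10 line and the 12:26:00
# line are constructed to exercise the whitelist and a lone failure.
SAMPLE_LOG = """\
Mar 27 12:13:21 pawikan sshd[9236]: Did not receive identification string from 61.59.143.27
Mar 27 12:23:03 pawikan sshd[13482]: Illegal user jordan from 61.59.143.27
Mar 27 12:23:07 pawikan sshd[13484]: Illegal user michael from 61.59.143.27
Mar 27 12:23:11 pawikan sshd[13486]: Illegal user nicole from 61.59.143.27
Mar 27 12:23:14 pawikan sshd[13488]: Illegal user daniel from 61.59.143.27
Mar 27 12:23:18 pawikan sshd[13490]: Illegal user andrew from 61.59.143.27
Mar 27 12:23:21 pawikan sshd[13492]: Illegal user nathan from 61.59.143.27
Mar 27 12:23:30 pawikan sshd[13600]: Illegal user oops from 192.168.1.10
Mar 27 12:26:00 pawikan sshd[13700]: Illegal user admin from 210.0.141.89
"""


def replay(log_text, trusted=("192.168.1.0/24",), **kwargs):
    """Feed every line to a fresh blocker, then run the clean-up two TTLs after
    the last event; returns the firewall commands in the order issued."""
    blocker = BruteForceBlocker(trusted=trusted, **kwargs)
    commands, last = [], None
    for line in log_text.splitlines():
        cmd, ts = blocker.feed(line)
        if ts is not None:
            last = ts
        if cmd:
            commands.append(cmd)
    if last is not None:
        commands.extend(blocker.expire(last + 2 * blocker.block_ttl))
    return commands


if __name__ == "__main__":
    for cmd in replay(SAMPLE_LOG):
        print(cmd)
```

On the replayed excerpt the fifth failure from 61.59.143.27 at 12:23:18 produces the `add`, the sixth is ignored because the address is already blocked, the 192.168.1.10 failure is skipped by the whitelist, and the clean-up later produces the matching `delete`. To make the table effective, pf.conf needs `table <bruteforce> persist` and a rule such as `block in quick on $oif from <bruteforce> to any`; ipfw users would issue `ipfw add deny ip from <ip> to any` instead of the pfctl commands. A production daemon would read lines from `tail -F /var/log/auth.log` and run `expire()` from cron or a timer; the whitelist is what keeps a mistyped password from locking the administrator out, the failure Philip describes. Note that this only matches unknown-username attempts; guesses against existing accounts appear as "Failed password" lines, which is the pattern Daniel's regexp looks for.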


Re[2]: too many illegal connection attempts through ssh

2005-04-13 Thread Hexren
> On Wed, 2005-04-06 at 07:15 +, Edwin D. Vinas wrote:
>> hello,
>> 
>> shown below is a snapshot of too many illegal attempts to login to my
>> server from a suspicious hacker. this is taken from the
>> "/var/log/auth.log". my question is, how do i automatically block an
>> IP address if it is attempting to guess my login usernames? can i
>> configure the firewall to check the instances a certain IP has
>> attempted to access/ssh the server, and if it has failed to login for
>> about "x" number of attempts, it will be blocked automatically?
>> 
>> thank you in advance!
>> 
>> -edwin
>> 
>> 
>> Mar 26 05:00:00 pawikan newsyslog[11879]: logfile turned over ...etc.

> This is one of those things we all have to live with. 

> I once had the idea to start an Open Source Project for making an 
> administrators' tool that would work as follows. The tool would collect these 
> records and send the information to a central server. I would be willing to 
> donate and administer that server. The server would then track where these 
> attacks are coming from. If it becomes apparent that the attacks are coming 
> from a lone idiot doing one or two amateurish crack attempts, nothing further 
> need be done. On the other hand, if it becomes apparent that the source is 
> making repeated attacks on many machines, then a co-ordinated message would go 
> out to all administrators using the tool. This could be automated. We could 
> hope that many tens of thousands of BSD administrators would be using this 
> tool (on many hundreds of thousands of BSD machines). All the machines 
> administered by users of this tool would then launch a concerted Denial Of 
> Service attack on the cracker address. 

> Now, how about that? 

> Of course, we could also try to do this nicely; for example, we could send 
> automated notifications to the ISPs servicing the offending machines, or to 
> ICANN, or to the police and other authorities in the countries where this 
> kind of behavior is illegal, and so on. However, that would certainly be 
> quite ineffective, and much less fun. 

> Or we could combine these strategies. We could notify the ISPs that the 
> attacks are coming from one of their clients, informing them that a Tsunami 
> DOS shall follow if they do not put a stop to the attacks. 

> Just an idea...

> Benjamin Rossen 

-

Sounds fun but opens the door for every local user with ssh access to
DOS the machine he is on. I am not that fond of the idea.



Self Defense through DoS... ? (was: too many illegal connection attempts through ssh)

2005-04-13 Thread Hexren
> On Wednesday 13 April 2005 23:55, Hexren wrote:
>> > Just an idea...
>> 
>> > Benjamin Rossen 
>> 
>> -
>> 
>> Sounds fun but opens the door for every local user with ssh access to
>> DOS the machine he is on. I am not that fond of the idea.

> Not at all. Let us say that a trusted authority were to operate the central 
> server. The central server would not authorize a coordinated defensive DOS 
> unless there were to be evidence that the cracker had been attacking many 
> machines - perhaps the criterion could be framed to trigger a defensive DOS 
> only if it were established that the cracker had been attacking many 
> disparate machines in different parts of the world. 

> Who is tracking this kind of thing centrally? No one. When you find that 
> someone is trying to get into one of your servers you have no idea of what 
> else that individual may be doing. A central trusted authority would know. 

> Benjamin Rossen 


-

"Central _trusted_ authority" leaves a bitter taste in my mouth... but
then I may be paranoid.
Anyway if I am a local user on a machine and I have access to an ssh
binary (that is what I meant with "ssh access") and bash, I can churn out
connections with the only limit being my bandwidth and system limits on
the number of processes I can run at one time. But even with these set to
sensible defaults say 10 processes and 1/10 of site bw. I am able to
"attack many disparate machines in different parts of the world"
therefore I am able to trigger a _defensive_ DoS against the machine
that I am on.

Regards
Hexren



Re: Self Defense through DoS... ? (was: too many illegal connection attempts through ssh)

2005-04-14 Thread Benjamin Rossen
On Thursday 14 April 2005 00:30, Hexren wrote:
> "Central _trusted_ authority" leaves a bitter taste in my mouth... but
> then I may be paranoid.
> Anyway if I am a local user on a machine and I have access to an ssh
> binary (that is what I meant with "ssh access") and bash, I can churn out
> connections with the only limit being my bandwidth and system limits on
> the number of processes I can run at one time. But even with these set to
> sensible defaults say 10 processes and 1/10 of site bw. I am able to
> "attack many disparate machines in different parts of the world"
> therefore I am able to trigger a _defensive_ DoS against the machine
> that I am on.
> 
> Regards
> Hexren
>
Hexren, 

I get your point. It is a very good point. Economists call that 'moral 
hazard', by which they mean that any system instituted to protect against one 
evil can be recruited by some individuals to bring about another 
unforeseen evil. The question then becomes; which is the greater evil? 

How many people who are local users and have access to ssh are going to want 
to use defensive DOS to bring down the machine they are on? Surely, if they 
have these privileges, there are countless easier and more direct ways of 
bringing down their own machines. Even if there are some situations where the 
proposed system of defensive DOS can be used in this way, is the evil that 
results from these remote suicides worse than the evil that results from the 
crackers who are presently not checked in any way? 

Trusted authorities are a necessary feature of life in the real world, but 
there should be checks and balances in place. The word 'trusted' implies 
that. They are not just Statutory Authorities, or Powerful Forces. They are 
trusted by someone or some group, or the majority, and perhaps universally. 
Perhaps the question here should be: who determines which authority should be 
trusted, and who monitors their exercise of authority to see that they remain 
trustworthy? 

Benjamin Rossen 
