From: Moe Trin on 21 Dec 2009 14:52

On Sun, 20 Dec 2009, in the Usenet newsgroup comp.unix.bsd.freebsd.misc, in article <44151be0-8037-4fa9-97e8-b2f2e50133ba(a)g22g2000prf.googlegroups.com>, John Rushford wrote:

NOTE: Posting from groups.google.com (or some web-forums) dramatically reduces the chance of your post being seen. Find a real news server.

> bob prohaska's usenet account <b...(a)www.zefox.net> wrote:
>> In a related vein, is there a simple way to make sshd report the
>> failures with the offending IP number first, the time stamp second
>> and all else following? That would make it easy to sort and mail
>> the log sections to abuse email addresses.
> I gave up emailing to abuse email addresses, this took up too much of
> my time.

Agree - and because most of the failed logins come from 0wn3d windoze boxes on residential IPs, it's usually a waste of time, as nothing happens at the remote net.

> Instead, I modified my syslog.conf to write everything login
> related to a named pipe.

There are a number of programs like this - I call them "Self Denial Of Service" applications.

> The perl script keeps track of invalid login attempts by IP address
> and on the 3rd invalid attempt, dynamically blocks that IP with an
> Ipfilter rule permanently.

Blocking the IP for ten-twenty minutes is usually more than enough, and the zombie or skript kiddiez soon realize they're getting no further response to connection attempts, and move on. When last I bothered to log such attempts (there were 2981664008 IPv4 addresses allocated/assigned by the five RIRs as of last week - my firewall allows SSH in from just 1530 of those - 2 /24 and a /22), I was seeing an average of 20 attempts an hour. What's the performance of your firewall like when it has 5-10 thousand individual 'block' rules... compared to three 'allow' and one default 'block' rules?

> I also keep a white list of IPs so that I don't lock myself out :-)

Why are you allowing everywhere else? World traveler who might be in Kazakhstan, Kenya, Kiribati, Korea, or Kuwait tomorrow?

Old guy
From: John Rushford on 21 Dec 2009 20:31

On Dec 21, 12:52 pm, ibupro...(a)painkiller.example.tld.invalid (Moe Trin) wrote:
> On Sun, 20 Dec 2009, in the Usenet newsgroup comp.unix.bsd.freebsd.misc, in
> article <44151be0-8037-4fa9-97e8-b2f2e5013...(a)g22g2000prf.googlegroups.com>,
> John Rushford wrote:
>
> NOTE: Posting from groups.google.com (or some web-forums) dramatically
> reduces the chance of your post being seen. Find a real news server.
>
>> bob prohaska's usenet account <b...(a)www.zefox.net> wrote:
>>> In a related vein, is there a simple way to make sshd report the
>>> failures with the offending IP number first, the time stamp second
>>> and all else following? That would make it easy to sort and mail
>>> the log sections to abuse email addresses.
>> I gave up emailing to abuse email addresses, this took up too much of
>> my time.
>
> Agree - and because most of the failed logins come from 0wn3d windoze
> boxes on residential IPs, it's usually a waste of time, as nothing
> happens at the remote net.
>
>> Instead, I modified my syslog.conf to write everything login
>> related to a named pipe.
>
> There are a number of programs like this - I call them "Self Denial
> Of Service" applications.
>
>> The perl script keeps track of invalid login attempts by IP address
>> and on the 3rd invalid attempt, dynamically blocks that IP with an
>> Ipfilter rule permanently.
>
> Blocking the IP for ten-twenty minutes is usually more than enough,
> and the zombie or skript kiddiez soon realize they're getting no
> further response to connection attempts, and move on. When last I
> bothered to log such attempts (there were 2981664008 IPv4 addresses
> allocated/assigned by the five RIRs as of last week - my firewall
> allows SSH in from just 1530 of those - 2 /24 and a /22), I was
> seeing an average of 20 attempts an hour. What's the performance
> of your firewall like when it has 5-10 thousand individual 'block'
> rules... compared to three 'allow' and one default 'block' rules?
>
>> I also keep a white list of IPs so that I don't lock myself out :-)
>
> Why are you allowing everywhere else? World traveler who might be in
> Kazakhstan, Kenya, Kiribati, Korea, or Kuwait tomorrow?
>
> Old guy

I do travel; I spent 3 weeks in the Philippines the summer before last building homes with a church group in one of the provinces. It was handy to ssh into my mail server when I could get an internet connection. I had asterisk running on it back then and used it to make phone calls to relatives in the states. So what to allow and what to block.....

Currently, I have about 2300 blocked IPs in the table and have been watching it for a performance problem. Have not seen any problems thus far. I may fiddle with the script and keep track of when the rule was added and then have another script remove them after they've aged for, say, an hour. From what I've read, ipf version 5 has such a ttl feature, but alas, it's not yet available in the base install.

As far as using google groups is concerned, it's all I can find that's free. Can you recommend a free NNTP server?

regards
John
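The two posts above describe one design: count failed sshd logins per source address, block on the third failure, keep a whitelist so the operator is never locked out, and (John's proposed refinement) record when each block was added so that a second pass can remove blocks that have aged out. The following is an added example written for this thread, not John's perl script or anything from the ipfilter project. It reads constructed auth.log lines, applies a sliding failure window, and emits ipf rule text rather than applying it; the interface name `em0`, the whitelist network `192.0.2.0/24`, and every log line and address are assumptions made up for the example.

```python
"""Per-IP sshd failure tracking with a timed block list (added example).

Counts "Failed password" lines per source IP, emits an ipf block rule on
the 3rd failure inside a window, honours a whitelist, and ages blocks out
after a TTL. Only rule text is produced; applying it is left to the caller.
All sample data below is constructed for the example.
"""
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# sshd "Failed password" line as it appears in auth.log (syslog prefix + message).
FAILED_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

THRESHOLD = 3                     # block on the 3rd failure
WINDOW = timedelta(minutes=10)    # failures older than this no longer count
BLOCK_TTL = timedelta(hours=1)    # John's "aged for, say, an hour"
IFACE = "em0"                     # assumed interface name (placeholder)
WHITELIST = [ip_network("192.0.2.0/24")]   # constructed operator network


class SshBlocker:
    def __init__(self, year=2009):
        self.year = year          # syslog lines carry no year
        self.failures = {}        # ip -> list of failure timestamps inside WINDOW
        self.blocks = {}          # ip -> datetime at which the block expires

    def parse(self, line):
        """Returns (timestamp, ip) for a failed-password line, else None."""
        m = FAILED_RE.match(line)
        if not m:
            return None
        ts = datetime.strptime(f"{self.year} {m['mon']} {m['day']} {m['time']}",
                               "%Y %b %d %H:%M:%S")
        return ts, m["ip"]

    def whitelisted(self, ip):
        addr = ip_address(ip)
        return any(addr in net for net in WHITELIST)

    def feed(self, line):
        """Returns an ipf rule string when this line triggers a block, else None."""
        parsed = self.parse(line)
        if parsed is None:
            return None
        ts, ip = parsed
        if self.whitelisted(ip) or ip in self.blocks:
            return None
        recent = [t for t in self.failures.get(ip, []) if ts - t <= WINDOW]
        recent.append(ts)
        self.failures[ip] = recent
        if len(recent) >= THRESHOLD:
            self.blocks[ip] = ts + BLOCK_TTL
            del self.failures[ip]
            return f"block in quick on {IFACE} from {ip}/32 to any"
        return None

    def expire(self, now):
        """Returns the IPs whose block has aged out and drops them from the list."""
        expired = [ip for ip, until in self.blocks.items() if until <= now]
        for ip in expired:
            del self.blocks[ip]
        return expired


# Constructed sample log: one scanner that trips the threshold, one whitelisted
# host, and one host whose third failure falls outside the window.
SAMPLE_LOG = [
    "Dec 21 14:52:01 mail sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 4321 ssh2",
    "Dec 21 14:52:05 mail sshd[1235]: Failed password for root from 203.0.113.5 port 4322 ssh2",
    "Dec 21 14:52:09 mail sshd[1236]: Failed password for invalid user test from 203.0.113.5 port 4323 ssh2",
    "Dec 21 14:52:12 mail sshd[1237]: Failed password for john from 192.0.2.10 port 50000 ssh2",
    "Dec 21 14:52:15 mail sshd[1238]: Failed password for john from 192.0.2.10 port 50001 ssh2",
    "Dec 21 14:52:18 mail sshd[1239]: Failed password for john from 192.0.2.10 port 50002 ssh2",
    "Dec 21 14:53:00 mail sshd[1240]: Failed password for root from 198.51.100.7 port 6000 ssh2",
    "Dec 21 14:53:30 mail sshd[1241]: Failed password for root from 198.51.100.7 port 6001 ssh2",
    "Dec 21 15:10:00 mail sshd[1242]: Failed password for root from 198.51.100.7 port 6002 ssh2",
    "Dec 21 15:10:01 mail sshd[1243]: Accepted publickey for john from 192.0.2.10 port 50003 ssh2",
]


def run_sample():
    """Feeds the sample log, then runs the aging pass at 16:00. Returns
    (rules emitted, IPs expired, IPs still blocked)."""
    blocker = SshBlocker()
    rules = [r for r in (blocker.feed(line) for line in SAMPLE_LOG) if r]
    expired = blocker.expire(datetime(2009, 12, 21, 16, 0, 0))
    return rules, expired, sorted(blocker.blocks)


if __name__ == "__main__":
    rules, expired, still_blocked = run_sample()
    print("rules:", rules)
    print("expired:", expired)
    print("still blocked:", still_blocked)
```

Running it emits a single rule for 203.0.113.5; 192.0.2.10 is skipped by the whitelist, and 198.51.100.7 never reaches three failures inside the ten-minute window. The aging pass at 16:00 removes the 203.0.113.5 block, which keeps the rule table near the handful of entries Moe is arguing for instead of growing without bound.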
From: Indi on 22 Dec 2009 00:06

On 2009-12-22, John Rushford <jjrushford(a)gmail.com> wrote:
>
> As far as using google groups is concerned, it's all I can find that's
> free. Can you recommend a free NNTP server?
>

Google for eternal september (aka motzarella -- yes they spell it that way). I use news.individual.net, which is only 10 Euros (~14 USD) per year. There are many, many others out there.

-- 
indi
From: bob prohaska's usenet account on 22 Dec 2009 00:24

John Rushford <jjrushford(a)gmail.com> wrote:
>
> As far as using google groups is concerned, it's all I can find that's
> free. Can you recommend a free NNTP server?

I've tried news.albasani.net and news.eternal-september.org; the former seems to work well. Didn't have much luck (nor try very hard) with the latter.

Regarding the futility of emailing complaints of abuse, perhaps I'm being naive. However, if ISPs block traffic from compromised hosts then the owners have an incentive to improve security. Without that (admittedly small) incentive, there's nothing to limit spurious network traffic.

bob prohaska
From: Moe Trin on 22 Dec 2009 20:28

On Tue, 22 Dec 2009, in the Usenet newsgroup comp.unix.bsd.freebsd.misc, in article <hgpl6a$rp7$1(a)news.albasani.net>, bob prohaska's usenet account wrote:

> I've tried news.albasani.net and news.eternal-september.org; the
> former seems to work well. Didn't have much luck (nor try very hard)
> with the latter.

A quick glance through my news spool suggests eternal-september.org may be more popular, but popularity is a personal opinion only.

> Regarding the futility of emailing complaints of abuse, perhaps I'm
> being naive. However, if ISPs block traffic from compromised hosts
> then the owners have an incentive to improve security. Without
> that (admittedly small) incentive, there's nothing to limit spurious
> network traffic.

Ten years ago, an abuse complaint may have gotten some results, but the odds were pretty slim. In most cases, when making a complaint to an abuse address, you got an auto-response from an Ignore-bot, and the complaint disappeared or was forwarded to Dave Null to handle it. The bean counters decided that the abuse desk/person was not adding to the company profits, and could be eliminated - recall that the complaining person was usually not a customer, but someone out there on the inter-web-thingy, and why should anyone care what they think? The vast majority of complaints came from users who were totally clueless, failed to include usable information, or complained to the wrong organization.

In the news.admin.net-abuse.* newsgroups, the solution is frequently spoken of as "their network, their rules". The administrators of a network are within their rights to simply block any/all traffic from any host or network for whatever reason they choose - even no reason at all. Harsh, but reality.

Old guy