Attacks on ssh port
Willem Jan Withagen
wjw at withagen.nl
Sat Sep 18 15:25:53 PDT 2004
David D.W. Downey wrote:
>> OK, was a simple suggestion. (no derogatory tone meant).
>
I'm sorry. No intentions to put you down. The suggestions you made are
very valid.
And a lot of them were already in place. Please attribute it to being
non-native English.
>> I will say
>> this much. adding each individual host that scans your machine
>> instantly to your firewall WILL end up killing your machine due to
>> lookups if this is in place during any large scan or direct port
>> attacks.
>
I also have portsentry in a rather sensitive mode doing exactly the same
thing.
Trigger one of the "backdoor" ports, and you're out of my game.
>> I do think you're being overly concerned about your log entries since
>> this is *exactly* what the system is *supposed* to do, log the entries
>> for further use by the admin if needed. There is no signal to noise
>> reduction gained, since what you consider noise is what the system is
>> *designed* to do. If you want to reduce the number of entries then
>> reduce the # of entries it logs (aka when you enable the verbose_limit
>> count it won't log any more than that number of attempts from a host.
>> So set it to 2 or even 1 (i would suggest 2 so you only get what
>> should be considered a bona fide failure) )
>
True, and perhaps even more true. BUT since I've now concluded that
there are script-kiddies trying ssh break-ins ad nauseam, this logging
gets a totally different meaning. I don't need to see these specific
warnings myself anymore; it is a full indication of a host that is no
longer under its master's control. So instead of writing to see if the
attacks get any smarter, just deny full access. Blunt but effective.
Note that this is on a server of one of my customers. And having seen
the havoc of previously hacked systems of the ISP where I worked, I
prefer to be a little more safe. The only reason that this would kill my
machine is when the list of IP numbers gets so large that it keeps the
system from doing anything else any more. But it has not come this far
yet; Moore's law outpaces this problem by far.
>> If you want to enable firewalling based on that information then
>> you're going to have to write a custom script to cull the information
>> from the logfiles or enable some ports NIDs, or 3rd party NIDS to do
>> this for you. (Such as maybe portsentry and hostsentry for a basic
>> choice option set)
>
I used to run one such tool, but found those just a little bit too
inaccurate to actually trust it for this job. Remember that you do not
have the time to turn over the logfile at midnight, and then start
blocking IP numbers. It has to be done at first sight of a possible
attempt to break into the system. But perhaps I'll start running that again.
--WjW
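The "custom script to cull the information from the logfiles" discussed above, as an added example that is not part of this thread or of portsentry: it counts failed ssh logins per source address from auth.log-style lines (the sshd message format and the 192.0.2.0/24 and 198.51.100.0/24 addresses are constructed sample data), applies a threshold like the verbose_limit count mentioned in the quoted text, and keeps the resulting block list under a hard size cap so it cannot grow until the box stops doing anything else. Pushing the addresses into pf or ipfw is left to the caller.

```python
import re
from collections import Counter, OrderedDict

# Matches the "Failed password" / "Invalid user" lines sshd writes to auth.log.
# The syslog layout is assumed; adjust the pattern to the host's actual format.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: (?:Failed password for (?:invalid user )?\S+|Invalid user \S+)"
    r" from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

def failed_logins(lines):
    """Count failed ssh logins per source address; accepted logins are ignored."""
    counts = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts

class BoundedBlockList:
    """Block list with a hard size cap: when full, the oldest entry is evicted."""
    def __init__(self, max_size):
        self.max_size = max_size
        self.entries = OrderedDict()   # insertion order doubles as age order
    def add(self, ip):
        """Return True if ip is newly blocked, False if it was already listed."""
        if ip in self.entries:
            self.entries.move_to_end(ip)  # refresh age of a repeat offender
            return False
        self.entries[ip] = True
        while len(self.entries) > self.max_size:
            self.entries.popitem(last=False)
        return True
    def __contains__(self, ip):
        return ip in self.entries

def hosts_to_block(lines, threshold=2, blocklist=None):
    """Block every source with >= threshold failures; return the newly added ones."""
    blocklist = blocklist if blocklist is not None else BoundedBlockList(10000)
    added = [ip for ip, n in failed_logins(lines).items()
             if n >= threshold and blocklist.add(ip)]   # add() filters repeats
    return added, blocklist

SAMPLE_LOG = [  # constructed sample lines; addresses are documentation ranges
    "Sep 18 15:20:01 host sshd[1234]: Failed password for root from 192.0.2.10 port 4022 ssh2",
    "Sep 18 15:20:03 host sshd[1234]: Failed password for root from 192.0.2.10 port 4023 ssh2",
    "Sep 18 15:20:05 host sshd[1240]: Invalid user test from 192.0.2.10",
    "Sep 18 15:21:00 host sshd[1250]: Failed password for wjw from 198.51.100.7 port 5000 ssh2",
    "Sep 18 15:21:30 host sshd[1260]: Accepted publickey for wjw from 198.51.100.7 port 5001 ssh2",
]
```

To act at first sight rather than at log rotation, feed the lines from a running `tail -F` of the log into `hosts_to_block` with a single long-lived `BoundedBlockList`, and hand each newly returned address to the firewall.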