Hacked - FreeBSD 7.1-Release

Jeremy Chadwick freebsd at jdc.parodius.com
Tue Dec 29 19:57:35 UTC 2009


On Tue, Dec 29, 2009 at 02:30:11PM -0500, Lowell Gilbert wrote:
> > On Mon, Dec 28, 2009 at 10:44:41AM -0500, Andresen, Jason R. wrote:
> >> The point is, if your machine is on the internet, then bots are
> >> going to try password attacks on any open port they can find.  It's
> >> just the sad fact of life on the current internet.  Unfortunately,
> >> this activity will also make it much more difficult to determine
> >> when you are under attack from an actual person, which was my point
> >> earlier.  It's one that is not going to be easy to solve either,
> >> unless you're willing to rewrite SSH to require every connection
> >> attempt to pass a Turing test or something.
> >
> > On all systems which need to be accessible from the public Internet:
> > Run sshd on port 22 and port 8022. Block incoming traffic on port
> > 22 on your firewall.
> >
> > Everybody coming from the outside world needs to know it is running
> > on port 8022. Everybody coming from the inside world has access as
> > normal.
> 
> This assumes that everybody coming in from the outside is doing so from
> a location that can reach port 8022 on your network.  Restrictive
> corporate, campus, and hotspot firewalls will often break this
> assumption.  If your network is personal, and you know the other ends
> of the connections won't be so draconian, this isn't a problem.

And let's not forget the fact that the people doing the brute-force
attacks already have access to multiple compromised machines (sometimes
in the tens or hundreds of thousands), which means they'll eventually
change their methods to include portscanning of the remote system rather
than just blindly assuming TCP port 22.  When you have access to so many
systems, completing a full scan (65535 ports) would take a lot less time
than, say, if run from a single system.

Given that OpenSSH happily spits back an identity string -- including
version -- to anyone who establishes a TCP connection to it, detecting
if SSH is associated with said port isn't that hard.  I don't know if
this method is officially part of the SSH protocol or not (I'm not
familiar with the protocol).  Example FreeBSD box:

Connected to localhost.
Escape character is '^]'.
SSH-2.0-OpenSSH_5.2p1 FreeBSD-20090522

The "FreeBSD-XXXXXXXX" string is supposed to come from VersionAddendum
in /etc/ssh/sshd_config, except it appears the base system's OpenSSH
defines this as the VersionAddendum default.  The rest of the string,
AFAIK, isn't modifiable outside of editing the source.

The justification for the FreeBSD-XXXXXXXX hard-coded default is in
src/crypto/openssh/FREEBSD-upgrade.  I don't agree with the logic (basic
security starts with "give the remote attacker *as little* information
about your system as possible"), but I'm not going to argue:

0) VersionAddendum

   The SSH protocol allows for a human-readable version string of up
   to 40 characters to be appended to the protocol version string.
   FreeBSD takes advantage of this to include a date indicating the
   "patch level", so people can easily determine whether their system
   is vulnerable when an OpenSSH advisory goes out.  Some people,
   however, dislike advertising their patch level in the protocol
   handshake, so we've added a VersionAddendum configuration variable
   to allow them to change or disable it.

So ultimately changing the port number from 22 to something else is just
a temporary measure that does little other than annoy legitimate people
connecting to your system.  Don't have anyone else connecting to it?
Then why not just use port 22 and deny 0.0.0.0/0 + allow netblocks you
come in from?  I guess some people travel a lot and use a multitude of
ISPs, but surely it wouldn't take that long to build an appropriate
allow/permit list.

Ah well.  Each to his/her own when it comes to solving this problem.
Everyone likes something different/has a different method/etc. based on
their needs/styles.  :-)

-- 
| Jeremy Chadwick                                   jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
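Added example, not part of this thread: a parser for the identification string shown above, whose format ("SSH-protoversion-softwareversion SP comments CR LF") is defined in RFC 4253 section 4.2, with a check that reports when the comments field (the part sshd fills from VersionAddendum) advertises a FreeBSD patch-level date. The sample banners are constructed; only the first is the one quoted in the post.

```python
"""Parse SSH identification strings (RFC 4253 section 4.2) and flag banners
that expose a patch level, as the FreeBSD VersionAddendum default does.
Added example, not from the mailing-list thread; sample banners constructed."""
import re
from typing import NamedTuple, Optional

# RFC 4253 4.2: "SSH-protoversion-softwareversion SP comments CR LF".
# protoversion and softwareversion contain neither whitespace nor '-'.
_IDENT_RE = re.compile(
    r"^SSH-(?P<proto>[^-\s]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")
# FreeBSD's default addendum is "FreeBSD-YYYYMMDD" (the patch-level date).
_PATCHLEVEL_RE = re.compile(r"\bFreeBSD-(?P<date>\d{8})\b")

class SshIdent(NamedTuple):
    proto: str
    software: str
    comments: Optional[str]

def parse_ident(data: bytes) -> SshIdent:
    """Extract the identification string from the first bytes a server sends.
    Servers may send other lines first; clients ignore lines that do not
    start with "SSH-". Raises ValueError if no valid string is present."""
    for raw in data.split(b"\n"):
        line = raw.rstrip(b"\r").decode("ascii", errors="replace")
        if not line.startswith("SSH-"):
            continue
        if len(raw) + 1 > 255:  # RFC 4253 limit, CR LF included
            raise ValueError("identification line exceeds 255 bytes")
        m = _IDENT_RE.match(line)
        if not m:
            raise ValueError(f"malformed identification string: {line!r}")
        return SshIdent(m["proto"], m["software"], m["comments"])
    raise ValueError("no SSH identification string found")

def exposed_patch_level(ident: SshIdent) -> Optional[str]:
    """Return the patch-level date in the comments field, or None if the
    banner does not advertise one (e.g. VersionAddendum changed/disabled)."""
    if not ident.comments:
        return None
    m = _PATCHLEVEL_RE.search(ident.comments)
    return m["date"] if m else None

# Constructed samples: the banner quoted in the post, the same server with
# the addendum disabled, and a banner preceded by a non-identification line.
SAMPLES = {
    "freebsd_default": b"SSH-2.0-OpenSSH_5.2p1 FreeBSD-20090522\r\n",
    "addendum_disabled": b"SSH-2.0-OpenSSH_5.2p1\r\n",
    "with_preamble": b"Welcome\r\nSSH-2.0-OpenSSH_5.2p1 FreeBSD-20090522\r\n",
}

if __name__ == "__main__":
    for name, banner in SAMPLES.items():
        ident = parse_ident(banner)
        print(name, ident, "patch level:", exposed_patch_level(ident))
```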
