system is under attack (what can I do more?)

Bruce Cran bruce at cran.org.uk
Fri Jun 18 12:34:05 UTC 2010 

On Friday 18 June 2010 13:23:27 Dino Vliet wrote:
> Dear freebsd list,
> My server, which is a amd64 system running freebsd 8.0 is currently under
> attack from a botnet or something. Take a look at my /var/log/auth.log
> file:
> 
[...]
> 
> I looked at this and especially the way they seem to try different
> usernames (not fully random though) is quite clever. The postgres user
> they tried, worried me at first but fortunately I realized that postgres
> wasn't running on that server. I have configured the AllowUser directive
> in sshd_config and it only contains 2 usernames which can log in from sshd
> remotely.
> 
> Another "line of defence" is my pf firewall config which has the following
> in it:
> 
> pass in proto tcp from any to any port ssh keep state (max-src-conn 3,
> max-src-conn-rate 2/30, overload <bruteforce> flush global)
> 
> However, almost none of the ip-addresses above end up in that bruteforce
> table.
> 
> Now my questions are:
> 1) why doesn't ip-address 190.38.59.236 for instance isn't triggered by my
> pf rule? Is that because this connection stays within the limits? Should I
> change that, but then again, considering the attack rate....what values
> would be suitable? 2) are there other things I could do?

These types of ssh probes are common nowadays. Unless you have a misconfigured 
server you don't need to worry about users like postgres, uucp, games, bin, 
operator, daemon  etc. because they won't have a shell configured and so won't 
be allowed to login.  The attacks have recently started working around rate 
limits by only trying from a single address every few minutes.  Since you're 
already using the AllowUsers directive I suspect you're not really at much 
risk, but there are a few things you could do:

1. Don't allow password authentication. It might be a bit of a hassle to set 
up, but it's so much simpler once it's running to authenticate via ssh keys 
and it stops the bots in their tracks.

2. Block IP ranges that you won't login from, or, if you know of places you 
will login from, only allow connections from those IP addresses.

3. Move sshd to a different port. I don't like this workaround since although 
it stops the attacks it's nonstandard and means you have to remember to 
specify the port each time you connect.

-- 
Bruce Cran

More information about the freebsd-questions mailing list