Thousands of ssh probes
Kevin Kinsey
kdk at daleco.biz
Fri Mar 5 16:30:42 UTC 2010
mikel king wrote:
>
>
> Way back about 10 years ago, I was playing around with IPFW a lot. I
> wrote a script to update IPFW from changes made to a MySql db. It was a
> just-for-fun project that turned out to be rather useful. I have some
> developers that I managed who, like you, were road warriors. They logged
> in to the https web page w/ their username and password, which grabbed
> their IP address and stored it in a table with their login id.
>
> The script called fud (for firewall update daemon) connected to the db
> and ran a query to check for any rule changes. If there were, it would
> apply them to the rule set and clear the change flag. Using this
> combination I was able to allow ssh access only to the necessary IP
> addresses.
>
We use a similar approach but only rely on tcpwrappers.
Here's what we do (simplified & obfuscated slightly), just
for reference (or, maybe commentary :-D )
On server:
[505] Fri 05.Mar.2010 10:21:37
[admin at foo][~] cat /etc/hosts.allow | grep sshd
# Wrapping sshd(8) is not normally a good idea, but if you
sshd: /var/tmp/skyangel.ip : allow
sshd: all : deny
On "skyangel":
[13] Fri 05.Mar.2010 10:22:56
[admin at skyangel][~] sudo crontab -l |grep dhcp
@reboot /usr/local/bin/php -q /root/scripts/dhcp.php
* */4 * * * /usr/local/bin/php -q /root/scripts/dhcp.php
"dhcp.php" uses lynx to dump a server-side HTTPS page and sends
a secret in the URI. Server-side page is able to decrypt this
and determine it's really "skyangel", then writes the connecting
IP addy to /var/tmp/skyangel.ip.
KDK