Thousands of ssh probes

Kevin Kinsey kdk at daleco.biz
Fri Mar 5 16:30:42 UTC 2010


mikel king wrote:
> 
> 
> Way back about 10 years ago, I was playing around with IPFW a lot. I 
> wrote a script to update IPFW from changes made to a MySQL db. It was a 
> just-for-fun project that turned out to be rather useful. I have some 
> developers that I managed who, like you, were road warriors. They logged 
> in to the https web page w/ their username and password, which grabbed 
> their IP address and stored it in a table along with their login id.
> 
> The script, called fud (for firewall update daemon), connected to the db 
> and ran a query to check for any rule changes. If there were, it would 
> apply them to the rule set and clear the change flag. Using this 
> combination I was able to allow ssh access only to the necessary ip 
> addresses.
>

We use a similar approach but only rely on tcpwrappers.
Here's what we do (simplified & obfuscated slightly), just
for reference (or, maybe commentary :-D )

On server:

[505] Fri 05.Mar.2010 10:21:37
[admin at foo][~] cat /etc/hosts.allow | grep sshd
# Wrapping sshd(8) is not normally a good idea, but if you
sshd:  /var/tmp/skyangel.ip : allow
sshd: all : deny

On "skyangel":

[13] Fri 05.Mar.2010 10:22:56
[admin at skyangel][~] sudo crontab -l |grep dhcp
@reboot			/usr/local/bin/php -q /root/scripts/dhcp.php
*   */4    *    *    *   /usr/local/bin/php -q /root/scripts/dhcp.php


"dhcp.php" uses lynx to dump a server-side HTTPS page and sends
a secret in the URI.  The server-side page is able to decrypt this
and determine it's really "skyangel", then writes the connecting
IP address to /var/tmp/skyangel.ip.

KDK
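The beacon described above, written out as an added example (this is not KDK's dhcp.php, and the token format, the parameter name `t`, the 300-second window and the WSGI-style handler are all assumptions). Instead of a static secret in the URI, which survives in web server logs and can be replayed, the client sends a timestamp plus an HMAC over it; the server checks the MAC in constant time, rejects stale timestamps, validates that REMOTE_ADDR is a real address, and writes the allowlist file atomically, since tcpwrappers re-reads a file pattern like `/var/tmp/skyangel.ip` on every connection and must never see a half-written one.

```python
"""Beacon-style allowlist update for tcpwrappers.
Added example, not the original dhcp.php; the token format, query
parameter name and time window below are assumptions."""
import hashlib
import hmac
import ipaddress
import os
import tempfile
import time
import urllib.parse
from typing import Optional, Tuple

TOKEN_WINDOW = 300  # seconds of clock skew / replay tolerated (assumed)


def make_token(secret: bytes, now: Optional[int] = None) -> str:
    """Client side: timestamp + HMAC-SHA256(secret, timestamp), so the
    URI carries a short-lived proof rather than the raw secret."""
    ts = int(time.time()) if now is None else now
    mac = hmac.new(secret, str(ts).encode(), hashlib.sha256).hexdigest()
    return f"{ts}.{mac}"


def verify_token(secret: bytes, token: str, now: Optional[int] = None,
                 window: int = TOKEN_WINDOW) -> bool:
    """Server side: constant-time MAC check plus a freshness window,
    which bounds replay of a token lifted from access logs."""
    try:
        ts_str, mac = token.split(".", 1)
        ts = int(ts_str)
    except ValueError:
        return False
    current = int(time.time()) if now is None else now
    if abs(current - ts) > window:
        return False
    expected = hmac.new(secret, ts_str.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def record_ip(path: str, ip: str) -> str:
    """Validate the address, then write via temp file + rename so the
    file tcpwrappers reads is always either the old or the new content."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on garbage
    directory = os.path.dirname(path) or "."
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".skyangel.")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(f"{addr}\n")
        os.chmod(tmp, 0o644)
        os.replace(tmp, path)  # atomic on POSIX
    except BaseException:
        os.unlink(tmp)
        raise
    return str(addr)


def handle_beacon(environ: dict, secret: bytes, path: str,
                  now: Optional[int] = None) -> Tuple[str, str]:
    """Minimal WSGI-style handler. REMOTE_ADDR, not X-Forwarded-For, is
    the address that will later reach sshd, so that is what is recorded."""
    qs = urllib.parse.parse_qs(environ.get("QUERY_STRING", ""))
    token = qs.get("t", [""])[0]
    if not verify_token(secret, token, now):
        return ("403 Forbidden", "")
    try:
        ip = record_ip(path, environ.get("REMOTE_ADDR", ""))
    except ValueError:
        return ("400 Bad Request", "")
    return ("200 OK", ip)


def demo() -> dict:
    """Run one good beacon and two bad ones in a scratch directory
    with constructed inputs; returns what each attempt produced."""
    secret = b"constructed-shared-secret"
    now = 1_000_000
    tok = make_token(secret, now=now)
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "skyangel.ip")
        good = handle_beacon({"QUERY_STRING": "t=" + tok,
                              "REMOTE_ADDR": "203.0.113.7"}, secret, path, now)
        bad_tok = handle_beacon({"QUERY_STRING": "t=nope",
                                 "REMOTE_ADDR": "203.0.113.8"}, secret, path, now)
        bad_ip = handle_beacon({"QUERY_STRING": "t=" + tok,
                                "REMOTE_ADDR": "not-an-ip"}, secret, path, now)
        with open(path) as f:
            contents = f.read()
    return {"good": good, "bad_tok": bad_tok, "bad_ip": bad_ip,
            "file": contents}


if __name__ == "__main__":
    print(demo())
```

On the client, `lynx -dump "https://host/beacon?t=$(token)"` with the token computed the same way is enough; the only state the server keeps is the file, so a lost beacon simply leaves the previous address in place until the next cron run.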