Hacked - FreeBSD 7.1-Release

Andresen, Jason R. jandrese at mitre.org
Mon Dec 28 15:44:46 UTC 2009


>From: Chris H
>
>On Tue, December 22, 2009 8:35 am, Andresen, Jason R. wrote:
>> Squirrel wrote:
>>
>>> most likely could be some kind of remote code execution or SQLi executed in
>>> the context of some php scripts, you should audit php code of your web
>>> interface and of the websites you host. also consider the strength of your
>>> passwords, lots of login attempts to ssh/ftp may mean he has tried a
>>> bruteforce (or a dictionary attack maybe). you should also check webmin logs,
>>> there are a few bruteforcers for webmin out there, (*hint*) consider the length
>>> of your average password if it's more than 7-8 characters alphanumeric with
>>> symbols most likely this isn't the case.
>>
>> While it's true that it's a good idea to check your password strength, pretty
>> much any host connected to the internet is going to be hit daily by bots
>> looking for weak passwords.  It's one area where your logs don't help much
>> because there is too much noise.
>That's why there's GREP(1), AWK(1), FIND(1), TAIL(1), and CAT(1).
>Consider the following...
>adding the following to your /etc/rc.conf:
>
># SECURITY RELATED
>####################################
>syslogd_flags="-ss"
>log_in_vain="YES"
>tcp_keepalive="YES"
>
>
>now your log file will /really/ sing (log_in_vain="YES").
>Of course, unless you have a great deal of time on your hands, visually parsing
>that "noisy" log will be quite tedious, and time consuming. So you have a few
>options...
>If you're running X11, simply run tail in a root window - there are quite a few
>utilities in ports for doing just this - some that'll only write messages you
>want to see.
>You could also create a script out of cron that will only produce messages you
>are interested in, for example:
>
>~# cat /var/log/messages | grep ssh
>
>will emit any attempt to ssh into your box
>you can also redirect the messages to a file:
>
>~# cat /var/log/messages | grep ssh >>~/EVIL_DOERS
>
>You could also add an entry to PERIODIC(8) that will
>provide a daily report on any attempts you are interested in.
>
>HTH
>

Your solution to excessive noise in the security log is to greatly increase the noise level?!?

The point is, if your machine is on the internet, then bots are going to try password attacks on any open port they can find.  It's just the sad fact of life on the current internet.  Unfortunately, this activity will also make it much more difficult to determine when you are under attack from an actual person, which was my point earlier.  It's one that is not going to be easy to solve either, unless you're willing to rewrite SSH to require every connection attempt to pass a Turing test or something. 
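A defender-side sketch of the daily report Chris H describes above, added here as an example and not part of the thread: it pulls sshd authentication failures and log_in_vain kernel lines out of syslog-format input, counts them per source address and reports only the sources above a threshold, which is one way to separate a concentrated attempt from the background bot noise Jason describes. The log lines are constructed, and the sshd/kernel message wording is assumed to match OpenSSH and FreeBSD output.

```shell
#!/bin/sh
# Constructed sample of syslog-format lines (not from the thread); the sshd and
# log_in_vain kernel message wording is assumed to match OpenSSH/FreeBSD output.
sample_log() {
cat <<'EOF'
Dec 22 08:31:02 host sshd[1234]: Invalid user admin from 192.0.2.10
Dec 22 08:31:05 host sshd[1236]: Failed password for invalid user admin from 192.0.2.10 port 4421 ssh2
Dec 22 08:31:07 host sshd[1238]: Failed password for root from 192.0.2.10 port 4422 ssh2
Dec 22 08:31:09 host sshd[1240]: Failed password for root from 192.0.2.10 port 4423 ssh2
Dec 22 08:35:11 host sshd[1250]: Failed password for root from 192.0.2.55 port 3001 ssh2
Dec 22 08:36:00 host sshd[1260]: Invalid user oracle from 192.0.2.77
Dec 22 08:36:02 host sshd[1262]: Failed password for invalid user oracle from 192.0.2.77 port 2200 ssh2
Dec 22 08:40:00 host sshd[1300]: Accepted publickey for jason from 198.51.100.7 port 50000 ssh2
Dec 22 08:41:00 host kernel: Connection attempt to TCP 203.0.113.5:23 from 192.0.2.77:51234 flags:0x02
Dec 22 08:41:01 host kernel: Connection attempt to TCP 203.0.113.5:25 from 192.0.2.77:51235 flags:0x02
Dec 22 08:42:00 host kernel: Connection attempt to UDP 203.0.113.5:161 from 192.0.2.99:40000
EOF
}

# Count failed sshd authentications per source address (stdin -> "count ip").
ssh_failures_by_source() {
    grep -E 'sshd\[[0-9]+\]: (Failed password|Invalid user) ' |
    sed -E 's/.* from ([0-9.]+).*/\1/' |
    sort | uniq -c | sort -rn
}

# Count log_in_vain "Connection attempt" kernel lines per source address.
in_vain_by_source() {
    grep -E 'kernel: Connection attempt to (TCP|UDP) ' |
    sed -E 's/.* from ([0-9.]+):[0-9]+.*/\1/' |
    sort | uniq -c | sort -rn
}

# Print "ip count" only for sources at or above the threshold (default 5):
# a handful of failures per address is the background bot noise, a single
# address far above it is worth a closer look.
report_ssh() {
    ssh_failures_by_source | awk -v t="${1:-5}" '$1 >= t { print $2, $1 }'
}

report_in_vain() {
    in_vain_by_source | awk -v t="${1:-5}" '$1 >= t { print $2, $1 }'
}

# Stand-alone run; for a real report replace sample_log with "cat /var/log/messages".
echo "ssh sources with >= 3 failures:";     sample_log | report_ssh 3
echo "in_vain sources with >= 2 attempts:"; sample_log | report_in_vain 2
```

Dropping the threshold to 1 shows every source, which is exactly the noisy view the thread is arguing about; the threshold is what makes the report readable.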

