Hacked - FreeBSD 7.1-Release

Chris H chris# at 1command.com
Mon Dec 28 22:59:54 UTC 2009


On Mon, December 28, 2009 7:44 am, Andresen, Jason R. wrote:
>> From: Chris H
>>
>>
>> On Tue, December 22, 2009 8:35 am, Andresen, Jason R. wrote:
>>
>>> Squirrel wrote:
>>>
>>>
>>>> most likely could be some kind of remote code execution or SQLi executed in
>>>> the context of some php scripts, you should audit php code of your web
>>>> interface and of the websites you host. also consider the strength of your
>>>> passwords, lots of login attempts to ssh/ftp may mean he has tried a
>>>> bruteforce (or a dictionary attack maybe). you should also check webmin logs,
>>>> there are a few bruteforcers for webmin out there, (*hint*) consider the length
>>>> of your average password if it's more than 7-8 characters alphanumeric with
>>>> symbols most likely this isn't the case.
>>>
>>> While it's true that it's a good idea to check your password strength, pretty
>>> much any host connected to the internet is going to be hit daily by bots
>>> looking for weak passwords.  It's one area where your logs don't help much
>>> because there is too much noise.
>> That's why there's GREP(1), AWK(1), FIND(1), TAIL(1), and CAT(1).
>> Consider adding the following to your /etc/rc.conf:
>>
>> # SECURITY RELATED
>> ####################################
>> syslogd_flags="-ss"
>> log_in_vain="YES"
>> tcp_keepalive="YES"
>>
>>
>> now your log file will /really/ sing (log_in_vain="YES"). Of course, unless
>> you have a great deal of time on your hands, visually parsing that "noisy" log
>> will be quite tedious, and time consuming. So you have a few options... If you're
>> running X11, simply run tail in a root window - there are quite a few utilities
>> in ports for doing just this - some that'll only write messages you want to
>> see. You could also create a script out of cron that will only produce
>> messages you are interested in, for example:
>>
>> ~# grep ssh /var/log/messages
>>
>>
>> will emit any attempt to ssh into your box. You can also redirect the messages
>> to a file:
>>
>> ~# grep ssh /var/log/messages >> ~/EVIL_DOERS
>>
>>
>> You could also add an entry to PERIODIC(8) that will
>> provide a daily report on any attempts you are interested in.
>>
>> HTH
>>
>>
>
> Your solution to excessive noise in the security log is to greatly increase the
> noise level?!?
>
> The point is, if your machine is on the internet, then bots are going to try
> password attacks on any open port they can find.  It's just the sad fact of
> life on the current internet.  Unfortunately, this activity will also make it
> much more difficult to determine when you are under attack from an actual
> person, which was my point earlier.  It's one that is not going to be easy to
> solve either, unless you're willing to rewrite SSH to require every connection
> attempt to pass a Turing test or something.
My point here was that by increasing the verbosity, you will more easily be able
to grep against login /failures/, and more easily discover dictionary/brute-force
attacks. It's certainly made my job easier, and hasn't required any modifications
to our current policies. You /have/ considered PF(4), haven't you? It's /really/
an excellent strategy for securing your network.

--Chris H
> _______________________________________________
> freebsd-stable at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-stable
> To unsubscribe, send any mail to "freebsd-stable-unsubscribe at freebsd.org"
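As an added example (not code from this thread or from FreeBSD itself), here is the kind of cron or periodic(8) report script Chris describes: it pulls sshd authentication failures and the kernel's log_in_vain "Connection attempt" lines out of /var/log/messages and ranks the source addresses, so the extra verbosity becomes a short daily summary instead of noise to read by hand. The lines in SAMPLE_LOG are constructed for illustration (they follow the formats sshd and the FreeBSD kernel use), and the function names are my own. To use it for real, point daily_report at /var/log/messages.

```shell
#!/bin/sh
# Added example: summarise sshd failures and log_in_vain refusals from
# a syslog file, grouped by source address.  Not from the original thread.

# Constructed sample of /var/log/messages content (illustrative only).
SAMPLE_LOG='Dec 28 22:01:02 host kernel: Connection attempt to TCP 192.0.2.10:23 from 198.51.100.7:51234 flags:0x02
Dec 28 22:01:05 host sshd[1234]: Failed password for root from 198.51.100.7 port 51240 ssh2
Dec 28 22:01:07 host sshd[1234]: Failed password for root from 198.51.100.7 port 51241 ssh2
Dec 28 22:01:09 host sshd[1237]: Invalid user admin from 203.0.113.5
Dec 28 22:01:10 host sshd[1237]: Failed password for invalid user admin from 203.0.113.5 port 40000 ssh2
Dec 28 22:02:00 host sshd[1240]: Accepted publickey for chris from 192.0.2.50 port 50001 ssh2
Dec 28 22:03:00 host kernel: Connection attempt to UDP 192.0.2.10:161 from 203.0.113.5:5555
Dec 28 22:04:00 host cron[99]: (root) CMD (/usr/libexec/atrun)'

# count_ssh_failures FILE: number of sshd "Failed password" lines.
count_ssh_failures() {
    grep -c 'sshd\[[0-9]*\]: Failed password' "$1"
}

# count_in_vain FILE: number of connections the kernel refused and logged
# because log_in_vain="YES" is set (TCP and UDP).
count_in_vain() {
    grep -c 'kernel: Connection attempt to' "$1"
}

# top_sources FILE: source addresses ranked by failed ssh logins plus
# refused connections, most active first ("<count> <address>" per line).
top_sources() {
    grep -E 'sshd\[[0-9]*\]: Failed password|kernel: Connection attempt to' "$1" \
      | sed -E 's/.* from ([0-9.]+)[ :].*/\1/' \
      | sort | uniq -c | sort -rn
}

# daily_report FILE: the text a periodic(8) or cron job would mail out.
daily_report() {
    echo "sshd authentication failures: $(count_ssh_failures "$1")"
    echo "log_in_vain refused connections: $(count_in_vain "$1")"
    echo "most active sources:"
    top_sources "$1"
}

# Stand-alone demo: write the constructed sample to a temporary file and
# report on it.  Replace "$TMP" with /var/log/messages for real use.
TMP=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$TMP"
daily_report "$TMP"
rm -f "$TMP"
```

Accepted logins and unrelated daemons (the cron line in the sample) are left out of the counts, which is what makes the report readable; a single address at the top with a large count is the dictionary or brute-force run Chris refers to, and is a natural candidate for a PF(4) table.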