Hacked - FreeBSD 7.1-Release

David Wolfskill david at catwhisker.org
Tue Dec 29 17:14:51 UTC 2009


On Tue, Dec 29, 2009 at 03:20:37AM -0800, Jeremy Chadwick wrote:
> ...
> I've written my own script to do all of this.  It parses periodic
> security mails (on a daily basis), and does WHOIS lookups + parses the
> results to tell me what netblocks/CIDRs I should consider blocking.  For
> example, for a security mail that contains this:
> 
> horus.sc1.parodius.com login failures:
> Dec 28 15:54:49 horus sshd[74684]: Failed password for root from 199.71.214.240 port 51197 ssh2
> Dec 28 15:54:49 horus sshd[74686]: Invalid user test from 199.71.214.240
> Dec 28 18:39:24 horus sshd[84742]: Failed password for root from 208.94.235.248 port 42979 ssh2
> Dec 28 18:39:25 horus sshd[84744]: Failed password for root from 208.94.235.248 port 43056 ssh2
> Dec 28 18:39:25 horus sshd[84746]: Failed password for root from 208.94.235.248 port 43156 ssh2
> Dec 28 18:39:26 horus sshd[84749]: Failed password for root from 208.94.235.248 port 43265 ssh2
> Dec 28 18:39:27 horus sshd[84751]: Failed password for root from 208.94.235.248 port 43356 ssh2
> 
> The script would output the following:
> 
> 199.71.214.240
>         199.71.212.0/22        Psychz Networks, Walnut, CA, US
> 208.94.235.248
>         208.94.232.0/22        WZ Communications Inc., Madison, WI, US
>         208.94.235.0/24        Soft-Com.biz, Inc., Panama, NA, PA
> 
> Then manually (this is intentional) I go and add the entries I feel
> are relevant to a file called pf.conf.ssh-deny which our systems use to
> block SSH access.
> ...

I do something somewhat similar, though the implementation is rather
different.  Like Jeremy, I choose to make the actual actions intentionally
manual.

Among salient points:

* Because I'm fairly familiar with it, I (still) use IPFW.
* I received a bit of a "prod" (thanks, Julian!) to use IPFW tables;
  that's been quite helpful.
* I use a moderately quaint (and probably embarrassing) mixture of Perl
  & Bourne shell scripts, as well as make, to extract the netblock
  information from WHOIS, and to construct a persistent store that's
  referenced at boot time.
* As a general rule, I try to report activity such as the above (to the
  listed contact(s) from WHOIS).  (When I do, I Bcc: myself and keep a
  copy of all salient correspondence.  Or bounce-o-grams.)
* For SSH (in particular), I do not rely only on the /var/log/security
  entries created by sshd.  Rather, I also configure IPFW to log all SSH
  session-establishment requests.  If I report the unwanted activity, I
  provide both sets of log excerpts.  (I often find probes logged by
  IPFW that sshd does not log.  And yes, I check the "block" list before
  IPFW logs a "successful" SSH session-establishment request packet.)
* I use one table to block access to SSH.  I have another for extreme
  cases of abuse, where I block all traffic in either direction, and a
  third for access to my Web server.  I suppose I could also do something
  similar for SMTP....
* I use this for machines that (may) connect directly to the Internet;
  thus, my "firewall" machine certainly qualifies -- but so does my laptop.
* I have no mechanism in place to identify, let alone prune, stale
  entries.

Peace,
david
-- 
David H. Wolfskill				david at catwhisker.org
Depriving a girl or boy of an opportunity for education is evil.

See http://www.catwhisker.org/~david/publickey.gpg for my public key.
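Added example, not code from either poster: a minimal Python sketch of the parse-then-review step both messages describe, fed the sshd lines quoted above as constructed input. The WHOIS lookup is omitted (it needs network access), the already-blocked netblock list is an assumption, and the output is only a list of `ipfw table` commands for a human to review, matching the intentionally manual step.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the sshd excerpt from the periodic security mail quoted above.
SECURITY_MAIL = """\
Dec 28 15:54:49 horus sshd[74684]: Failed password for root from 199.71.214.240 port 51197 ssh2
Dec 28 15:54:49 horus sshd[74686]: Invalid user test from 199.71.214.240
Dec 28 18:39:24 horus sshd[84742]: Failed password for root from 208.94.235.248 port 42979 ssh2
Dec 28 18:39:25 horus sshd[84744]: Failed password for root from 208.94.235.248 port 43056 ssh2
"""

# Assumption: netblocks already present in the deny table (hypothetical value).
ALREADY_BLOCKED = ["208.94.232.0/22"]

# sshd logs both "Failed password for root ..." and "Failed password for invalid user x ..."
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")
INVALID = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from (\d+\.\d+\.\d+\.\d+)")

def parse_failures(text):
    """Return {ip: {"count": n, "users": set()}} for the sshd lines in text."""
    hits = defaultdict(lambda: {"count": 0, "users": set()})
    for line in text.splitlines():
        m = FAILED.search(line) or INVALID.search(line)
        if not m:
            continue
        user, ip = m.group(1), m.group(2)
        hits[ip]["count"] += 1
        hits[ip]["users"].add(user)
    return dict(hits)

def covered_by(ip, cidrs):
    """Return the first CIDR in cidrs that already contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for cidr in cidrs:
        if addr in ipaddress.ip_network(cidr):
            return cidr
    return None

def candidates(text, blocked, min_count=2):
    """Source IPs with at least min_count failures and no covering netblock yet."""
    return [ip for ip, info in sorted(parse_failures(text).items())
            if info["count"] >= min_count and covered_by(ip, blocked) is None]

def ipfw_commands(ips, table=1):
    """Render one 'ipfw table N add' line per address for manual review."""
    return [f"ipfw table {table} add {ip}" for ip in ips]

if __name__ == "__main__":
    print("\n".join(ipfw_commands(candidates(SECURITY_MAIL, ALREADY_BLOCKED))))
```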