Hacked - FreeBSD 7.1-Release
David Wolfskill
david at catwhisker.org
Tue Dec 29 17:14:51 UTC 2009
On Tue, Dec 29, 2009 at 03:20:37AM -0800, Jeremy Chadwick wrote:
> ...
> I've written my own script to do all of this. It parses periodic
> security mails (on a daily basis), and does WHOIS lookups + parses the
> results to tell me what netblocks/CIDRs I should consider blocking. For
> example, for a security mail that contains this:
>
> horus.sc1.parodius.com login failures:
> Dec 28 15:54:49 horus sshd[74684]: Failed password for root from 199.71.214.240 port 51197 ssh2
> Dec 28 15:54:49 horus sshd[74686]: Invalid user test from 199.71.214.240
> Dec 28 18:39:24 horus sshd[84742]: Failed password for root from 208.94.235.248 port 42979 ssh2
> Dec 28 18:39:25 horus sshd[84744]: Failed password for root from 208.94.235.248 port 43056 ssh2
> Dec 28 18:39:25 horus sshd[84746]: Failed password for root from 208.94.235.248 port 43156 ssh2
> Dec 28 18:39:26 horus sshd[84749]: Failed password for root from 208.94.235.248 port 43265 ssh2
> Dec 28 18:39:27 horus sshd[84751]: Failed password for root from 208.94.235.248 port 43356 ssh2
>
> The script would output the following:
>
> 199.71.214.240
> 199.71.212.0/22 Psychz Networks, Walnut, CA, US
> 208.94.235.248
> 208.94.232.0/22 WZ Communications Inc., Madison, WI, US
> 208.94.235.0/24 Soft-Com.biz, Inc., Panama, NA, PA
>
> Then manually (this is intentional) I go and add the entries I feel
> are relevant to a file called pf.conf.ssh-deny which our systems use to
> block SSH access.
> ...
I do something somewhat similar, though the implementation is rather
different. Like Jeremy, I choose to make the actual actions intentionally
manual.
Among salient points:
* Because I'm fairly familiar with it, I (still) use IPFW.
* I received a bit of a "prod" (thanks, Julian!) to use IPFW tables;
that's been quite helpful.
* I use a moderately quaint (and probably embarrassing) mixture of Perl
& Bourne shell scripts, as well as make, to extract the netblock
information from WHOIS, and to construct a persistent store that's
referenced at boot time.
* As a general rule, I try to report activity such as the above (to the
listed contact(s) from WHOIS). (When I do, I Bcc: myself and keep a
copy of all salient correspondence. Or bounce-o-grams.)
* For SSH (in particular), I do not rely only on the /var/log/security
entries created by sshd. Rather, I also configure IPFW to log all SSH
session-establishment requests. If I report the unwanted activity, I
provide both sets of log excerpts. (I often find probes logged by
IPFW that sshd does not log. And yes, I check the "block" list before
IPFW logs a "successful" SSH session-establishment request packet.)
* I use one table to block access to SSH. I have another for extreme
cases of abuse, where I block all traffic in either direction, and a
third for access to my Web server. I suppose I could also do something
similar for SMTP....
* I use this for machines that (may) connect directly to the Internet;
thus, my "firewall" machine certainly qualifies -- but so does my laptop.
* I have no mechanism in place to identify, let alone prune, stale
entries.
Peace,
david
--
David H. Wolfskill david at catwhisker.org
Depriving a girl or boy of an opportunity for education is evil.
See http://www.catwhisker.org/~david/publickey.gpg for my public key.
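The parsing step both posters describe, as an added example that is not code from either message: it reads the sshd lines of a periodic security mail (a constructed sample, modelled on the lines quoted above), counts failed-login sources, and prints candidate `ipfw table add` commands for an administrator to review by hand. The WHOIS step is left out so the script runs offline, and the table number and the threshold are assumptions, not values taken from the thread.

```shell
#!/bin/sh
# Added example, not from the original thread: extract source addresses from
# sshd "Failed password" / "Invalid user" lines and emit IPFW table entries
# as text for manual review. Nothing here touches the running firewall.

# Constructed sample input, modelled on the log excerpt quoted in the thread.
# The last line is a legitimate login and must not be counted.
SAMPLE_LOG='Dec 28 15:54:49 horus sshd[74684]: Failed password for root from 199.71.214.240 port 51197 ssh2
Dec 28 15:54:49 horus sshd[74686]: Invalid user test from 199.71.214.240
Dec 28 18:39:24 horus sshd[84742]: Failed password for root from 208.94.235.248 port 42979 ssh2
Dec 28 18:39:25 horus sshd[84744]: Failed password for root from 208.94.235.248 port 43056 ssh2
Dec 28 18:39:25 horus sshd[84746]: Failed password for root from 208.94.235.248 port 43156 ssh2
Dec 28 18:39:26 horus sshd[84749]: Failed password for root from 208.94.235.248 port 43265 ssh2
Dec 28 18:39:27 horus sshd[84751]: Failed password for root from 208.94.235.248 port 43356 ssh2
Dec 28 19:01:02 horus sshd[84900]: Accepted publickey for david from 192.0.2.10 port 50000 ssh2'

# count_failures: read sshd lines on stdin and print "count ip" per source,
# busiest source first. Only failed-password and invalid-user lines count.
count_failures() {
    awk '
        /sshd\[[0-9]+\]: (Failed password|Invalid user)/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) printf "%d %s\n", n[ip], ip }
    ' | sort -rn
}

# candidates: sources with at least $1 failures (assumed default: 3),
# one address per line, for the operator to inspect before acting.
candidates() {
    threshold=${1:-3}
    count_failures | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# ipfw_commands: turn addresses on stdin into the ipfw commands an operator
# would review and run by hand. Table 1 is an assumed convention.
ipfw_commands() {
    table=${1:-1}
    while read -r ip; do
        printf 'ipfw table %s add %s\n' "$table" "$ip"
    done
}

# Usage (prints the candidate commands; nothing is applied):
# printf '%s\n' "$SAMPLE_LOG" | candidates 3 | ipfw_commands 1
```

Keeping the final step as printed text rather than executing it preserves the deliberate manual review both posters describe; the threshold keeps a single mistyped password from ending up in the block table.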