Re: Attacks on ssh port

From: Alex de Kruijff (freebsd_at_akruijff.dds.nl)
Date: 09/27/04

  • Next message: Jason Stone: "Re: compare-by-hash (was Re: sharing /etc/passwd)"
    Date: Mon, 27 Sep 2004 01:44:18 +0200
    To: Willem Jan Withagen <wjw@withagen.nl>
    
    

    On Sun, Sep 26, 2004 at 11:36:39PM +0200, Willem Jan Withagen wrote:
    > David D.W. Downey wrote:
    >
    > >On Fri, 24 Sep 2004 23:49:09 +0200, Alex de Kruijff
    > ><freebsd@akruijff.dds.nl> wrote:
    > >
    > >
    > >>>Then you can still see the attempts (and thus log the IP information
    > >>>for contacting the abuse@ for the responsible IP controller) while
    > >>>limiting your log sizes.
    > >>>
    > >>>
    > >>This only logs the first three catches (when the log attribute is set)
    > >>per rule. You may want to set this a little higher like 100.
    > >>
    > >>
    > >>
    > >
    > >while I agree my example of 3 was low (meant only to instruct) I would
    > >say more along the lines of 25. if someone is hitting you 25 times in
    > >a row and getting tagged by that rule, you can bet your *** it's not
    > >a client of yours.

    The way I understand it was that the rule doesn't discriminate on the
    basis of IP. It just counts them all together. But I could be wrong
    about this.

    > >
    > It is even simpler:
    > Anybody trying to use root as user for ssh-login is not a customer
    > of mine....
    > And if he has not figured out that he's doing something wrong after
    > 3 tries, little chance that he is really just making a mistake.

    This is the perspective of sshd. IPFW can't see this and this value is
    set for all rules. I use the logging facility mainly as a debugging tool.
    If I want a certain application to work that is being blocked by ipfw,
    then I flush the rule counters, run the app, check the log file, then
    add rules based on my findings and then do it all again until I can run
    the app. My fear is that you don't catch the rules you want to catch, if you
    set this value too low, while with a large(r) value, you still stop the
    logging.

    -- 
    Alex
    Articles based on solutions that I use:
    http://www.kruijff.org/alex/FreeBSD/
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
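
An added example, not part of the original thread: the per-rule log limit
discussed above counts every logged packet that matched the rule, whatever its
source, so the per-IP counting that the reply wants has to happen on the log
file afterwards. The script below does that over a few constructed ipfw syslog
lines (the "ipfw: RULE Deny TCP SRC:PORT DST:PORT in via IFACE" format), and
also spots the "limit N reached on entry RULE" message that marks where the
kernel stopped logging for a rule, since any per-IP count after that point is an
undercount. The ipfw_debug_cycle function sketches the reset/run/inspect loop
from the message; it needs root on FreeBSD and is not run here. The rule
numbers, addresses, threshold of 3 and /var/log/security path are assumptions
made for the example.

```sh
#!/bin/sh
# Added example; not code from the original thread. Sample lines below are
# constructed, not a real capture.

SAMPLE_LOG=$(cat <<'EOF'
Sep 27 01:40:01 gw kernel: ipfw: 1000 Deny TCP 192.0.2.10:4112 198.51.100.5:22 in via em0
Sep 27 01:40:03 gw kernel: ipfw: 1000 Deny TCP 192.0.2.10:4113 198.51.100.5:22 in via em0
Sep 27 01:40:05 gw kernel: ipfw: 1000 Deny TCP 203.0.113.7:50211 198.51.100.5:22 in via em0
Sep 27 01:40:07 gw kernel: ipfw: 1000 Deny TCP 192.0.2.10:4114 198.51.100.5:22 in via em0
Sep 27 01:40:09 gw kernel: ipfw: 900 Accept TCP 198.51.100.20:51000 198.51.100.5:22 in via em0
Sep 27 01:40:11 gw kernel: ipfw: 1000 Deny TCP 192.0.2.10:4115 198.51.100.5:22 in via em0
Sep 27 01:40:11 gw kernel: ipfw: limit 5 reached on entry 1000
EOF
)

# count_by_src: read ipfw log lines on stdin, print "COUNT IP" for every
# source address that was denied, most frequent first. Only Deny lines are
# counted; the field after "ipfw:" is the rule number, then the action,
# the protocol and the source ADDR:PORT.
count_by_src() {
    awk '{
           act = ""; src = ""
           for (i = 1; i <= NF; i++)
               if ($i == "ipfw:") { act = $(i+2); src = $(i+4); break }
           if (act == "Deny" && split(src, a, ":") >= 1) n[a[1]]++
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# offenders THRESHOLD: source IPs with at least THRESHOLD denied hits,
# i.e. the per-IP judgement the firewall log limit cannot make by itself.
offenders() {
    count_by_src | awk -v t="$1" '$1 >= t { print $2 }'
}

# limited_rules: rule numbers for which the kernel reported that the
# logging limit was reached, so their counts above are lower bounds.
limited_rules() {
    awk '/ipfw: limit [0-9]+ reached on entry [0-9]+/ { print $NF }' | sort -u
}

# ipfw_debug_cycle CMD: the reset/run/inspect loop described in the message.
# Assumes FreeBSD, root, and syslog writing ipfw output to /var/log/security.
# Raises the global per-rule limit so a chatty application is not cut off
# after a handful of entries, then resets the per-rule log counters so the
# next run starts from zero. Not executed in this example.
ipfw_debug_cycle() {
    sysctl net.inet.ip.fw.verbose_limit=100
    ipfw resetlog
    "$@"
    grep 'ipfw:' /var/log/security | tail -n 50
}

printf '%s\n' "$SAMPLE_LOG" | count_by_src
printf 'offenders (>= 3 denied hits):\n'
printf '%s\n' "$SAMPLE_LOG" | offenders 3
printf 'rules whose log limit was hit:\n'
printf '%s\n' "$SAMPLE_LOG" | limited_rules
```

On the sample, 192.0.2.10 is reported as an offender (4 denied hits), 203.0.113.7
is not (1 hit), the accepted connection is ignored, and rule 1000 is flagged as
having hit its log limit. A per-rule "log logamount N" on the ipfw rule itself
overrides the global sysctl for rules that deserve a longer history.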
    
