atom feed13 messages in org.freebsd.freebsd-securityReality check: IPFW sees SSH traffic ...
FromSent OnAttachments
David WolfskillMar 21, 2007 12:45 pm 
Tadas MiniotasMar 21, 2007 1:18 pm 
David WolfskillMar 21, 2007 1:32 pm 
Bill MoranMar 21, 2007 1:37 pm 
Richard JonesMar 21, 2007 2:12 pm 
Dan LukesMar 21, 2007 2:27 pm 
Bill MoranMar 21, 2007 2:29 pm 
W. D.Mar 21, 2007 2:44 pm 
Eygene RyabinkinMar 21, 2007 2:50 pm 
Julian ElischerMar 21, 2007 11:21 pm 
Carl MakinMar 21, 2007 11:22 pm 
VolkerMar 22, 2007 1:32 pm 
Eygene RyabinkinMar 23, 2007 11:36 am 
Subject:Reality check: IPFW sees SSH traffic that sshd does not?
From:Carl Makin (ca@xena.IPAustralia.gov.au)
Date:Mar 21, 2007 11:22:39 pm
List:org.freebsd.freebsd-security

On 22/03/2007, at 1:50 AM, Eygene Ryabinkin wrote:

You can use the following rule that will put very fast SSH connectors to the pf table ssh_scans:

----- pass in quick on $iface proto tcp from any to $ip port 22 flags S/ AUSPF \ keep state (max-src-conn 4, max-src-conn-rate 6/1, overload <ssh_scans> flush)

-----

Interesting, I really must get off my ass and look closely at pf.

I use the Simple Event Correlater (sec, in ports) to parse the auth logfile and add ipfw rules blocking the originating site once it sees 3 authentication failures of any kind from a single address. One of the sec rules looks like this;

----------------------- type=SingleWithThreshold ptype=RegExp pattern=Failed password for (\S+) from (\S+) port (\S+) ssh2 desc=SSH attack from $2 action=shellcmd /usr/local/bin/ipfwadd.sh "$2" ; pipe 'Failed password for $1 from $2' /usr/bin/ma il -s 'SSH Attack from $2' me@myaddress.com window=60 thresh=3

-----------------------

ipfwadd.sh is just

/sbin/ipfw add 25 deny log tcp from $1 to any in via tun0

-----------------------

I also have a rule that emails me whenever someone successfully logs into the system.

It's not foolproof, but it helps.

Carl.