Re: SSH Brute Force Attacks Abound - and thanks!

2008-01-11 Thread Nick Gustas
Lars Noodén wrote: I suppose another option is to use pf to filter out all incoming traffic to the servers originating from Windows computers maybe except to relevant services like http port or https. If we could see a blanket ban on connecting Windows machines to the net, things would improve

Re: SSH Brute Force Attacks Abound - and thanks!

2008-01-11 Thread Stuart Henderson
On 2008/01/11 12:18, Claer wrote: > Sorry for not being that clear. I was talking about auto mailing whois > address block abuse contacts. maybe you could get it to auto-mail *you* with the details to make it easier to send that onwards, but don't auto-mail whois contacts. you're asking people to

Re: SSH Brute Force Attacks Abound - and thanks!

2008-01-11 Thread Stuart Henderson
On 2008/01/11 11:07, Jason McIntyre wrote: > On Fri, Jan 11, 2008 at 10:51:41AM +, Stuart Henderson wrote: > > On 2008/01/11 12:33, Lars Noodin wrote: > > > > > > I suppose another option is to use pf to filter out all incoming traffic > > > to the servers originating from Windows computers >

Re: SSH Brute Force Attacks Abound - and thanks!

2008-01-11 Thread Peter N. M. Hansteen

Re: SSH Brute Force Attacks Abound - and thanks!

2008-01-11 Thread Paul de Weerd
On Fri, Jan 11, 2008 at 11:07:49AM +0001, Jason McIntyre wrote: | > an inclusive match is usually better e.g. | > pass proto tcp from any os "OpenBSD" to port ssh | | that could be less useful if you have ipv6 connections in, no? since | pf.os(5) claims only to be able to fingerprint hosts "that o

Re: : SSH Brute Force Attacks Abound - and thanks!

2008-01-11 Thread scott
Niskanen <[EMAIL PROTECTED]> To: misc@openbsd.org Subject: Re: : SSH Brute Force Attacks Abound - and thanks! Date: Fri, 11 Jan 2008 11:12:00 +0100 Mailer: Mutt/1.5.9i Delivered-To: [EMAIL PROTECTED] On Fri, Jan 11, 2008 at 09:28:57AM +, Khalid Schofield wrote: > put this in pf.conf >

Re: SSH Brute Force Attacks Abound - and thanks!

2008-01-11 Thread Lars Noodén
Peter N. M. Hansteen wrote: > Claer <[EMAIL PROTECTED]> writes: > >> I always hesitate to use this trick. Could you please develop more the >> implications of this method? Is it still effective? > > Yes, it's still effective. You need to put in whatever values you > feel are appropriate for your

Re: SSH Brute Force Attacks Abound - and thanks!

2008-01-11 Thread Claer
On Fri, Jan 11 2008 at 47:11, Peter N. M. Hansteen wrote: > Claer <[EMAIL PROTECTED]> writes: > > > I always hesitate to use this trick. Could you please develop more the > > implications of this method? Is it still effective? > Yes, it's still effective. You need to put in whatever values you >

Re: SSH Brute Force Attacks Abound - and thanks!

2008-01-11 Thread Jason McIntyre
On Fri, Jan 11, 2008 at 10:51:41AM +, Stuart Henderson wrote: > On 2008/01/11 12:33, Lars Noodin wrote: > > > > I suppose another option is to use pf to filter out all incoming traffic > > to the servers originating from Windows computers > > you can take a look for yourself with tcpdump -O,

Re: SSH Brute Force Attacks Abound - and thanks!

2008-01-11 Thread Martin Schröder
http://home.nuug.no/~peter/pf/en/long-firewall.html#BRUTEFORCE Best Martin

Re: SSH Brute Force Attacks Abound - and thanks!

2008-01-11 Thread Stuart Henderson
On 2008/01/11 12:33, Lars Noodin wrote: > > I suppose another option is to use pf to filter out all incoming traffic > to the servers originating from Windows computers you can take a look for yourself with tcpdump -O, but I think you'll find the ssh scans are more likely to be from some variety

Re: SSH Brute Force Attacks Abound - and thanks!

2008-01-11 Thread Peter N. M. Hansteen
Claer <[EMAIL PROTECTED]> writes: > I always hesitate to use this trick. Could you please develop more the > implications of this method? Is it still effective? Yes, it's still effective. You need to put in whatever values you feel are appropriate for your network and users. In Lars' example,

Re: SSH Brute Force Attacks Abound - and thanks!

2008-01-11 Thread Lars Noodén
Claer wrote: > On Fri, Jan 11 2008 at 24:11, Lars Noodén wrote: ... >> Regarding the logs, one thing that worked in the past was giving the >> netblock owner a hard time. It's their responsibility. It's not too >> hard to make up a shellscript (or use another scripting language) which >> automate

Re: : SSH Brute Force Attacks Abound - and thanks!

2008-01-11 Thread Raimo Niskanen
On Fri, Jan 11, 2008 at 09:28:57AM +, Khalid Schofield wrote: > put this in pf.conf > Is not this missing from the recipe:? block quick from > pass in on $ext_if proto tcp from any to ($ext_if) port ssh \ > flags S/SA keep state \ > (max-src-conn-rate 3/30, overload flush

Re: SSH Brute Force Attacks Abound - and thanks!

2008-01-11 Thread Claer
On Fri, Jan 11 2008 at 24:11, Lars Noodén wrote: > Kennith Mann III wrote: > > ... > > While moving the SSH port doesn't help much against anyone running an > > nmap scan, it stops blind port 22 scans that run generic password > > hacks and filling your logs with crap, > > Overloads help a bit: >

Re: SSH Brute Force Attacks Abound - and thanks!

2008-01-11 Thread Khalid Schofield
put this in pf.conf pass in on $ext_if proto tcp from any to ($ext_if) port ssh \ flags S/SA keep state \ (max-src-conn-rate 3/30, overload flush global) :) enjoy On 10 Jan 2008, at 21:53, Ken wrote: A practical example, real life, last night. I was replacing my hard d

Re: SSH Brute Force Attacks Abound - and thanks!

2008-01-11 Thread Khalid Schofield
damn you, seconds ahead of my reply with the same info :) On 11 Jan 2008, at 09:24, Lars Noodin wrote: Kennith Mann III wrote: ... While moving the SSH port doesn't help much against anyone running an nmap scan, it stops blind port 22 scans that run generic password hacks and filling your logs

Re: SSH Brute Force Attacks Abound - and thanks!

2008-01-11 Thread Lars Noodén
Kennith Mann III wrote: > ... > While moving the SSH port doesn't help much against anyone running an > nmap scan, it stops blind port 22 scans that run generic password > hacks and filling your logs with crap, Overloads help a bit: pass in on $ext_if proto tcp to ($ext_if) port ssh

Re: SSH Brute Force Attacks Abound - and thanks!

2008-01-11 Thread Kennith Mann III
On 1/10/08, Ken <[EMAIL PROTECTED]> wrote: > I never see anything like that, since my pf rules only allow me to ssh back > to home from my work IP range. > > In the space of about 15 minutes before I enabled pf all of the following > users were tried, probably > by an automated script: It appe

Re: SSH Brute Force Attacks Abound - and thanks!

2008-01-10 Thread Obiozor Okeke
Wow, I read your email and checked my authlog and was astounded by the number hack attempts. Thankfully, I configured my OpenBSD firewall with recommended access controls. Thanks to all the dedicated OpenBSD developers and community! Support the project and encourage the purchase of more OpenBSD

SSH Brute Force Attacks Abound - and thanks!

2008-01-10 Thread Ken
A practical example, real life, last night. I was replacing my hard drive on my home broadband OBSD firewall, and it was taking a few minutes to copy over the old pf.conf and enable the firewall. I had installed the latest snapshot as a fresh image and restarted. It took a little while to set

Re: SSH brute force attacks no longer being caught by PF rule

2007-08-13 Thread David Newman
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 8/13/07 5:25 AM, Stuart Henderson wrote: > On 2007/08/13 13:51, [EMAIL PROTECTED]@mgedv.net wrote: >> why don't you just switch your ssh port to a different one. > > In my case, because it annoys me, and max-src-conn-rate doesn't. I concur, and wo

Re: SSH brute force attacks no longer being caught by PF rule

2007-08-13 Thread Stuart Henderson
On 2007/08/13 13:51, [EMAIL PROTECTED]@mgedv.net wrote: > > why don't you just switch your ssh port to a different one. In my case, because it annoys me, and max-src-conn-rate doesn't.

Re: SSH brute force attacks no longer being caught by PF rule

2007-08-13 Thread Henning Brauer
* Joachim Schipper <[EMAIL PROTECTED]> [2007-08-13 12:25]: > > connection multiplexing can be useful for this sort of thing. > Yes, it would be, but I never got it to work reliably (Subversion likes > to close connections before opening the next one, etc). Did you? If so, > could you share the scri

Re: SSH brute force attacks no longer being caught by PF rule

2007-08-13 Thread [EMAIL PROTECTED]@mgedv.net
- Original Message - From: "Stuart Henderson" <[EMAIL PROTECTED]> To: "OpenBSD" Sent: Monday, August 13, 2007 1:30 PM Subject: Re: [misc] SSH brute force attacks no longer being caught by PF rule On 2007/08/13 12:14, Joachim Schipper wrote: > > Th

Re: SSH brute force attacks no longer being caught by PF rule

2007-08-13 Thread Stuart Henderson
On 2007/08/13 12:14, Joachim Schipper wrote: > > > > This still needs a 3-way handshake to be completed, it's not so > > easy to blindly spoof. Main problem is if the attacker comes from > > the same IP address as a legitimate user (NAT etc). > > Yes, that is one of the main problems. The other i

Re: SSH brute force attacks no longer being caught by PF rule

2007-08-13 Thread Janne Johansson
Joachim Schipper wrote: Finally, Subversion over SSH uses lots of connections, should you ever want to use that. connection multiplexing can be useful for this sort of thing. Yes, it would be, but I never got it to work reliably (Subversion likes to close connections before opening the next o

Re: SSH brute force attacks no longer being caught by PF rule

2007-08-13 Thread Joachim Schipper
On Mon, Aug 13, 2007 at 10:10:14AM +0100, Stuart Henderson wrote: > On 2007/08/09 12:22, Joachim Schipper wrote: > > > > > > > > # Define some variable for clarity > > > > SSH_LIMIT="(max-src-conn-rate 3/30, overload flush global)" > > > > > > > > # Allow quick valid traffic to ssh but log all a

Re: SSH brute force attacks no longer being caught by PF rule

2007-08-13 Thread Stuart Henderson
On 2007/08/09 12:22, Joachim Schipper wrote: > > > > > > # Define some variable for clarity > > > SSH_LIMIT="(max-src-conn-rate 3/30, overload flush global)" > > > > > > # Allow quick valid traffic to ssh but log all attempts as well > > > pass in log quick on $ext_if inet proto tcp from ! \ >

Re: SSH brute force attacks no longer being caught by PF rule

2007-08-09 Thread Joachim Schipper
On Thu, Aug 09, 2007 at 10:29:19AM -0700, David Newman wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > On 8/9/07 10:24 AM, David Newman wrote: > > On 8/9/07 3:22 AM, Joachim Schipper wrote: > > > >>> # Allow quick valid traffic to ssh but log all attempts as well > >>> pass in log qu

Re: SSH brute force attacks no longer being caught by PF rule

2007-08-09 Thread David Newman
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 8/9/07 10:24 AM, David Newman wrote: > On 8/9/07 3:22 AM, Joachim Schipper wrote: > >>> # Allow quick valid traffic to ssh but log all attempts as well >>> pass in log quick on $unpro inet proto tcp from ! \ >>>to $unpro port ssh $SSH_LIMIT >>

Re: SSH brute force attacks no longer being caught by PF rule

2007-08-09 Thread David Newman
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 8/9/07 3:22 AM, Joachim Schipper wrote: >> # Allow quick valid traffic to ssh but log all attempts as well >> pass in log quick on $unpro inet proto tcp from ! \ >>to $unpro port ssh $SSH_LIMIT > > Skip '! ' unless it's intended as documentat

Re: SSH brute force attacks no longer being caught by PF rule

2007-08-09 Thread Cristiano Deana
2007/7/2, Steve B <[EMAIL PROTECTED]>: > I'm the one who started this thread. If I can block them for an hour without > a table that would be even better.. I was using the file to store the IP's > as they were identified by the rule and had been planning to use the > expiretable package to start c

Re: SSH brute force attacks no longer being caught by PF rule

2007-08-09 Thread Joachim Schipper
On Wed, Aug 08, 2007 at 10:26:11AM -0700, David Newman wrote: > On 6/27/07 10:39 PM, Daniel Ouellet wrote: > > Put quickly as an example, but [to block SSH scans] you can try: > > > > # Define some variable for clarity > > SSH_LIMIT="(max-src-conn-rate 3/30, overload flush global)" > > > > ## SS

Re: SSH brute force attacks no longer being caught by PF rule

2007-08-08 Thread Marc Balmer
Allie D. wrote: I just had to reply with this info because I already had an attempted brute force in the last hour. All you need to do is make your rule tighter and add a connection rate ratio to start collecting IP's. we use pf os fingerprinting to only allow ssh connections from openbsd hos

Re: SSH brute force attacks no longer being caught by PF rule

2007-08-08 Thread Daniel Cid
Please, don't use grok for that! From what I saw it is vulnerable to very simple log injection attacks (you need much more strict regexes): http://www.ossec.net/en/attacking-loganalysis.html Be very careful when parsing logs for automated remediation... Thanks, -- Daniel B. Cid dcid ( at ) oss

Re: SSH brute force attacks no longer being caught by PF rule

2007-08-08 Thread Allie D.
I just had to reply with this info because I already had an attempted brute force in the last hour. All you need to do is make your rule tighter and add a connection rate ratio to start collecting IP's. ( I use logsentry/logcheck) Security Violations =-=-=-=-=-=-=-=-=-= Aug 8 11:48:16 traci sshd[

Re: SSH brute force attacks no longer being caught by PF rule

2007-08-08 Thread Rob
On 8/8/07, Daniel Cid <[EMAIL PROTECTED]> wrote: > Please, don't use grok for that! From what I saw it is > vulnerable to very simple log injection attacks (you > need much more string regexes): > > http://www.ossec.net/en/attacking-loganalysis.html Ack. Thanks for pointing that out. Some attacks

Re: SSH brute force attacks no longer being caught by PF rule

2007-08-08 Thread Allie D.
3 times in 30 seconds as a src connection rate is pretty conservative and you don't have a connection rate trap. I run max-src-conn 5, max-src-conn-rate 5/5 and nail every one. Of course you'll see the first few attempts, but once they tickle that max-src-conn rule they get shutdown. -- ~Allie D.
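The two settings argued over here (the thread's 3/30 and Allie's 5/5) and the NAT problem Stuart raised earlier in the thread (a scanner sharing an address with a legitimate user) can be replayed against a model of what the overload rule does. The block below is an added example, not code from the thread or from pf: a Python sliding-window model of max-src-conn-rate with overload and flush. pf computes the rate as a moving-average approximation, so a real firewall may trip one event earlier or later than this exact window; the traffic, the table name bruteforce (taken from the pfctl expire example later in the thread) and the documentation-range addresses are all constructed.

```python
"""Sliding-window model of pf's max-src-conn-rate / overload / flush behaviour.

Added illustration, not code from the thread or from pf.  pf uses a
moving-average approximation of the rate; this uses an exact window.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class Result:
    accepted: list = field(default_factory=list)    # (t, src): state created
    blocked: list = field(default_factory=list)     # (t, src): dropped
    overloaded: dict = field(default_factory=dict)  # src -> time added to table
    flushed: dict = field(default_factory=dict)     # src -> states killed by flush


def simulate(handshakes, max_conns, window, flush=True):
    """Replay completed TCP handshakes against a rule of the form
    (max-src-conn-rate max_conns/window, overload <bruteforce> flush global).

    handshakes: iterable of (t_seconds, src_ip).  pf only counts connections
    that completed the 3-way handshake, so blindly spoofed SYNs never count.
    A source exceeding max_conns handshakes within `window` seconds is added
    to the overload table; the tripping connection is dropped, every later
    one is blocked, and with flush=True all of the source's existing states
    (a legitimate user's session behind the same NAT included) are killed.
    """
    recent = defaultdict(deque)     # src -> handshake timestamps inside the window
    open_states = defaultdict(int)  # src -> states currently alive
    table = {}                      # the <bruteforce> table: src -> trip time
    res = Result()
    for t, src in sorted(handshakes):
        if src in table:            # block quick from <bruteforce>
            res.blocked.append((t, src))
            continue
        q = recent[src]
        while q and t - q[0] > window:   # forget handshakes older than the window
            q.popleft()
        q.append(t)
        if len(q) > max_conns:      # rate exceeded: overload
            table[src] = t
            res.overloaded[src] = t
            res.blocked.append((t, src))
            if flush:               # flush global: kill every state from src
                res.flushed[src] = open_states[src]
                open_states[src] = 0
            continue
        open_states[src] += 1
        res.accepted.append((t, src))
    return res


# Constructed traffic (not from the thread): a slow scanner, a human on a
# second host, and the NAT case where a scanner and a legitimate session
# share 203.0.113.5.
SCANNER = [(0, "192.0.2.10"), (5, "192.0.2.10"), (10, "192.0.2.10"),
           (15, "192.0.2.10"), (20, "192.0.2.10")]
HUMAN = [(0, "198.51.100.7"), (100, "198.51.100.7")]
NAT = [(0, "203.0.113.5")] + [(50 + i, "203.0.113.5") for i in range(4)] + [(60, "203.0.113.5")]

if __name__ == "__main__":
    r = simulate(SCANNER + HUMAN + NAT, max_conns=3, window=30)
    print("3/30 overloaded:", r.overloaded, "states flushed:", r.flushed)
    print("5/5  overloaded:", simulate(SCANNER, max_conns=5, window=5).overloaded)
```

With 3/30 the scanner is tabled on its fourth handshake and the NAT address on the fourth scan connection, which also flushes the human session that was already open from that address. With 5/5 the same slow scanner (one attempt every five seconds) is never tabled at all; it only trips on a burst of six handshakes inside five seconds, which is the trade-off Allie describes.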

Re: SSH brute force attacks no longer being caught by PF rule

2007-08-08 Thread Rob
Although this doesn't answer your actual pf question, you might try using a tool called Grok (http://www.semicomplete.com/projects/grok/). It's a pretty decent log watcher written in Perl, designed to do exactly this sort of thing. You define matches and reactions in its config file (match = "Illeg
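Daniel Cid's warning above about log injection applies to any log-watcher approach like the grok setup Rob describes: if the pattern takes the first "from <address>" after the username, the client chooses which address gets blocked. The block below is an added example, not code from the thread, from grok or from OSSEC. The authlog lines are constructed; the third and fourth carry a username sent as "x from 10.0.0.1", assuming sshd logs the name as received. The pfctl invocation and the table name bruteforce follow the pfctl example elsewhere in the thread; the argv is returned rather than executed.

```python
"""Naive vs. anchored authlog parsing for automated pf blocking.

Added illustration, not code from the thread, grok or OSSEC.  Sample lines
are constructed; the injected username assumes sshd logs names as sent.
"""
import ipaddress
import re
from collections import Counter

SAMPLE_AUTHLOG = """\
Aug  8 11:48:16 gw sshd[21234]: Invalid user admin from 192.0.2.10
Aug  8 11:48:16 gw sshd[21234]: Failed password for invalid user admin from 192.0.2.10 port 4321 ssh2
Aug  8 11:48:20 gw sshd[21240]: Invalid user x from 10.0.0.1 from 192.0.2.10
Aug  8 11:48:20 gw sshd[21240]: Failed password for invalid user x from 10.0.0.1 from 192.0.2.10 port 4330 ssh2
Aug  8 11:49:01 gw sshd[21250]: Failed password for root from 198.51.100.7 port 50022 ssh2
Aug  8 11:49:30 gw sshd[21260]: Accepted publickey for ops from 203.0.113.5 port 40000 ssh2
"""

# Naive: the first "from <token>" after the username wins, so text the client
# placed inside the username decides which address is reported.
NAIVE = re.compile(r"(?:Invalid user|Failed password for(?: invalid user)?) (\S+) from (\S+)")

# Hardened: anchor on the fixed trailer sshd writes after the peer address and
# the end of line; the greedy .* absorbs whatever the client sent as a name.
IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
HARDENED = [
    re.compile(r" sshd\[\d+\]: Invalid user .* from " + IPV4 + r"$"),
    re.compile(r" sshd\[\d+\]: Failed password for .* from " + IPV4 + r" port \d+ ssh2$"),
]


def offenders_naive(log):
    """Per-address failure counts as a first-'from' regex sees them."""
    counts = Counter()
    for line in log.splitlines():
        m = NAIVE.search(line)
        if m:
            counts[m.group(2)] += 1
    return counts


def offenders_hardened(log):
    """Per-address failure counts using end-anchored patterns plus validation."""
    counts = Counter()
    for line in log.splitlines():
        for pat in HARDENED:
            m = pat.search(line)
            if not m:
                continue
            try:
                ip = str(ipaddress.ip_address(m.group(1)))  # rejects 999.1.1.1 etc.
            except ValueError:
                break
            counts[ip] += 1
            break
    return counts


def pfctl_add_argv(counts, threshold, table="bruteforce"):
    """argv that would add every source at or above threshold to the pf table.
    Returned, not executed, so it can be inspected before anything is blocked."""
    ips = sorted(ip for ip, n in counts.items() if n >= threshold)
    return ["pfctl", "-t", table, "-T", "add", *ips] if ips else []


if __name__ == "__main__":
    print("naive   :", dict(offenders_naive(SAMPLE_AUTHLOG)))
    print("hardened:", dict(offenders_hardened(SAMPLE_AUTHLOG)))
    print(" ".join(pfctl_add_argv(offenders_hardened(SAMPLE_AUTHLOG), 3)))
```

On the sample, the naive counter credits two failures to 10.0.0.1, an address that never connected, and splits the real scanner's four failures so it stays under a threshold of three; the anchored patterns attribute all four to 192.0.2.10. The same anchoring protects against a username crafted to end in "port 1 ssh2", because the match must consume the line through the trailer sshd itself wrote.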

Re: SSH brute force attacks no longer being caught by PF rule

2007-08-08 Thread David Newman
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 6/27/07 10:39 PM, Daniel Ouellet wrote: > Steve B wrote: >> The rule I've had in my pf.conf file to catch and block forceful SSH >> attempts no longer appears to be working. I see the entries in my >> authlog, >> but the IPs are no longer getting ad

Re: SSH brute force attacks no longer being caught by PF rule

2007-07-02 Thread Peter N. M. Hansteen
"Steve B" <[EMAIL PROTECTED]> writes: > I'm the one who started this thread. If I can block them for an hour without > a table that would be even better. Sure, you could have a frequently running cron job which does a pfctl -t bruteforce -T expire 3600 (OpenBSD 4.1 onwards) or use expiretable.

Re: SSH brute force attacks no longer being caught by PF rule

2007-07-02 Thread Steve B
On 6/28/07, Martin Schröder <[EMAIL PROTECTED]> wrote: > > 2007/6/28, J.D. Bronson <[EMAIL PROTECTED]>: > > so if it wont write to a file...I presume it blocks > > whats listed in /etc/tables/scanners permanently and then only > > blocks NEW offenders via kernel memory? > > (can someone clarify my

Re: SSH brute force attacks no longer being caught by PF rule

2007-06-28 Thread Martin Schröder
2007/6/28, J.D. Bronson <[EMAIL PROTECTED]>: so if it wont write to a file...I presume it blocks whats listed in /etc/tables/scanners permanently and then only blocks NEW offenders via kernel memory? (can someone clarify my understanding of that? Do you really need a file? In my experience bloc

Re: SSH brute force attacks no longer being caught by PF rule

2007-06-28 Thread Daniel Ouellet
J.D. Bronson wrote: Guys...I was not the one that started this thread.. I just chimed in and asked for a tweak on the setup. Sorry for my mistake then. I should refrain from replying on lack of sleep. (;> I have what I need for now :) Glad it helped you nevertheless.

Re: SSH brute force attacks no longer being caught by PF rule

2007-06-28 Thread J.D. Bronson
Guys...I was not the one that started this thread.. I just chimed in and asked for a tweak on the setup. I have what I need for now :) -JD At 11:54 AM 06/28/2007, Daniel Ouellet wrote: J.D. Bronson wrote: At 08:56 AM 06/28/2007, Stuart Henderson wrote: On 2007/06/28 08:46, J.D. Bronson wrote

Re: SSH brute force attacks no longer being caught by PF rule

2007-06-28 Thread Daniel Ouellet
J.D. Bronson wrote: At 08:56 AM 06/28/2007, Stuart Henderson wrote: On 2007/06/28 08:46, J.D. Bronson wrote: > Will NEW offenders be added to /etc/tables/scanners > as they are discovered and therefore not just remain in kernel? No, pf does not write to files. How about cron(8) and pfctl(8) ins

Re: SSH brute force attacks no longer being caught by PF rule

2007-06-28 Thread Stuart Henderson
On 2007/06/28 09:02, J.D. Bronson wrote: > At 08:56 AM 06/28/2007, Stuart Henderson wrote: >> On 2007/06/28 08:46, J.D. Bronson wrote: >> > Will NEW offenders be added to /etc/tables/scanners >> > as they are discovered and therefore not just remain in kernel? >> >> No, pf does not write to files.

Re: SSH brute force attacks no longer being caught by PF rule

2007-06-28 Thread Bill
On Thu, 28 Jun 2007 09:02:43 -0500 "J.D. Bronson" <[EMAIL PROTECTED]> wrote: > At 08:56 AM 06/28/2007, Stuart Henderson wrote: > >On 2007/06/28 08:46, J.D. Bronson wrote: > > > Will NEW offenders be added to /etc/tables/scanners > > > as they are discovered and therefore not just remain in kernel?

Re: SSH brute force attacks no longer being caught by PF rule

2007-06-28 Thread Joachim Schipper
On Wed, Jun 27, 2007 at 09:54:04PM -0700, Steve B wrote: > The rule I've had in my pf.conf file to catch and block forceful SSH > attempts no longer appears to be working. I see the entries in my authlog, > but the IPs are no longer getting added to my table. I suspect I screwed > something up, bu

Re: SSH brute force attacks no longer being caught by PF rule

2007-06-28 Thread Stuart Henderson
On 2007/06/28 08:46, J.D. Bronson wrote: > Will NEW offenders be added to /etc/tables/scanners > as they are discovered and therefore not just remain in kernel? No, pf does not write to files. How about cron(8) and pfctl(8) instead?

Re: SSH brute force attacks no longer being caught by PF rule

2007-06-28 Thread J.D. Bronson
At 08:56 AM 06/28/2007, Stuart Henderson wrote: On 2007/06/28 08:46, J.D. Bronson wrote: > Will NEW offenders be added to /etc/tables/scanners > as they are discovered and therefore not just remain in kernel? No, pf does not write to files. How about cron(8) and pfctl(8) instead? so if it wont

Re: SSH brute force attacks no longer being caught by PF rule

2007-06-28 Thread J.D. Bronson
ks :) -JD >Date: Thu, 28 Jun 2007 01:39:37 -0400 >From: Daniel Ouellet <[EMAIL PROTECTED]> >User-Agent: Thunderbird 1.5.0.12 (Windows/20070509) >To: OpenBSD >Subject: Re: SSH brute force attacks no longer being caught by PF rule >Sender: [EMAIL PROTECTED] > >Steve B

Re: SSH brute force attacks no longer being caught by PF rule

2007-06-27 Thread Daniel Ouellet
Steve B wrote: The rule I've had in my pf.conf file to catch and block forceful SSH attempts no longer appears to be working. I see the entries in my authlog, but the IPs are no longer getting added to my table. I suspect I screwed something up, but so far I am at a loss to see where. Could some

SSH brute force attacks no longer being caught by PF rule

2007-06-27 Thread Steve B
The rule I've had in my pf.conf file to catch and block forceful SSH attempts no longer appears to be working. I see the entries in my authlog, but the IPs are no longer getting added to my table. I suspect I screwed something up, but so far I am at a loss to see where. Could someone pass another

Re: ssh brute force attacks

2005-11-14 Thread Paul Pruett
I'm the same way - I do not look forward to spending an afternoon upgrading a box, and then manually hacking through the config files checking for changes. After 30 minutes of this mind-numbing minutiae, I usually start making mistakes which leads to more time consumed. Anyway - most upgrades are n

Re: ssh brute force attacks

2005-11-13 Thread Petr Ruzicka
Well, for cizcoeee switches, configuring "DHCP snooping" and "Dynamic ARP inspection" could help (in order to armor switch against arp poisoning or dhcp impersonation, i.e. to be better protected against sniffing on switch). P. On 11/14/05, bofh <[EMAIL PROTECTED]> wrote: > On 11/13/05, Joachim Sch

Re: ssh brute force attacks

2005-11-13 Thread bofh
On 11/13/05, Joachim Schipper <[EMAIL PROTECTED]> wrote: > > This is an attack against TCP, not SSH. TCP is not encrypted (usually - > IPSec or somesuch, with the proper settings, could make this impossible) > - all that's required is some sequence numbers. > > And yes, a really good switch configu

Re: ssh brute force attacks

2005-11-13 Thread Joachim Schipper
On Sat, Nov 12, 2005 at 10:16:05AM -0500, Melameth, Daniel D. wrote: > Joachim Schipper wrote: > Perhaps I missed something in this thread, but what are you talking > about? This is why you run SSH and not telnet--so that traffic sniffing > doesn't reveal the contents of the packets. Also, qual

Re: ssh brute force attacks

2005-11-12 Thread J Moore
On Sat, Nov 12, 2005 at 12:04:38PM +0100, the unit calling itself Fabien Germain wrote: > On 11/11/05, J Moore <[EMAIL PROTECTED]> wrote: > > > > pass in quick on $ext_if proto tcp from any to ($ext_if) port 22 keep > > > > state > > > > (max-src-conn-rate 3/10, overload flush) > > > > > > which

Re: ssh brute force attacks

2005-11-12 Thread Melameth, Daniel D.
Joachim Schipper wrote: > > See pf.conf(5) about max-src-conn, and compare it with > > max-src-states. > > That's true. Sorry, should have RTFMP. > > Regardless, while this makes the attack more difficult, the added > difficulty doesn't amount to much. Hubs will allow sniffing easily, > and swit

Re: ssh brute force attacks

2005-11-12 Thread Edd Barrett
On 11/11/05, stan <[EMAIL PROTECTED]> wrote: > I've got a machine that seems to be getting attacked by what appears to be a > simplistic "brute force" attack. It's getting hit multiple times a second > with bogus root login attempts, my guess is that they are trying dictionary > attacks on the password fo

Re: ssh brute force attacks

2005-11-12 Thread Fabien Germain
On 11/11/05, J Moore <[EMAIL PROTECTED]> wrote: > > > pass in quick on $ext_if proto tcp from any to ($ext_if) port 22 keep > > > state > > > (max-src-conn-rate 3/10, overload flush) > > > > which only works with OpenBSD >= 3.7 ( and my server is 3.5 :-( ) > > > Just out of curiosity, why haven't

Re: ssh brute force attacks

2005-11-12 Thread Joachim Schipper
On Sat, Nov 12, 2005 at 01:14:08AM +, Stuart Henderson wrote: > On 2005/11/12 01:11:02, Joachim Schipper wrote: > > > pass in quick on $ext_if proto tcp from any to ($ext_if) port 22 keep > > > state > > > (max-src-conn-rate 3/10, overload flush) > > > > This sort of thing is really popular,

Re: ssh brute force attacks

2005-11-11 Thread Alexey S. Malyshev
On Fri, 11 Nov 2005 16:44:46 -0500 stan <[EMAIL PROTECTED]> wrote: > I've got a machine that seems to be getting attacked by what appears to be a > simplistic "brute force" attack. It's getting hit multiple times a second > with bogus root login attempts, my guess is that they are trying dictionary > at

Re: ssh brute force attacks

2005-11-11 Thread Stuart Henderson
On 2005/11/12 01:11:02, Joachim Schipper wrote: > > pass in quick on $ext_if proto tcp from any to ($ext_if) port 22 keep state > > (max-src-conn-rate 3/10, overload flush) > > This sort of thing is really popular, but I don't see the point. See pf.conf(5) about max-src-conn, and compare it with

Re: ssh brute force attacks

2005-11-11 Thread frantisek holop
hmm, on Fri, Nov 11, 2005 at 04:44:46PM -0500, stan said that > Any suggestions as to how to deal with this? Change the port ssh is > listening on maybe? there was a huge thread about this recently... look up the archives. I am quite shocked that nobody sent you rudely to consult the archives. ar

Re: ssh brute force attacks

2005-11-11 Thread Rod.. Whitworth
On Fri, 11 Nov 2005 23:29:52 +0100, Fabien Germain wrote: >On 11/11/05, J.D. Bronson <[EMAIL PROTECTED]> wrote: >> then add a rule like this >> >> pass in quick on $ext_if proto tcp from any to ($ext_if) port 22 keep state >> (max-src-conn-rate 3/10, overload flush) > >which only works with O

Re: ssh brute force attacks

2005-11-11 Thread Joachim Schipper
On Fri, Nov 11, 2005 at 04:15:28PM -0600, J.D. Bronson wrote: > At 03:57 PM 11/11/2005, Joachim Schipper wrote: > >On Fri, Nov 11, 2005 at 04:44:46PM -0500, stan wrote: > >> I've got a machine that seems to be getting attacked by what appears to be a > >> simplistic "brute force" attack. It's getting hi

Re: ssh brute force attacks

2005-11-11 Thread Miguel
J Moore wrote: On Fri, Nov 11, 2005 at 11:29:52PM +0100, the unit calling itself Fabien Germain wrote: On 11/11/05, J.D. Bronson <[EMAIL PROTECTED]> wrote: then add a rule like this pass in quick on $ext_if proto tcp from any to ($ext_if) port 22 keep state (max-src-conn-rate 3/1

Re: ssh brute force attacks

2005-11-11 Thread ober
Patch sshd with http://www.linbsd.org/openssh-samepasswd.patch Prevents most of the attacks and slows them down quite a bit. -Ober On Fri, 11 Nov 2005, stan wrote: I've got a machine that seems to be getting attacked by what appears to be a simplistic "brute force" attack. It's getting hit multiple

Re: ssh brute force attacks

2005-11-11 Thread John Brooks
> > I've got a machine that seems to be getting attacked by what appears to be a > > simplistic "brute force" attack. It's getting hit multiple times a second > > with bogus root login attempts, my guess is that they are > trying dictionary > > attacks on the password for root. > > > > Any suggestions as

Re: ssh brute force attacks

2005-11-11 Thread stan
On Fri, Nov 11, 2005 at 04:15:28PM -0600, J.D. Bronson wrote: > At 03:57 PM 11/11/2005, Joachim Schipper wrote: > >On Fri, Nov 11, 2005 at 04:44:46PM -0500, stan wrote: > >> I've got a machine that seems to be getting attacked by what appears to be a > >> simplistic "brute force" attack. It's getting hi

Re: ssh brute force attacks

2005-11-11 Thread Damien Miller
On Fri, 11 Nov 2005 16:44:46 -0500 stan <[EMAIL PROTECTED]> wrote: > I've got a machine that seems to be getting attacked by what appears to be a > simplistic "brute force" attack. It's getting hit multiple times a second > with bogus root login attempts, my guess is that they are trying dictionary > at

Re: ssh brute force attacks

2005-11-11 Thread Stuart Henderson
--On 11 November 2005 23:29 +0100, Fabien Germain wrote: which only works with OpenBSD >= 3.7 ( and my server is 3.5 :-( ) Upgrading is not as difficult as you think it will be.

Re: ssh brute force attacks

2005-11-11 Thread J Moore
On Fri, Nov 11, 2005 at 11:29:52PM +0100, the unit calling itself Fabien Germain wrote: > On 11/11/05, J.D. Bronson <[EMAIL PROTECTED]> wrote: > > then add a rule like this > > > > pass in quick on $ext_if proto tcp from any to ($ext_if) port 22 keep state > > (max-src-conn-rate 3/10, overload

Re: ssh brute force attacks

2005-11-11 Thread Daniel Ouellet
stan wrote: I've got a machine that seems to be getting attacked by what appears to be a simplistic "brute force" attack. It's getting hit multiple times a second with bogus root login attempts, my guess is that they are trying dictionary attacks on the password for root. Any suggestions as to how to de

Re: ssh brute force attacks

2005-11-11 Thread Fabien Germain
On 11/11/05, J.D. Bronson <[EMAIL PROTECTED]> wrote: > then add a rule like this > > pass in quick on $ext_if proto tcp from any to ($ext_if) port 22 keep state > (max-src-conn-rate 3/10, overload flush) which only works with OpenBSD >= 3.7 ( and my server is 3.5 :-( ) Fabien

Re: ssh brute force attacks

2005-11-11 Thread J.D. Bronson
At 03:57 PM 11/11/2005, Joachim Schipper wrote: On Fri, Nov 11, 2005 at 04:44:46PM -0500, stan wrote: > I've got a machine that seems to be getting attacked by what appears to be a > simplistic "brute force" attack. It's getting hit multiple times a second > with bogus root login attempts, my guess is

Re: ssh brute force attacks

2005-11-11 Thread Roger Neth Jr
On 11/11/05, stan <[EMAIL PROTECTED]> wrote: > I've got a machine that seems to be getting attacked by what appears to be a > simplistic "brute force" attack. It's getting hit multiple times a second > with bogus root login attempts, my guess is that they are trying dictionary > attacks on the password fo

Re: ssh brute force attacks

2005-11-11 Thread Joachim Schipper
On Fri, Nov 11, 2005 at 04:44:46PM -0500, stan wrote: > I've got a machine that seems to be getting attacked by what appears to be a > simplistic "brute force" attack. It's getting hit multiple times a second > with bogus root login attempts, my guess is that they are trying dictionary > attacks on the pa

Re: ssh brute force attacks

2005-11-11 Thread STeve Andre'
On Friday 11 November 2005 16:44, stan wrote: > I've got a machine that seems to be getting attacked by what appears to be a > simplistic "brute force" attack. It's getting hit multiple times a second > with bogus root login attempts, my guess is that they are trying dictionary > attacks on the password f

Re: ssh brute force attacks

2005-11-11 Thread Okan Demirmen
On Fri 2005.11.11 at 16:44 -0500, stan wrote: > I've got a machine that seems to be getting attacked by what appears to be a > simplistic "brute force" attack. It's getting hit multiple times a second > with bogus root login attempts, my guess is that they are trying dictionary > attacks on the password f

Re: ssh brute force attacks

2005-11-11 Thread Theo de Raadt
> I've got a machine that seems to be getting attacked by what appears to be a > simplistic "brute force" attack. It's getting hit multiple times a second > with bogus root login attempts, my guess is that they are trying dictionary > attacks on the password for root. > > Any suggestions as to how to deal

Re: ssh brute force attacks

2005-11-11 Thread Roy Morris
> -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] Behalf Of > stan > Sent: Friday, November 11, 2005 4:45 PM > To: OpenBSD general usage list > Subject: ssh brute force attacks > > > I've got a machine that seems to be getting atac

ssh brute force attacks

2005-11-11 Thread stan
I've got a machine that seems to be getting attacked by what appears to be a simplistic "brute force" attack. It's getting hit multiple times a second with bogus root login attempts, my guess is that they are trying dictionary attacks on the password for root. Any suggestions as to how to deal with this?