From: <li...@la...> - 2017-01-22 10:54:06

From FreeBSD auth.log:
----------------------------------
Jan 22 04:16:13 theranch sshd[48754]: fatal: Unable to negotiate with 198.50.142.115 port 57860: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [pre auth]
---------------------
I suppose this is an odd case for an ssh login attempt, but I figured I'd post it for what it is worth. Sshguard didn't block the IP. Now I suppose you can say if the key exchange method isn't supported, they will never get it, but it seems to me that could leave the system open to some exploit.

I'm still on rev 1.7.

IP is OVH. Oh, I'm shocked. ;-)
From: Daniel A. <co...@da...> - 2017-01-22 21:55:29

On Sun, Jan 22, 2017, at 11:53, li...@la... wrote:
> From FreeBSD auth.log:
> ----------------------------------
> Jan 22 04:16:13 theranch sshd[48754]: fatal: Unable to negotiate with
> 198.50.142.115 port 57860: no matching key exchange method found. Their
> offer: diffie-hellman-group1-sha1 [pre auth]
> ---------------------
> I suppose this is an odd case for an ssh login attempt, but I figured
> I'd post it for what it is worth. Sshguard didn't block the IP. Now I
> suppose you can say if the key exchange method isn't supported, they
> will never get it, but it seems to me that could leave the system open
> to some exploit.

Hm. Wouldn't that potentially block some legitimate clients that are trying to negotiate a connection?

> I'm still on rev 1.7.
>
> IP is OVH. Oh, I'm shocked. ;-)
--
Daniel Aleksandersen
From: <li...@la...> - 2017-01-22 22:55:01

Ha, I am the only legitimate client. ;-) Besides, if I don't support the standard, nothing will get through. I caught some OVH VPS hammering my email server with an outmoded crypto, which was related to poodle and/or heartbleed.
http://disablessl3.com/

SHA1 is out of favor these days. Commercially they won't issue certs with SHA1.
http://arstechnica.com/security/2016/05/microsoft-to-retire-support-for-sha1-certificates-in-the-next-4-months/

One of those Chinese certs was "illegally" (as if certs have any legal standing) issuing SHA1 certs. WoSign I think.

My philosophy is if someone is doing goofy stuff, block them. Today you can repel them, but tomorrow there may be a zero day. In any event, these clowns can flood a service.

I've been reluctant to use the ipfw table 22 the sshguard generates for anything other than port 22, but I think I will add Web and email rules. Just not port 25 because that would probably block some legitimate email.

I have a number of blocks on email other than port 25, and some days block 30 or so IP addresses trying to hack the ports. I traced one supposed hacker to a (cough cough) research team claiming to be doing a survey on email ports. They provided CIDRs, so I guess they were really doing research. On the other hand, the University of Michigan attempts to mess with my imap on a daily basis, and attempts to contact them via email go nowhere. Obviously they get firewall blocked now except on 25.

Original Message
From: Daniel Aleksandersen
Sent: Sunday, January 22, 2017 1:55 PM
To: ssh...@li...
Subject: Re: [SSHGuard-users] Auth error ignored by sshguard

On Sun, Jan 22, 2017, at 11:53, li...@la... wrote:
> From FreeBSD auth.log:
> ----------------------------------
> Jan 22 04:16:13 theranch sshd[48754]: fatal: Unable to negotiate with
> 198.50.142.115 port 57860: no matching key exchange method found. Their
> offer: diffie-hellman-group1-sha1 [pre auth]
> ---------------------
> I suppose this is an odd case for an ssh login attempt, but I figured
> I'd post it for what it is worth. Sshguard didn't block the IP. Now I
> suppose you can say if the key exchange method isn't supported, they
> will never get it, but it seems to me that could leave the system open
> to some exploit.

Hm. Wouldn't that potentially block some legitimate clients that are trying to negotiate a connection?

> I'm still on rev 1.7.
>
> IP is OVH. Oh, I'm shocked. ;-)
--
Daniel Aleksandersen

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
sshguard-users mailing list
ssh...@li...
https://lists.sourceforge.net/lists/listinfo/sshguard-users
From: Reshey <re...@gm...> - 2017-01-24 16:05:34

New to this mailing list thing. Sorry if I sent it two times.

--Thank you for your reply

I got sshguard working in OpenBSD 6.0.
It seems the problem was, I had enforced key based login for ssh.

Question: Is it possible for sshguard to ban a bruteforcer while having password login disabled?
sshguard bans a user who fails password login, but does nothing to bruteforcers who are trying while password login is disabled.
Attached log:

# I hammer server from putty, with no key file. sshd is set to ONLY accept key based login. sshguard does not ban this "attacker".

Jan 24 16:03:12 wall sshd[99571]: Received disconnect from 176.11.88.222 port 49902:11: Normal Shutdown, Thank you for playing [preauth]
Jan 24 16:03:12 wall sshd[99571]: Disconnected from 176.11.88.222 port 49902 [preauth]
Jan 24 16:03:16 wall sshd[25553]: Received disconnect from 176.11.88.222 port 49903:11: Normal Shutdown, Thank you for playing [preauth]
Jan 24 16:03:16 wall sshd[25553]: Disconnected from 176.11.88.222 port 49903 [preauth]
Jan 24 16:03:21 wall sshd[78292]: Received disconnect from 176.11.88.222 port 49904:11: Normal Shutdown, Thank you for playing [preauth]
Jan 24 16:03:21 wall sshd[78292]: Disconnected from 176.11.88.222 port 49904 [preauth]
Jan 24 16:03:25 wall sshd[61028]: Received disconnect from 176.11.88.222 port 49905:11: Normal Shutdown, Thank you for playing [preauth]
Jan 24 16:03:25 wall sshd[61028]: Disconnected from 176.11.88.222 port 49905 [preauth]
Jan 24 16:03:28 wall sshd[47277]: Received disconnect from 176.11.88.222 port 49907:11: Normal Shutdown, Thank you for playing [preauth]
Jan 24 16:03:28 wall sshd[47277]: Disconnected from 176.11.88.222 port 49907 [preauth]
Jan 24 16:03:31 wall sshd[3940]: Received disconnect from 176.11.88.222 port 49908:11: Normal Shutdown, Thank you for playing [preauth]
Jan 24 16:03:31 wall sshd[3940]: Disconnected from 176.11.88.222 port 49908 [preauth]
Jan 24 16:03:34 wall sshd[94581]: Received disconnect from 176.11.88.222 port 49909:11: Normal Shutdown, Thank you for playing [preauth]
Jan 24 16:03:34 wall sshd[94581]: Disconnected from 176.11.88.222 port 49909 [preauth]
Jan 24 16:03:35 wall sshd[61363]: Connection closed by 123.183.209.132 port 64750 [preauth]
Jan 24 16:03:40 wall sshd[31923]: Received disconnect from 176.11.88.222 port 49910:11: Normal Shutdown, Thank you for playing [preauth]
Jan 24 16:03:40 wall sshd[31923]: Disconnected from 176.11.88.222 port 49910 [preauth]
Jan 24 16:03:46 wall sshd[13880]: Received disconnect from 176.11.88.222 port 49911:11: Normal Shutdown, Thank you for playing [preauth]
Jan 24 16:03:46 wall sshd[13880]: Disconnected from 176.11.88.222 port 49911 [preauth]
Jan 24 16:04:50 wall sshd[80716]: Received disconnect from 123.183.209.132 port 53406:11: [preauth]
Jan 24 16:04:50 wall sshd[80716]: Disconnected from 123.183.209.132 port 53406 [preauth]

# I then changed sshd to accept password login, and restarted sshd.
Jan 24 16:05:22 wall sshd[75937]: Received signal 15; terminating.
Jan 24 16:05:22 wall sshd[73886]: Server listening on 0.0.0.0 port 22.
Jan 24 16:05:22 wall sshd[73886]: Server listening on :: port 22.

# I continue to hammer from putty, at the server. Now sshguard bans "attacker"

Jan 24 16:06:06 wall sshd[75413]: Failed password for xxx from 176.11.88.222 port 49945 ssh2
Jan 24 16:06:06 wall sshd[75413]: Received disconnect from 176.11.88.222 port 49945:11: Normal Shutdown, Thank you for playing [preauth]
Jan 24 16:06:06 wall sshd[75413]: Disconnected from 176.11.88.222 port 49945 [preauth]
Jan 24 16:06:06 wall sshd[18262]: Failed password for root from 123.183.209.132 port 61962 ssh2
Jan 24 16:06:07 wall sshd[18262]: Failed password for root from 123.183.209.132 port 61962 ssh2
Jan 24 16:06:09 wall sshd[35947]: Failed password for xxx from 176.11.88.222 port 49946 ssh2
Jan 24 16:06:09 wall sshd[35947]: Received disconnect from 176.11.88.222 port 49946:11: Normal Shutdown, Thank you for playing [preauth]
Jan 24 16:06:09 wall sshd[35947]: Disconnected from 176.11.88.222 port 49946 [preauth]
Jan 24 16:06:12 wall sshd[18262]: Received disconnect from 123.183.209.132 port 61962:11: [preauth]
Jan 24 16:06:12 wall sshd[18262]: Disconnected from 123.183.209.132 port 61962 [preauth]
Jan 24 16:06:12 wall sshd[29005]: Failed password for xxx from 176.11.88.222 port 49947 ssh2
Jan 24 16:06:12 wall sshd[29005]: Received disconnect from 176.11.88.222 port 49947:11: Normal Shutdown, Thank you for playing [preauth]
Jan 24 16:06:12 wall sshd[29005]: Disconnected from 176.11.88.222 port 49947 [preauth]
Jan 24 16:06:15 wall sshd[22704]: Failed password for xxx from 176.11.88.222 port 49948 ssh2
Jan 24 16:06:15 wall sshd[22704]: Received disconnect from 176.11.88.222 port 49948:11: Normal Shutdown, Thank you for playing [preauth]
Jan 24 16:06:15 wall sshd[22704]: Disconnected from 176.11.88.222 port 49948 [preauth]
Jan 24 16:06:15 wall sshguard[42310]: Blocking 176.11.88.222:4 for >630secs: 40 danger in 4 attacks over 9 seconds (all: 40d in 1 abuses over 9s)

On Sun, Jan 22, 2017 at 11:54 PM, <li...@la...> wrote:
> Ha, I am the only legitimate client. ;-) Besides, if I don't support the
> standard, nothing will get through. I caught some OVH VPS hammering my
> email server with an outmoded crypto, which was related to poodle and/or
> heartbleed.
> http://disablessl3.com/
>
> SHA1 is out of favor these days. Commercially they won't issue certs with
> SHA1.
> http://arstechnica.com/security/2016/05/microsoft-to-retire-support-for-sha1-certificates-in-the-next-4-months/
>
> One of those Chinese certs was "illegally" (as if certs have any legal
> standing) issuing SHA1 certs. WoSign I think.
>
> My philosophy is if someone is doing goofy stuff, block them. Today you
> can repel them, but tomorrow there may be a zero day. In any event, these
> clowns can flood a service.
>
> I've been reluctant to use the ipfw table 22 the sshguard generates for
> anything other than port 22, but I think I will add Web and email rules.
> Just not port 25 because that would probably block some legitimate email.
>
> I have a number of blocks on email other than port 25, and some days
> block 30 or so IP addresses trying to hack the ports. I traced one supposed
> hacker to a (cough cough) research team claiming to be doing a survey on
> email ports. They provided CIDRs, so I guess they were really doing
> research. On the other hand, the University of Michigan attempts to mess
> with my imap on a daily basis, and attempts to contact them via email go
> nowhere. Obviously they get firewall blocked now except on 25.
>
>
> Original Message
> From: Daniel Aleksandersen
> Sent: Sunday, January 22, 2017 1:55 PM
> To: ssh...@li...
> Subject: Re: [SSHGuard-users] Auth error ignored by sshguard
>
> On Sun, Jan 22, 2017, at 11:53, li...@la... wrote:
> > From FreeBSD auth.log:
> > ----------------------------------
> > Jan 22 04:16:13 theranch sshd[48754]: fatal: Unable to negotiate with
> > 198.50.142.115 port 57860: no matching key exchange method found. Their
> > offer: diffie-hellman-group1-sha1 [pre auth]
> > ---------------------
> > I suppose this is an odd case for an ssh login attempt, but I figured
> > I'd post it for what it is worth. Sshguard didn't block the IP. Now I
> > suppose you can say if the key exchange method isn't supported, they
> > will never get it, but it seems to me that could leave the system open
> > to some exploit.
>
> Hm. Wouldn't that potentially block some legitimate clients that are
> trying to negotiate a connection?
>
> > I'm still on rev 1.7.
> >
> > IP is OVH. Oh, I'm shocked. ;-)
> --
> Daniel Aleksandersen
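The two cases raised in this thread (a key-exchange failure in the first message, and pre-auth disconnects against a key-only sshd in Reshey's log) both happen before any "Failed password" line can appear. The following is an added example, not sshguard's code: a small detector that counts those pre-auth events per source IP with an assumed sshguard-like danger score, run over a constructed subset of the thread's own log lines.

```python
import re
from collections import defaultdict
from datetime import datetime

# Scoring policy. The shape mirrors the sshguard line in the thread
# ("40 danger in 4 attacks over 9 seconds"), but these numbers are
# assumptions for this example, not sshguard's own defaults.
DANGER_PER_ATTACK = 10
BLOCK_THRESHOLD = 30     # block once accumulated danger exceeds this
WINDOW_SECS = 120        # attacks older than this no longer count

# sshd events to count. Unlike what the thread observed, this set treats a
# pre-auth disconnect and a failed key-exchange negotiation as attacks too.
PATTERNS = [
    # Client hung up before authenticating (key-only server, client without a key).
    re.compile(r"sshd\[\d+\]: Received disconnect from (?P<ip>[\d.]+) port \d+:\d+: .*\[preauth\]$"),
    # Key exchange failed because the client offered only obsolete algorithms.
    re.compile(r"sshd\[\d+\]: fatal: Unable to negotiate with (?P<ip>[\d.]+) port \d+: no matching key exchange method found"),
    # Ordinary password failure, which sshguard already counts.
    re.compile(r"sshd\[\d+\]: Failed password for \S+ from (?P<ip>[\d.]+) port \d+ ssh2"),
]


def classify(line):
    """Return the offending IP if the line is a countable event, else None."""
    for pat in PATTERNS:
        m = pat.search(line)
        if m:
            return m.group("ip")
    return None


def parse_ts(line):
    """Parse the syslog prefix ('Jan 24 16:03:12'); the year is irrelevant for deltas."""
    return datetime.strptime(line[:15], "%b %d %H:%M:%S")


def scan(lines):
    """Replay log lines; return one (ip, danger, attacks, seconds) tuple per block decision.

    Caveat (Daniel's point in the thread): every pre-auth disconnect counts, so a
    legitimate user who repeatedly cancels a connection would also be blocked.
    Keep an allow-list of your own addresses in front of a rule like this.
    """
    recent = defaultdict(list)   # ip -> timestamps of attacks inside the window
    blocked = set()
    decisions = []
    for line in lines:
        ip = classify(line)
        if ip is None or ip in blocked:
            continue
        ts = parse_ts(line)
        recent[ip] = [t for t in recent[ip] if (ts - t).total_seconds() <= WINDOW_SECS]
        recent[ip].append(ts)
        danger = len(recent[ip]) * DANGER_PER_ATTACK
        if danger > BLOCK_THRESHOLD:
            blocked.add(ip)
            span = int((ts - recent[ip][0]).total_seconds())
            decisions.append((ip, danger, len(recent[ip]), span))
    return decisions


# Constructed sample: the key-only phase of the log posted in the thread plus
# the kex failure from the first message, none of which reach a password prompt.
SAMPLE_LOG = [
    "Jan 22 04:16:13 theranch sshd[48754]: fatal: Unable to negotiate with 198.50.142.115 port 57860: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]",
    "Jan 24 16:03:12 wall sshd[99571]: Received disconnect from 176.11.88.222 port 49902:11: Normal Shutdown, Thank you for playing [preauth]",
    "Jan 24 16:03:12 wall sshd[99571]: Disconnected from 176.11.88.222 port 49902 [preauth]",
    "Jan 24 16:03:16 wall sshd[25553]: Received disconnect from 176.11.88.222 port 49903:11: Normal Shutdown, Thank you for playing [preauth]",
    "Jan 24 16:03:21 wall sshd[78292]: Received disconnect from 176.11.88.222 port 49904:11: Normal Shutdown, Thank you for playing [preauth]",
    "Jan 24 16:03:25 wall sshd[61028]: Received disconnect from 176.11.88.222 port 49905:11: Normal Shutdown, Thank you for playing [preauth]",
    "Jan 24 16:03:35 wall sshd[61363]: Connection closed by 123.183.209.132 port 64750 [preauth]",
    "Jan 24 16:04:50 wall sshd[80716]: Received disconnect from 123.183.209.132 port 53406:11: [preauth]",
]

if __name__ == "__main__":
    for ip, danger, attacks, secs in scan(SAMPLE_LOG):
        print(f"Blocking {ip}: {danger} danger in {attacks} attacks over {secs} seconds")
```

With this policy 176.11.88.222 is blocked on its fourth pre-auth disconnect, while the single kex failure and the single disconnect from the other two addresses stay below the threshold.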
From: <li...@la...> - 2017-01-24 19:31:10

I see your point, but in reality, you will only be hit three times in a brute force attack. You won't get flooded. If they snowshoe, I suppose that is a different story.

My VPS only allows a key based login on ssh, but their distribution of FreeBSD leaves the password login open. Not being familiar with FreeBSD or keygen type login, I didn't know to disable the password auth. But I figure that the list of IPs collected by sshguard is useful info in that it can be used to block other services.

I can tell you that a full scan from zenmap will earn you a block from sshguard, so the IP gathering isn't exactly useless if you want to block probers. I ran zenmap as a pen test and blocked my own access. I had to tether through my phone to get back in and delete my IP from the table.

From: Reshey
Sent: Tuesday, January 24, 2017 8:05 AM
To: ssh...@li...
Subject: [SSHGuard-users] Fwd: Auth error ignored by sshguard

> New to this mailing list thing. Sorry if I sent it two times.
>
> --Thank you for your reply
>
> I got sshguard working in OpenBSD 6.0.
> It seems the problem was, I had enforced key based login for ssh.
>
> Question: Is it possible for sshguard to ban a bruteforcer while having password login disabled?
> sshguard bans a user who fails password login, but does nothing to bruteforcers who are trying while password login is disabled.
> Attached log:
>
> # I hammer server from putty, with no key file. sshd is set to ONLY accept key based login. sshguard does not ban this "attacker".
>
> Jan 24 16:03:12 wall sshd[99571]: Received disconnect from 176.11.88.222 port 49902:11: Normal Shutdown, Thank you for playing [preauth]
> Jan 24 16:03:12 wall sshd[99571]: Disconnected from 176.11.88.222 port 49902 [preauth]
> Jan 24 16:03:16 wall sshd[25553]: Received disconnect from 176.11.88.222 port 49903:11: Normal Shutdown, Thank you for playing [preauth]
> Jan 24 16:03:16 wall sshd[25553]: Disconnected from 176.11.88.222 port 49903 [preauth]
> Jan 24 16:03:21 wall sshd[78292]: Received disconnect from 176.11.88.222 port 49904:11: Normal Shutdown, Thank you for playing [preauth]
> Jan 24 16:03:21 wall sshd[78292]: Disconnected from 176.11.88.222 port 49904 [preauth]
> Jan 24 16:03:25 wall sshd[61028]: Received disconnect from 176.11.88.222 port 49905:11: Normal Shutdown, Thank you for playing [preauth]
> Jan 24 16:03:25 wall sshd[61028]: Disconnected from 176.11.88.222 port 49905 [preauth]
> Jan 24 16:03:28 wall sshd[47277]: Received disconnect from 176.11.88.222 port 49907:11: Normal Shutdown, Thank you for playing [preauth]
> Jan 24 16:03:28 wall sshd[47277]: Disconnected from 176.11.88.222 port 49907 [preauth]
> Jan 24 16:03:31 wall sshd[3940]: Received disconnect from 176.11.88.222 port 49908:11: Normal Shutdown, Thank you for playing [preauth]
> Jan 24 16:03:31 wall sshd[3940]: Disconnected from 176.11.88.222 port 49908 [preauth]
> Jan 24 16:03:34 wall sshd[94581]: Received disconnect from 176.11.88.222 port 49909:11: Normal Shutdown, Thank you for playing [preauth]
> Jan 24 16:03:34 wall sshd[94581]: Disconnected from 176.11.88.222 port 49909 [preauth]
> Jan 24 16:03:35 wall sshd[61363]: Connection closed by 123.183.209.132 port 64750 [preauth]
> Jan 24 16:03:40 wall sshd[31923]: Received disconnect from 176.11.88.222 port 49910:11: Normal Shutdown, Thank you for playing [preauth]
> Jan 24 16:03:40 wall sshd[31923]: Disconnected from 176.11.88.222 port 49910 [preauth]
> Jan 24 16:03:46 wall sshd[13880]: Received disconnect from 176.11.88.222 port 49911:11: Normal Shutdown, Thank you for playing [preauth]
> Jan 24 16:03:46 wall sshd[13880]: Disconnected from 176.11.88.222 port 49911 [preauth]
> Jan 24 16:04:50 wall sshd[80716]: Received disconnect from 123.183.209.132 port 53406:11: [preauth]
> Jan 24 16:04:50 wall sshd[80716]: Disconnected from 123.183.209.132 port 53406 [preauth]
>
> # I then changed sshd to accept password login, and restarted sshd.
> Jan 24 16:05:22 wall sshd[75937]: Received signal 15; terminating.
> Jan 24 16:05:22 wall sshd[73886]: Server listening on 0.0.0.0 port 22.
> Jan 24 16:05:22 wall sshd[73886]: Server listening on :: port 22.
>
> # I continue to hammer from putty, at the server. Now sshguard bans "attacker"
>
> Jan 24 16:06:06 wall sshd[75413]: Failed password for xxx from 176.11.88.222 port 49945 ssh2
> Jan 24 16:06:06 wall sshd[75413]: Received disconnect from 176.11.88.222 port 49945:11: Normal Shutdown, Thank you for playing [preauth]
> Jan 24 16:06:06 wall sshd[75413]: Disconnected from 176.11.88.222 port 49945 [preauth]
> Jan 24 16:06:06 wall sshd[18262]: Failed password for root from 123.183.209.132 port 61962 ssh2
> Jan 24 16:06:07 wall sshd[18262]: Failed password for root from 123.183.209.132 port 61962 ssh2
> Jan 24 16:06:09 wall sshd[35947]: Failed password for xxx from 176.11.88.222 port 49946 ssh2
> Jan 24 16:06:09 wall sshd[35947]: Received disconnect from 176.11.88.222 port 49946:11: Normal Shutdown, Thank you for playing [preauth]
> Jan 24 16:06:09 wall sshd[35947]: Disconnected from 176.11.88.222 port 49946 [preauth]
> Jan 24 16:06:12 wall sshd[18262]: Received disconnect from 123.183.209.132 port 61962:11: [preauth]
> Jan 24 16:06:12 wall sshd[18262]: Disconnected from 123.183.209.132 port 61962 [preauth]
> Jan 24 16:06:12 wall sshd[29005]: Failed password for xxx from 176.11.88.222 port 49947 ssh2
> Jan 24 16:06:12 wall sshd[29005]: Received disconnect from 176.11.88.222 port 49947:11: Normal Shutdown, Thank you for playing [preauth]
> Jan 24 16:06:12 wall sshd[29005]: Disconnected from 176.11.88.222 port 49947 [preauth]
> Jan 24 16:06:15 wall sshd[22704]: Failed password for xxx from 176.11.88.222 port 49948 ssh2
> Jan 24 16:06:15 wall sshd[22704]: Received disconnect from 176.11.88.222 port 49948:11: Normal Shutdown, Thank you for playing [preauth]
> Jan 24 16:06:15 wall sshd[22704]: Disconnected from 176.11.88.222 port 49948 [preauth]
> Jan 24 16:06:15 wall sshguard[42310]: Blocking 176.11.88.222:4 for >630secs: 40 danger in 4 attacks over 9 seconds (all: 40d in 1 abuses over 9s)