I'm in the middle of installing KDE on a FreeBSD machine. I was trying to figure out why one of the required files isn't on the server, and a bunch of messages popped up telling me that sshd had dutifully rejected some failed login attempts. There were multiple invalid attempts from user-IDs that one might commonly have (admin, oracle, etc.), all from the same IP. I'd rather just find my file now. It's good to know my passwords are reasonably secure... but maybe time to shut down any unnecessary services first. Since Windows doesn't do an "in your face" alert into a console like this, I kind of wonder how often this has been happening all along. Are these Bozos why I get lag in games? I'll come back to this later. The IP? It's in Beijing and has a listed abuse contact.
I'm sure I'm not the only one to get this kind of thing. What do the rest of you do? Is there any value in contacting the listed abuse contact, or is that just another way for them to realize they have a "live one"?
(Score: 1, Interesting) by Anonymous Coward on Friday February 11 2022, @05:35PM (4 children)
Once the server is set up, set sshd to certificates only and listening on a wireguard interface. These bot-attacks are just annoying log-spam.
(Score: 2) by istartedi on Friday February 11 2022, @06:04PM (3 children)
Fortunately, I don't even need to remotely login to this machine.
I've shut down sshd and sendmail in rc.conf. It's literally been 14 years since I've used vi. Once I got the incantations off the BSD forums, I can't believe I actually remembered how to edit the files, LOL.
I know there are desktop oriented flavors of BSD out there, but I wanted to go with the one that has the largest user base. I wonder if those desktop oriented versions enable those services by default. I would think "no", unless the inertia of customs carries it forward.
(Score: 1, Informative) by Anonymous Coward on Friday February 11 2022, @06:11PM
GhostBSD is a FreeBSD distribution that provides a desktop-oriented setup out of the box. A lot of people seem to like it.
(Score: 2) by drussell on Friday February 11 2022, @07:27PM
ee (easy editor) is also in the base system to do simple text editing tasks. Much nicer than ed when you've forgotten how to drive vi proficiently. YMMV.
Personally I'm still used to using pico (nano, whatever) as my go-to editor.
(Score: 2) by RS3 on Friday February 11 2022, @10:11PM
I can (and do, ugh) use vi if I have to, but ugh. Very long ago I stumbled onto the full-screen text editor "joe" ("joe's own editor").
https://joe-editor.sourceforge.io
For me, it's just awesome, and it's one of the first things I install on any *nix I build / admin.
I remote admin many machines, and for sure, disable root login for sshd.
In routers, if possible, I block wide ranges of source IP addresses to include many known problematic places. That won't stop a botnet attack, but it helps. Also I use IP blockers that watch for x number of guesses and block the IP.
I haven't done this, but some people change the IP port for things like sshd access.
(Score: 2) by drussell on Friday February 11 2022, @05:39PM (11 children)
Very common automated attacks, just looking for all those poorly secured to downright defective routers, internet of things devices (internet of security holes?) and other OSes built like Swiss cheese...
My servers often see dozens to hundreds (to thousands or more) of such attempts per day.
Unless the same IP range is spamblasting you with packets to the point that it's affecting your connectivity, it's probably not worth even trying to alert any upstream admins as they're unlikely to do anything about their customers' actions as long as they're continuing to pay their connectivity bills. YMMV.
(Score: 2) by istartedi on Friday February 11 2022, @06:13PM (7 children)
Yeah, I tend to agree. I decided to disable sshd and sendmail (see my reply to the AC) and since I was getting re-acquainted with BSD I also took a look at my logfile and saw that this has been happening almost as soon as I put the box online. I think the only reason I didn't notice earlier is that the notifications were interleaved with all the install/compiler output.
(Score: 2) by drussell on Friday February 11 2022, @07:34PM (6 children)
I normally do most of my actual login-ned "work" stuff on ttyv1 or higher, leaving ttyv0 basically just for the console log, never even actually logging in. This makes it easy to pop back over using ALT-F1 to see console output instead of tailing /var/log/messages or whatever.
(Score: 2) by drussell on Friday February 11 2022, @07:37PM (5 children)
🤦
(Score: 2) by drussell on Friday February 11 2022, @07:39PM (4 children)
(Score: 2) by drussell on Friday February 11 2022, @07:41PM (2 children)
You can't say & # 6 0 even in a "code" block?
Geez, am I new here or something?!
(Score: 2) by istartedi on Friday February 11 2022, @07:48PM (1 child)
I'm not sure what you wanted, but I saw some kind of emoji that looks like crap on my (Windows) machine. It looks like a gold coin with an orange strong-arm in front of it, whatever that means. Maybe it'll look better once KDE is done compiling. :)
(Score: 2) by drussell on Friday February 11 2022, @07:56PM
That's a :facepalm: emoji, but that wasn't what I was facepalming about...
It was the lack of a "bold off" code I was facepalming about...
(Score: 3, Informative) by deimtee on Friday February 11 2022, @07:59PM
If you put < or > then it converts to < or > on preview and fails on submit.
You need to put &lt; or &gt; - the semi-colon stops it converting.
No problem is insoluble, but at Ksp = 2.943×10−25 Mercury Sulphide comes close.
(Score: 0) by Anonymous Coward on Friday February 11 2022, @06:33PM (1 child)
Yes, this is correct. They're just worms and, provided you keep your systems updated, you shouldn't have to worry about them. Short of disconnecting from the internet altogether or somehow getting your ISP to filter such spam traffic, it's just something you have to deal with. I've seen worms like this for over a decade and, unfortunately, seen poorly-secured servers at a university get compromised by such a worm. Nobody paid attention and the infected system was attacking other systems until network admins disconnected the port and forced the machine offline until it was secured again.
(Score: 0) by Anonymous Coward on Friday February 11 2022, @07:07PM
My experience back in my sysadmin days was that universities usually responded to valid abuse claims. For Chinese IPs, the solution was always to drop all packets from the entire netblock. Software like fail2ban and later sshguard made that unnecessary.
(Score: 0) by Anonymous Coward on Friday February 11 2022, @10:38PM
My advice for home users is to never contact abuse contacts unless you are absolutely sure they are reputable, and never give them your exact address. If they press you for that, which reputable places will not, just give them your delegation. For example, if SN was getting blasted by bots, they should not tell them that "my machine at 23.239.29.31 is getting 20 attempts per second from 256.73.29.4." Instead, tell them your address at 23.239.0.0/19 (or "at Linode") is getting hit. However, many of the major abuse departments won't bug you for an address because either they can easily determine that the source address is spewing crap or your address isn't going to help much. In addition, if you are dealing with a place that isn't reputable or just forwards your complaint on to the customer (DADT), then you've confirmed your address is live and may not have someone with a lot of experience behind it. The final thing to note is that real abuse often gets caught after a while, won't go away even with complaints, or the attacker changes addresses anyway.
(Score: 4, Interesting) by https on Friday February 11 2022, @07:07PM (2 children)
If you *must* have sshd running, switch to a different port. It saves a shitload of time digging through log files "just in case." Things logged on an alternate port are actually worth concerning yourself with. Treat your time as valuable!
When I was a junior sysadmin, it was a shock to see denyhosts (yeah, I know, fail2ban) regularly taking up 5% of CPU power and adding hundreds of IPs per hour. The senior eventually got the OK to change the port. Then, nothing forever after and denyhosts lived in swap. Or not, I dunno, but it sure stopped living on page one of top.
Offended and laughing about it.
(Score: 1) by istartedi on Friday February 11 2022, @07:46PM (1 child)
Fortunately I don't need it and disabled it. The port trick is nice though. I'll consider that if I ever decide I want access. Living proof that security through obscurity can work; but I think the point was always that it can't be your *only* method of security.
(Score: 2) by Freeman on Monday February 14 2022, @02:47PM
Security through obscurity just hopefully keeps you from being an obvious target. You just can't assume that, though. Thus, you need actual security to back it up.
Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
(Score: 0) by Anonymous Coward on Sunday February 13 2022, @03:23AM
Your public ssh port should be different[1] from your internal ssh port, which you might keep at 22 for your own convenience. This reduces your exposure to "zeroday" exploits (not 100%, but it means they need to have found your ssh port first).
If possible add firewall rules to limit ssh access to IP ranges that you and your users will use (e.g. popular ISPs etc).
Next install something like sshguard to block IPs/IP ranges that are trying to brute force your SSH server despite it being on a nonstandard port and despite the restrictions.
[1] Which is why I have contempt for those who dream of and push an IPv6 world where "everyone" knows your public IPv6 and have "unhindered communications" with just "properly configured firewalls" to keep stuff out. Those are the idiots who never learned IT Security. Defense in depth, learn it. Someone on the internet can't talk to my machine easily even if one day there's a stupid "bug" that disables the firewall while stuff is starting up? Well that's the fucking idea! There's at least one "firewall" out there which clears the firewall rules just because it thinks the gateway is down. Go figure. Gateways can appear to be down even if they aren't (e.g. they stop responding to pings for some reason while still forwarding traffic).
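The "watch for x guesses and block the IP" logic that RS3 describes above, combined with the allowlisted source ranges and sshguard-style blocking this post recommends, as an added example in Python (not code from the thread, nor from sshguard or fail2ban). The auth.log lines, host name and IPs are constructed, the year is assumed because syslog timestamps carry none, and the returned addresses are what you would hand to a pf table (e.g. `pfctl -t bruteforce -T add <ip>`):

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in FreeBSD /var/log/auth.log style. syslog
# timestamps carry no year, so one is assumed when parsing.
SAMPLE_LOG = """\
Feb 11 17:35:03 bsdbox sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Feb 11 17:35:04 bsdbox sshd[1205]: Failed password for invalid user oracle from 203.0.113.5 port 51236 ssh2
Feb 11 17:35:20 bsdbox sshd[1207]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Feb 11 17:35:25 bsdbox sshd[1208]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Feb 11 17:35:30 bsdbox sshd[1209]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Feb 11 17:36:00 bsdbox sshd[1211]: Failed password for root from 203.0.113.5 port 51240 ssh2
Feb 11 19:00:00 bsdbox sshd[1300]: Failed password for invalid user guest from 203.0.113.9 port 33000 ssh2
Feb 11 19:30:00 bsdbox sshd[1301]: Failed password for invalid user guest from 203.0.113.9 port 33001 ssh2
Feb 11 19:40:00 bsdbox sshd[1302]: Failed password for invalid user guest from 203.0.113.9 port 33002 ssh2
"""

# Only "Failed password" lines are counted, so one attempt is one failure.
FAIL_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+")

def parse_failures(text, year=2022):
    """Yield (timestamp, source_ip) for each failed-password line."""
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            yield datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"), m.group(2)

def decide_blocks(text, threshold=3, window_s=600, allow=()):
    """Return source IPs, in the order they tripped the rule, that logged
    `threshold` failures inside a `window_s`-second sliding window.
    Sources inside an allowlisted network (the ranges you and your users
    connect from) are never blocked, so a fat-fingered password at home
    does not lock you out."""
    allowed = [ipaddress.ip_network(n) for n in allow]
    recent = defaultdict(deque)
    blocked = []
    for ts, ip in parse_failures(text):
        if any(ipaddress.ip_address(ip) in n for n in allowed):
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= threshold and ip not in blocked:
            blocked.append(ip)
    return blocked

if __name__ == "__main__":
    print(decide_blocks(SAMPLE_LOG, allow=("198.51.100.0/24",)))
```

The slow guesser at 203.0.113.9 never reaches three failures inside one window and is left alone, which is the trade-off sshguard and fail2ban tune with their own threshold and window settings.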