From owner-freebsd-security@FreeBSD.ORG Sun Sep 19 09:33:46 2004
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 34F2016A4CE for ; Sun, 19 Sep 2004 09:33:46 +0000 (GMT)
Received: from mail01.powweb.com (mail01.powweb.com [66.152.97.34]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1CE8343D53 for ; Sun, 19 Sep 2004 09:33:46 +0000 (GMT) (envelope-from mikhailg@webanoide.org)
Received: from [127.0.0.1] (ppp110-78.lns1.hba1.internode.on.net [150.101.110.78]) by mail01.powweb.com (Postfix) with ESMTP id 4CCF34148C; Sun, 19 Sep 2004 02:33:45 -0700 (PDT)
Message-ID: <414D5241.9020901@webanoide.org>
Date: Sun, 19 Sep 2004 19:32:49 +1000
From: Mikhail Goriachev
User-Agent: Mozilla Thunderbird 0.7.3 (Windows/20040803)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Antony Mawer
References: <20040918142955.61586.qmail@web51007.mail.yahoo.com> <414CE5E8.6000103@mawer.org>
In-Reply-To: <414CE5E8.6000103@mawer.org>
X-Enigmail-Version: 0.85.0.0
X-Enigmail-Supports: pgp-inline, pgp-mime
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
cc: freebsd-security@freebsd.org
Subject: Re: Attacks on ssh port
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
X-List-Received-Date: Sun, 19 Sep 2004 09:33:46 -0000

Antony Mawer wrote:
> Chris Ryan wrote:
>
>> protection - with the appropriate active firewall that
>> blocks their IP address after x failed attempts
>> permanently....
>
> Has anyone found any good scripts or utilities for automating this kind
> of thing? I too have been subject to these probings, and my initial
> thought was to firewall off any address after any number of incorrect
> attempts.
>
> While I could write a script to parse the ipfilter logs, I didn't want
> to go re-inventing the wheel for something which I was sure someone
> would have already attempted.
>
> Anyone have any suggestions?
>
> Cheers
> Antony

Is it actually a good idea to block those IPs? I get lots of attacks too on a daily basis on my machines for: root, man, smmsp, nobody, bin, daemon, tty, uucp, mailnull, you-name-it etc.

For several weeks I sent e-mails to abuse@{$attack-coming-from-x-network}.{$domain} and 0.01% of them replied. However, the attacks never come from the same networks nor IPs.

My 2 cents.

Cheers,
Mikhail
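The log-parse-and-block step Antony asks about, as an added example that is not code from this thread or from any FreeBSD tool. It counts OpenSSH "Failed password" lines per source address, applies a threshold and an operator whitelist, and emits pfctl commands for a pf table; the log lines are constructed for the example, and the table name sshbrute, the threshold and the whitelist are assumptions, not anything the thread specifies.

```python
import re
from collections import Counter

# Constructed sample of sshd lines in the /var/log/auth.log format
# (OpenSSH "Failed password" and "Accepted" messages). Not real log data.
SAMPLE_AUTH_LOG = """\
Sep 19 03:12:01 host sshd[4121]: Failed password for root from 192.0.2.10 port 40212 ssh2
Sep 19 03:12:03 host sshd[4123]: Failed password for invalid user man from 192.0.2.10 port 40215 ssh2
Sep 19 03:12:05 host sshd[4125]: Failed password for invalid user smmsp from 192.0.2.10 port 40219 ssh2
Sep 19 03:12:08 host sshd[4127]: Failed password for invalid user nobody from 192.0.2.10 port 40222 ssh2
Sep 19 03:14:44 host sshd[4140]: Failed password for invalid user uucp from 198.51.100.7 port 51002 ssh2
Sep 19 03:15:10 host sshd[4142]: Accepted publickey for antony from 203.0.113.5 port 33001 ssh2
Sep 19 03:16:00 host sshd[4150]: Failed password for antony from 203.0.113.5 port 33010 ssh2
Sep 19 03:16:02 host sshd[4151]: Failed password for antony from 203.0.113.5 port 33011 ssh2
Sep 19 03:16:03 host sshd[4152]: Failed password for antony from 203.0.113.5 port 33012 ssh2
Sep 19 03:16:04 host sshd[4153]: Failed password for antony from 203.0.113.5 port 33013 ssh2
"""

# Matches both "Failed password for USER from IP" and
# "Failed password for invalid user USER from IP".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def count_failures(log_text):
    """Return {source_ip: number of failed password attempts}."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def offenders(log_text, threshold=3, whitelist=()):
    """Sorted list of IPs at or above the threshold, minus whitelisted ones.

    The whitelist is there so a typo-prone admin on a known address
    cannot lock himself out; threshold and whitelist are assumptions.
    """
    counts = count_failures(log_text)
    return sorted(
        ip for ip, n in counts.items() if n >= threshold and ip not in whitelist
    )


def pf_block_commands(ips, table="sshbrute"):
    """pfctl commands that add each IP to a pf table (table name assumed)."""
    return ["pfctl -t %s -T add %s" % (table, ip) for ip in ips]


if __name__ == "__main__":
    for cmd in pf_block_commands(offenders(SAMPLE_AUTH_LOG, whitelist=("203.0.113.5",))):
        print(cmd)
```

For the emitted commands to have any effect, pf.conf needs a matching table and a rule that uses it, for example `table <sshbrute> persist` and `block in quick on $ext_if from <sshbrute>`. Mikhail's observation that the sources keep changing is the reason not to make the entries permanent: a table that is only ever added to grows without bound, so flush it periodically from cron (`pfctl -t sshbrute -T flush`) or otherwise age the entries.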