From: Adam Vande More
To: Aflatoon Aflatooni
Cc: freebsd-questions@freebsd.org
Date: Fri, 9 Oct 2009 16:48:14 -0500
Subject: Re: Security blocking question
In-Reply-To: <526808.11391.qm@web56207.mail.re3.yahoo.com>
Message-ID: <6201873e0910091448h46c13ce4h2e9df8920a8fe27a@mail.gmail.com>

On Fri, Oct 9, 2009 at 4:45 PM, Aflatoon Aflatooni wrote:

> Hi,
> The production server that has a public IP address has SSH enabled. This
> server is continuously under dictionary attack:
> Oct 8 12:58:40 seven sshd[32248]: Invalid user europa from 83.65.199.91
> Oct 8 12:58:40 seven sshd[32250]: Invalid user hacked from 83.65.199.91
> Oct 8 12:58:40 seven sshd[32251]: Invalid user cop\r from 83.65.199.91
> Oct 8 12:58:41 seven sshd[32254]: Invalid user gel from 83.65.199.91
> Oct 8 12:58:41 seven sshd[32255]: Invalid user dork from 83.65.199.91
> Oct 8 12:58:41 seven sshd[32258]: Invalid user eva from 83.65.199.91
> Oct 8 12:58:41 seven sshd[32260]: Invalid user hacker from 83.65.199.91
> Oct 8 12:58:41 seven sshd[32261]: Invalid user copila\r from 83.65.199.91
> Oct 8 12:58:42 seven sshd[32265]: Invalid user dorna from 83.65.199.91
> Oct 8 12:58:42 seven sshd[32264]: Invalid user gelo from 83.65.199.91
> Oct 8 12:58:42 seven sshd[32268]: Invalid user evara from 83.65.199.91
> Oct 8 12:58:43 seven sshd[32270]: Invalid user hack from 83.65.199.91
> Oct 8 12:58:43 seven sshd[32271]: Invalid user copil\r from 83.65.199.91
> Oct 8 12:58:43 seven sshd[32274]: Invalid user Doubled from 83.65.199.91
> Oct 8 12:58:43 seven sshd[32275]: Invalid user gelos from 83.65.199.91
> Oct 8 12:58:44 seven sshd[32278]: Invalid user eve from 83.65.199.91
>
> Is there a way that I could configure the server so that if there are for
> example X attempts from an IP address then for the next Y hours all the SSH
> requests would be ignored from that IP address?
> There are only a handful of people who have access to that server.
>
> Thanks
>

/usr/ports/security/denyhosts

--
Adam Vande More
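
The "X attempts, then ignore for Y hours" rule asked about in this thread, run over the quoted sshd lines. This is an added example, not part of the original messages and not DenyHosts code. The function names, the threshold (5), the counting window (10 minutes), the ban length (4 hours), the year 2009 and the one constructed log line are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# First six lines of the log quoted in the message, plus one constructed line
# (192.0.2.7) whose user name tries to smuggle in a second address.
SAMPLE_LOG = r"""Oct 8 12:58:40 seven sshd[32248]: Invalid user europa from 83.65.199.91
Oct 8 12:58:40 seven sshd[32250]: Invalid user hacked from 83.65.199.91
Oct 8 12:58:40 seven sshd[32251]: Invalid user cop\r from 83.65.199.91
Oct 8 12:58:41 seven sshd[32254]: Invalid user gel from 83.65.199.91
Oct 8 12:58:41 seven sshd[32255]: Invalid user dork from 83.65.199.91
Oct 8 12:58:41 seven sshd[32258]: Invalid user eva from 83.65.199.91
Oct 8 13:05:00 seven sshd[40000]: Invalid user x from 10.0.0.1 from 192.0.2.7
"""

# The user name is attacker-controlled, so the address is taken only from the
# end of the line; the greedy user group swallows any earlier " from ...".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]:\s+"
    r"Invalid user (?P<user>.*) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)

def parse_line(line, year=2009):
    """Return (timestamp, ip) for an 'Invalid user' line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # syslog omits the year, so the caller supplies it (assumed 2009 here).
    when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return when, m["ip"]

def find_bans(log_text, max_attempts=5, window=timedelta(minutes=10),
              ban_for=timedelta(hours=4)):
    """Map each IP with >= max_attempts failures inside `window` to its ban expiry."""
    recent = defaultdict(deque)   # ip -> failure times still inside the window
    bans = {}
    for parsed in filter(None, map(parse_line, log_text.splitlines())):
        when, ip = parsed
        hits = recent[ip]
        hits.append(when)
        while when - hits[0] > window:
            hits.popleft()
        if len(hits) >= max_attempts:
            bans[ip] = when + ban_for   # a further failure restarts the Y-hour clock
    return bans

def is_blocked(bans, ip, now):
    """True while `now` is before the ban expiry recorded for `ip`."""
    return ip in bans and now < bans[ip]
```

With the sample input only 83.65.199.91 crosses the threshold; the constructed line counts once against 192.0.2.7 and never against the address embedded in its user name.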