From: Willem Jan Withagen
To: "David D.W. Downey"
cc: freebsd-security@FreeBSD.ORG
Date: Sat, 18 Sep 2004 23:44:54 +0200
Subject: Re: Attacks on ssh port
In-Reply-To: <6917b781040918103077c76f0c@mail.gmail.com>

David D.W. Downey wrote:
> On Sat, 18 Sep 2004 14:18:32 +0200, Willem Jan Withagen wrote:
>
>> Hi,
>>
>> Is there a security problem with ssh that I've missed???
>> I keep getting these hordes of:
>>   Failed password for root from 69.242.5.195 port 39239 ssh2
>> with all kinds of different source addresses.
>>
>> They have a shot or 15 and then they are off again, but a little later on
>> they're back and keep clogging my logs.
>> Is there an "easy" way of getting these IP numbers added to the
>> blocking list of ipfw??
>>
>> Thanx,
>> --WjW
>
> Well, you want to see those. So long as you have
>
> PermitRootLogin no
>
> in your /etc/ssh/sshd_config, they won't be able to get in, since ssh
> is then denied for root (except via a valid ssh key, which you can
> further lock down by adding
>
> from="ip.addr, forward.dns.record.of.host"
>
> to the beginning of your ssh-dsa or ssh-rsa key line in ~/.ssh/authorized_keys).

It is not about all this. I know these, and I use them if appropriate.
(Come to think of it, I was one of the first externals to test Wietse
Venema's TCP-wrapper.)

Once I have identified the nature and quality of this type of problem, I
want to deal with it in such a way that it is no longer a bother. And in
this particular case these records are clogging my login error records.
And because of that I just might miss out on the one or two that do
matter. You might want to call it noise reduction, and I'm looking for as
large a signal-to-noise ratio as possible.

So that is why I would like to be able to throw root/ssh login attempts
directly in the garbage and kill the host where these are coming from
with a record in my firewall.

--WjW
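The log-to-ipfw step the thread asks for, as an added example (not code from either poster): a POSIX sh/awk function that counts "Failed password for root" lines per source address and prints, rather than runs, an ipfw deny rule for every address that crosses a threshold. The sample log lines are constructed, and the starting rule number and the /var/log/auth.log location are assumptions.

```shell
#!/bin/sh
# Constructed sample of the sshd lines in question (not real traffic); on a
# FreeBSD box these would be read from /var/log/auth.log (assumed path).
SAMPLE_LOG='Sep 18 14:01:02 host sshd[1234]: Failed password for root from 203.0.113.5 port 39239 ssh2
Sep 18 14:01:04 host sshd[1235]: Failed password for root from 203.0.113.5 port 39240 ssh2
Sep 18 14:01:06 host sshd[1236]: Failed password for root from 203.0.113.5 port 39241 ssh2
Sep 18 14:02:00 host sshd[1240]: Failed password for admin from 198.51.100.7 port 40000 ssh2
Sep 18 14:03:00 host sshd[1241]: Failed password for root from 198.51.100.9 port 40001 ssh2
Sep 18 14:05:00 host sshd[1250]: Accepted publickey for wjw from 192.0.2.10 port 50000 ssh2'

# offending_ips LOGTEXT MIN
# Prints, one per line and sorted, every source address that failed a root
# password login at least MIN times. Only root attempts count, so the
# "admin" line above is ignored; successful logins never match.
offending_ips() {
    printf '%s\n' "$1" | awk -v min="$2" '
        /sshd\[[0-9]+\]: Failed password for root from / {
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            count[ip]++
        }
        END { for (ip in count) if (count[ip] >= min) print ip }' | sort
}

# ipfw_deny_rules LOGTEXT MIN FIRST_RULE
# Emits one "ipfw add <n> deny" command per offending address, numbering
# rules from FIRST_RULE (an assumed value; pick one that fits your ruleset).
# The commands are printed, not executed, so they can be reviewed first and
# then piped to sh once you are happy with the list.
ipfw_deny_rules() {
    n="$3"
    for ip in $(offending_ips "$1" "$2"); do
        echo "ipfw add $n deny tcp from $ip to me 22"
        n=$((n + 1))
    done
}

ipfw_deny_rules "$SAMPLE_LOG" 3 1000
```

With the threshold at 3 only 203.0.113.5 is listed; lowering it to 1 also picks up 198.51.100.9, which shows why a threshold matters before anything is fed to the firewall.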