Date: Sat, 18 Sep 2004 23:44:54 +0200
From: Willem Jan Withagen <wjw@withagen.nl>
To: "David D.W. Downey" <david.downey@gmail.com>
Cc: "freebsd-security@FreeBSD.ORG" <freebsd-security@freebsd.org>
Subject: Re: Attacks on ssh port
Message-ID: <414CAC56.8020601@withagen.nl>
In-Reply-To: <6917b781040918103077c76f0c@mail.gmail.com>
References: <414C2798.7060509@withagen.nl> <6917b781040918103077c76f0c@mail.gmail.com>

David D.W. Downey wrote:

>On Sat, 18 Sep 2004 14:18:32 +0200, Willem Jan Withagen <wjw@withagen.nl> wrote:
>
>>Hi,
>>
>>Is there a security problem with ssh that I've missed???
>>I keep getting these hordes of:
>>    Failed password for root from 69.242.5.195 port 39239 ssh2
>>with all kinds of different source addresses.
>>
>>They have a shot or 15 and then they are off again, but a little later on
>>they're back and keep clogging my logs.
>>Is there an "easy" way of getting these ip-numbers added to the
>>blocking-list of ipfw??
>>
>>Thanx,
>>--WjW
>
>well you want to see those. So long as you have
>
>PermitRootLogin no
>
>in your /etc/ssh/sshd_config, they won't be able to get in since ssh
>is then denied for root (except via a valid ssh key which you can
>further lock down by adding
>
>from="ip.addr, forward.dns.record.of.host"
>
>to the beginning of your ssh-dsa or ssh-rsa key line in ~/.ssh/authorized_keys)

It is not about all this. I know these, and I use them if appropriate.
(Come to think of it, I was one of the first externals to test Wietse
Venema's TCP-wrapper.)

Once I have identified the nature and quality of this type of problem, I
want to deal with it in such a way that it is no longer a bother.
And in this particular case these records are clogging my login error
records. And because of that I just might miss out on the one or two that
do matter.

You might want to call it noise-reduction, and I'm looking for as large
a Signal/Noise ratio as possible.

So that is why I would like to be able to throw root/ssh login attempts
directly in the garbage and kill the host where these are coming from
with a record in my firewall.

--WjW
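
Added example, not part of the original message or of any FreeBSD tool: one way to turn the "Failed password for root" records discussed above into ipfw block entries. It assumes an ipfw build with lookup tables and a ruleset that already denies traffic from table 1; the threshold, allowlist, function names and sample log lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Match only sshd's own record for user "root", anchored at end of line, so text
# inside a client-supplied user name cannot stand in for the source address.
FAILED_ROOT = re.compile(
    r"sshd\[\d+\]: Failed password for root from (\S+) port \d+ ssh2$")

def offenders(lines, threshold=5, allow=()):
    """Addresses with at least `threshold` failed root logins, minus allowlist."""
    allowed = [ipaddress.ip_network(n) for n in allow]
    counts = Counter()
    for line in lines:
        m = FAILED_ROOT.search(line.rstrip())
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # not a literal address: never hand it to the firewall
        if any(addr in net for net in allowed):
            continue  # never block our own management networks
        counts[addr] += 1
    hits = [a for a, n in counts.items() if n >= threshold]
    return sorted(hits, key=lambda a: (a.version, int(a)))

def ipfw_commands(addrs, table=1):
    """Render 'ipfw table N add ADDR' lines for review; nothing is executed."""
    return [f"ipfw table {table} add {a}" for a in addrs]

def sample_log():
    """Constructed sshd lines using documentation address ranges, not real data."""
    fmt = ("Sep 18 14:01:{:02d} gw sshd[4242]: "
           "Failed password for {} from {} port 39239 ssh2")
    lines = [fmt.format(i, "root", "192.0.2.10") for i in range(4)]
    lines += [fmt.format(i, "root", "203.0.113.5") for i in range(4)]  # admin host
    lines += [fmt.format(9, "root", "198.51.100.7")]  # one-off, below threshold
    # User name field that itself contains a "from ... ssh2" clause.
    odd_user = "invalid user root from 192.0.2.99 port 1 ssh2"
    lines += [fmt.format(i, odd_user, "198.51.100.8") for i in range(4)]
    return lines

if __name__ == "__main__":
    for cmd in ipfw_commands(offenders(sample_log(), 3, ["203.0.113.0/24"])):
        print(cmd)
```

The output is a list of commands to review or pipe to a shell as root; keeping the allowlist populated with your own administrative networks prevents a mistyped password from locking you out.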