Date: Tue, 4 Mar 2003 11:26:20 -0600
From: "Kevin Kinsey, DaleCo, S.P." <kdk@daleco.biz>
To: "YOU" <trodat@server1.ultratrends.com>, "Phillip Smith (mailing list)" <lists@3bags.com>
Cc: <freebsd-questions@FreeBSD.ORG>
Subject: Re: hacking attempts?
Message-ID: <03b901c2e273$2e51bba0$0100a8c0@DaleCoportable>
References: <Pine.BSF.4.21.0303040902590.40517-100000@server1.ultratrends.com>
From: "YOU" <trodat@server1.ultratrends.com>
To: "Phillip Smith (mailing list)" <lists@3bags.com>
Cc: <freebsd-questions@FreeBSD.ORG>
Sent: Tuesday, March 04, 2003 10:06 AM
Subject: Re: hacking attempts?

> On Tue, 4 Mar 2003, Phillip Smith (mailing list) wrote:
>
> > I found this in my logs and I'm wondering if this is a hacking attempt?
> > Should I be concerned?
> >
> > Also, if/when I see these, I'd like to add them to a blocked list using
> > /sbin/ipfw, but get the following message when trying this command:
> >
> > # /sbin/ipfw add 1 deny all from 151.204.100.88:255.255.255.255 to any
> > ipfw: getsockopt(IP_FW_ADD): Protocol not available
> >
> > freedom.domain.com login failures:
> > Mar 2 11:38:33 freedom sshd[47912]: Failed none for illegal user test from 64.21.10.2 port 36747 ssh2
> > Mar 2 11:38:33 freedom sshd[47912]: Failed publickey for illegal user test from 64.21.10.2 port 36747 ssh2
> > Mar 2 11:38:34 freedom sshd[47912]: Failed keyboard-interactive for illegal user test from 64.21.10.2 port 36747 ssh2
> > Mar 2 11:38:34 freedom sshd[47912]: Failed password for illegal user test from 64.21.10.2 port 36747 ssh2
>
> > ipfw: getsockopt(blaaaaaah)
>
> Is your kernel configured for firewall work? Check LINT for options.
>
> As well you should be able to use tcpwrappers, look in
> /etc/hosts.allow. You could add a deny for this 'person's' ip addy denying
> him/her/it access to your sshd daemon. NOTE: It is 'normally not a good
> idea' to do this, but if you don't want to rebuild with a firewall
> configured kernel it will suffice.
>
> Hope this helps.
>
> R.

And the reason it's not a "good idea"? I've always assumed it was because
you didn't want to be on vacation, at a friend's house, or suddenly have
your ISP switch subnets on you and lock you out of your box...
Absolutely nothing wrong with denying the supposed "cracker's" IP; AAMOF,
go over to ARIN or APNIC or such and ditch entire Class A nets that you'll
never touch...I'll never be in SE Asia, for example...

I use a dual strategy here. One machine only trusts a second; on the
second box I deny the known bad guyz and let most others try...

...Needless to say, the really important stuff is on the first box...

Kevin Kinsey
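As an added example that is not part of the thread: a small sh/awk script that counts the "Failed ... from <ip>" sshd lines of the kind Phillip posted and turns repeat offenders into tcpwrappers rules for /etc/hosts.allow, listing an explicitly allowed admin network first so the lockout Kevin worries about cannot happen. The sample log lines are constructed after the format quoted above; the 192.168.0.0/24 trusted network and the failure threshold are assumptions.

```shell
#!/bin/sh
# Constructed sample lines, modelled on the sshd messages quoted in the thread.
SAMPLE_LOG='Mar  2 11:38:33 freedom sshd[47912]: Failed none for illegal user test from 64.21.10.2 port 36747 ssh2
Mar  2 11:38:33 freedom sshd[47912]: Failed publickey for illegal user test from 64.21.10.2 port 36747 ssh2
Mar  2 11:38:34 freedom sshd[47912]: Failed keyboard-interactive for illegal user test from 64.21.10.2 port 36747 ssh2
Mar  2 11:38:34 freedom sshd[47912]: Failed password for illegal user test from 64.21.10.2 port 36747 ssh2
Mar  2 11:40:01 freedom sshd[47950]: Failed password for kdk from 192.168.0.7 port 40112 ssh2
Mar  2 11:41:10 freedom sshd[47961]: Accepted publickey for kdk from 192.168.0.7 port 40113 ssh2'

# Print "<count> <ip>" for every source with failed sshd logins, busiest first.
# Only "Failed ..." lines count; the "Accepted" line is ignored.
failures_by_ip() {
    printf '%s\n' "$SAMPLE_LOG" |
    awk '/ sshd\[[0-9]+\]: Failed / {
             for (i = 1; i <= NF; i++)
                 if ($i == "from") cnt[$(i + 1)]++
         }
         END { for (ip in cnt) print cnt[ip], ip }' |
    sort -rn
}

# Build hosts.allow rules for sshd.  tcpwrappers stops at the first matching
# line, so the trusted (assumed) admin network is allowed before any deny;
# every source with at least $2 failures then gets a deny line.
hosts_allow_rules() {
    trusted_net="$1"   # e.g. 192.168.0.0/255.255.255.0 (assumed admin network)
    threshold="$2"
    printf 'sshd : %s : allow\n' "$trusted_net"
    failures_by_ip | awk -v t="$threshold" '$1 >= t { print "sshd : " $2 " : deny" }'
}

hosts_allow_rules 192.168.0.0/255.255.255.0 3
```

With the sample above only 64.21.10.2 reaches the threshold; the single failure from the trusted network is reported by failures_by_ip but produces no deny line.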
