From owner-freebsd-questions Tue Mar 4 9:28:18 2003
Message-ID: <03b901c2e273$2e51bba0$0100a8c0@DaleCoportable>
From: "Kevin Kinsey, DaleCo, S.P."
Reply-To: "Kevin Kinsey, DaleCo, S.P."
To: "YOU", "Phillip Smith (mailing list)"
Subject: Re: hacking attempts?
Date: Tue, 4 Mar 2003 11:26:20 -0600
Organization: DaleCo, S.P.---"the solutions people"
List: freebsd-questions@FreeBSD.ORG

From: "YOU"
To: "Phillip Smith (mailing list)"
Sent: Tuesday, March 04, 2003 10:06 AM
Subject: Re: hacking attempts?
> On Tue, 4 Mar 2003, Phillip Smith (mailing list) wrote:
>
> > I found this in my logs and I'm wondering if this is a hacking attempt?
> > Should I be concerned?
> >
> > Also, if/when I see these, I'd like to add them to a blocked list using
> > /sbin/ipfw, but get the following message when trying this command:
> >
> > # /sbin/ipfw add 1 deny all from 151.204.100.88:255.255.255.255 to any
> > ipfw: getsockopt(IP_FW_ADD): Protocol not available
> >
> > freedom.domain.com login failures:
> > Mar 2 11:38:33 freedom sshd[47912]: Failed none for illegal user test from 64.21.10.2 port 36747 ssh2
> > Mar 2 11:38:33 freedom sshd[47912]: Failed publickey for illegal user test from 64.21.10.2 port 36747 ssh2
> > Mar 2 11:38:34 freedom sshd[47912]: Failed keyboard-interactive for illegal user test from 64.21.10.2 port 36747 ssh2
> > Mar 2 11:38:34 freedom sshd[47912]: Failed password for illegal user test from 64.21.10.2 port 36747 ssh2
>
> ipfw: getsockopt(blaaaaaah)
>
> Is your kernel configured for firewall work? Check LINT for options.
>
> As well, you should be able to use tcpwrappers; look in
> /etc/hosts.allow. You could add a deny for this 'person's' IP addy, denying
> him/her/it access to your sshd daemon. NOTE: It is 'normally not a good
> idea' to do this, but if you don't want to rebuild with a firewall
> configured kernel it will suffice.
>
> Hope this helps.
>
> R.

And the reason it's not a "good idea"? I've always assumed it was because you didn't want to be on vacation, at a friend's house, or suddenly have your ISP switch subnets on you and lock you out of your box...

Absolutely nothing wrong with denying the supposed "cracker's" IP; AAMOF, go over to ARIN or APNIC or such and ditch entire Class A nets that you'll never touch...I'll never be in SE Asia, for example...

I use a dual strategy here. One machine only trusts a second; on the second box I deny the known bad guyz and let most others try...
...Needless to say, the really important stuff is on the first box...

Kevin Kinsey
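The thread above has two pieces of advice for the log lines Phillip posted: block the source with ipfw once the kernel actually has a firewall in it, or deny it to sshd in /etc/hosts.allow without rebuilding. The script below is an added example, not code from anyone in the thread. It reads sshd failure lines, counts failures per source address, and renders both kinds of deny entry for any address over a threshold. The log lines it embeds are constructed on the pattern of the posted ones: 64.21.10.2 is the address from the post, 198.51.100.7 and 192.0.2.10 are documentation addresses standing in for a one-off failure and a legitimate login; the threshold, the starting rule number and the function names are all my choices.

```sh
#!/bin/sh
# Added example: turn sshd "Failed ... for illegal user" log lines into
# ipfw and /etc/hosts.allow deny entries for repeat offenders.
# The log is constructed for this example; only 64.21.10.2 comes from the post.

SAMPLE_LOG='Mar  2 11:38:33 freedom sshd[47912]: Failed none for illegal user test from 64.21.10.2 port 36747 ssh2
Mar  2 11:38:33 freedom sshd[47912]: Failed publickey for illegal user test from 64.21.10.2 port 36747 ssh2
Mar  2 11:38:34 freedom sshd[47912]: Failed keyboard-interactive for illegal user test from 64.21.10.2 port 36747 ssh2
Mar  2 11:38:34 freedom sshd[47912]: Failed password for illegal user test from 64.21.10.2 port 36747 ssh2
Mar  2 11:40:01 freedom sshd[47930]: Failed password for illegal user admin from 198.51.100.7 port 40022 ssh2
Mar  2 11:41:12 freedom sshd[47941]: Accepted publickey for kevin from 192.0.2.10 port 51000 ssh2'

# offending_ips THRESHOLD: read sshd log lines on stdin and print "count ip"
# for every source address with at least THRESHOLD failed logins, busiest
# first. Only "Failed ..." lines are counted; accepted logins are ignored.
offending_ips() {
    awk -v thr="$1" '
        /sshd\[[0-9]+\]: Failed / {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= thr) print fails[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# ipfw_rules FIRST_RULE: one "deny ip from <ip> to any" per "count ip" line on
# stdin, numbered upward from FIRST_RULE so the denies sort ahead of any
# allow rules later in the ruleset.
ipfw_rules() {
    awk -v n="$1" '{ print "ipfw add " n++ " deny ip from " $2 " to any" }'
}

# hosts_allow_lines: tcp_wrappers entries in the "daemon : client : deny"
# form FreeBSD's /etc/hosts.allow uses; needs no kernel firewall at all.
hosts_allow_lines() {
    awk '{ print "sshd : " $2 " : deny" }'
}

# Stand-alone run: three or more failures earns a block both ways.
printf '%s\n' "$SAMPLE_LOG" | offending_ips 3 | ipfw_rules 100
printf '%s\n' "$SAMPLE_LOG" | offending_ips 3 | hosts_allow_lines
```

Two caveats before feeding the output to a real box. The `getsockopt(IP_FW_ADD): Protocol not available` error in the original post means the running kernel has no ipfw at all, so the ipfw lines will fail the same way until the kernel is built with `options IPFIREWALL` (or the ipfw module is loaded; on the kernels of that era a freshly loaded ipfw defaults to denying everything unless `IPFIREWALL_DEFAULT_TO_ACCEPT` was set, so do that from the console, not over ssh). The hosts.allow lines work immediately because the sshd in the base system is built with tcp_wrappers support. In either case, put an explicit allow for the address you administer from ahead of the deny entries, which is exactly the lock-out that Kevin's reply worries about.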