Date: Mon, 10 Jan 2005 22:23:10 -0700
From: Tom Vilot <tom@vilot.com>
To: Gene <listmail@Bomgardner.net>
Cc: "freebsd-questions@FreeBSD.ORG" <freebsd-questions@freebsd.org>
Subject: Re: High levels of breakin attempts
Message-ID: <41E362BE.3070507@vilot.com>
In-Reply-To: <41E36115.6050003@Bomgardner.net>
References: <41E36115.6050003@Bomgardner.net>
Gene wrote:
> Over the past few months there has been a remarkably high level of
> brute force attacks logged by sshd. I was wondering, is there a way
> that sshd (or some other package) can monitor login attempts and if
> more than say 5 or 6 attempts are made to login from a particular ip
> address, temporarily block that address (perhaps at the firewall)?
> It'd be real satisfying to just dump the attackers' packets to the bit
> bucket and slow 'em down a bit.

Yeah, I have experienced exactly the same thing. I think I may write a simple daemon perl script that watches the tail of auth.log for some of this crap and installs firewalls ad-hoc.

Here's a (very, very small) dump from /var/log/auth.log:

Jan 8 06:11:22 fusion sshd[43967]: Failed password for root from 64.246.44.130 port 54213 ssh2
Jan 8 06:11:22 fusion sshd[43969]: Failed password for root from 64.246.44.130 port 54219 ssh2
Jan 8 06:11:22 fusion sshd[43971]: Illegal user webmaster from 64.246.44.130
Jan 8 06:11:22 fusion sshd[43973]: Illegal user data from 64.246.44.130
Jan 8 06:11:23 fusion sshd[43975]: Illegal user user from 64.246.44.130
Jan 8 06:11:23 fusion sshd[43977]: Illegal user user from 64.246.44.130
Jan 8 06:11:23 fusion sshd[43979]: Illegal user user from 64.246.44.130
Jan 8 06:11:23 fusion sshd[43981]: Illegal user web from 64.246.44.130
Jan 8 06:11:24 fusion sshd[43983]: Illegal user web from 64.246.44.130
Jan 8 06:11:24 fusion sshd[43985]: Illegal user oracle from 64.246.44.130
Jan 8 06:11:24 fusion sshd[43987]: Illegal user sybase from 64.246.44.130
Jan 8 06:11:24 fusion sshd[43989]: Illegal user master from 64.246.44.130
Jan 8 06:11:25 fusion sshd[43991]: Illegal user account from 64.246.44.130
Jan 8 06:11:25 fusion sshd[43993]: Illegal user backup from 64.246.44.130
Jan 8 06:11:25 fusion sshd[43995]: Illegal user server from 64.246.44.130
Jan 8 06:11:25 fusion sshd[43998]: Illegal user adam from 64.246.44.130
Jan 8 06:11:26 fusion sshd[44000]: Illegal user alan from 64.246.44.130
Jan 8 06:11:26 fusion sshd[44002]: Illegal user frank from 64.246.44.130
Jan 8 06:11:26 fusion sshd[44004]: Illegal user george from 64.246.44.130
Jan 8 06:11:26 fusion sshd[44006]: Illegal user henry from 64.246.44.130
Jan 8 06:11:26 fusion sshd[44008]: Failed password for john from 64.246.44.130 port 54348 ssh2

Interestingly, 64.246.44.130 is within the IP range of ev1servers.net, which is where my BSD machine is located.

..... FUCKERS. :(
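The auth.log watcher Tom describes, sketched as an added example (Python rather than Perl; not code from this thread): it parses the two sshd failure forms shown in the dump, counts failures per source address inside a sliding time window so a slow trickle does not accumulate forever, and renders ipfw deny rules for any source that reaches the threshold. The sample log lines, the addresses in them, and the assumption that ipfw is the host firewall are all constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# The two sshd failure forms seen in the dump; syslog timestamps carry no year.
FAIL_RE = re.compile(r'^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: '
                     r'(?:Failed password for \S+|Illegal user \S+) from '
                     r'(?P<ip>\d{1,3}(?:\.\d{1,3}){3})')

# Constructed sample: five failures from one address within a few seconds, two
# from another, and one successful login that must be ignored.
SAMPLE_LOG = [
    'Jan 8 06:11:22 fusion sshd[43967]: Failed password for root from 192.0.2.10 port 54213 ssh2',
    'Jan 8 06:11:22 fusion sshd[43971]: Illegal user webmaster from 192.0.2.10',
    'Jan 8 06:11:23 fusion sshd[43975]: Illegal user user from 192.0.2.10',
    'Jan 8 06:11:23 fusion sshd[43981]: Illegal user web from 192.0.2.10',
    'Jan 8 06:11:24 fusion sshd[43985]: Illegal user oracle from 192.0.2.10',
    'Jan 8 06:12:01 fusion sshd[44020]: Illegal user admin from 198.51.100.7',
    'Jan 8 06:12:03 fusion sshd[44022]: Failed password for root from 198.51.100.7 port 40011 ssh2',
    'Jan 8 06:12:10 fusion sshd[44030]: Accepted publickey for tom from 203.0.113.5 port 50000 ssh2',
]

def parse_failure(line):
    """Return (timestamp, source ip) for an sshd failure line, else None."""
    m = FAIL_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group('ts'), '%b %d %H:%M:%S'), m.group('ip')

def find_offenders(lines, threshold=5, window_seconds=60):
    """Map source ip -> peak failure count for sources hitting threshold inside any window."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    offenders = {}
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, ip = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()           # drop failures older than the window
        if len(q) >= threshold:
            offenders[ip] = max(offenders.get(ip, 0), len(q))
    return offenders

def ipfw_rules(offenders, rule_number=1000):
    """Render (not execute) ipfw deny rules; assumes ipfw is the host firewall."""
    return ['ipfw add %d deny ip from %s to any' % (rule_number, ip) for ip in sorted(offenders)]
```

A real daemon would feed `find_offenders` from a tail of auth.log and expire the rules again after some time, as Gene's "temporarily block" suggests.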