From: Tom Vilot <tom@vilot.com>
To: Gene
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: High levels of breakin attempts
Date: Mon, 10 Jan 2005 22:23:10 -0700
Message-ID: <41E362BE.3070507@vilot.com>
In-Reply-To: <41E36115.6050003@Bomgardner.net>

Gene wrote:
> Over the past few months there has been a remarkably high level of
> brute force attacks logged by sshd. I was wondering, is there a way
> that sshd (or some other package) can monitor login attempts and if
> more than say 5 or 6 attempts are made to login from a particular IP
> address, temporarily block that address (perhaps at the firewall)?
> It'd be real satisfying to just dump the attackers' packets to the bit
> bucket and slow 'em down a bit.

Yeah, I have experienced exactly the same thing.
I think I may write a simple daemon perl script that watches the tail of auth.log for some of this crap and installs firewall rules ad hoc.

Here's a (very, very small) dump from /var/log/auth.log:

Jan 8 06:11:22 fusion sshd[43967]: Failed password for root from 64.246.44.130 port 54213 ssh2
Jan 8 06:11:22 fusion sshd[43969]: Failed password for root from 64.246.44.130 port 54219 ssh2
Jan 8 06:11:22 fusion sshd[43971]: Illegal user webmaster from 64.246.44.130
Jan 8 06:11:22 fusion sshd[43973]: Illegal user data from 64.246.44.130
Jan 8 06:11:23 fusion sshd[43975]: Illegal user user from 64.246.44.130
Jan 8 06:11:23 fusion sshd[43977]: Illegal user user from 64.246.44.130
Jan 8 06:11:23 fusion sshd[43979]: Illegal user user from 64.246.44.130
Jan 8 06:11:23 fusion sshd[43981]: Illegal user web from 64.246.44.130
Jan 8 06:11:24 fusion sshd[43983]: Illegal user web from 64.246.44.130
Jan 8 06:11:24 fusion sshd[43985]: Illegal user oracle from 64.246.44.130
Jan 8 06:11:24 fusion sshd[43987]: Illegal user sybase from 64.246.44.130
Jan 8 06:11:24 fusion sshd[43989]: Illegal user master from 64.246.44.130
Jan 8 06:11:25 fusion sshd[43991]: Illegal user account from 64.246.44.130
Jan 8 06:11:25 fusion sshd[43993]: Illegal user backup from 64.246.44.130
Jan 8 06:11:25 fusion sshd[43995]: Illegal user server from 64.246.44.130
Jan 8 06:11:25 fusion sshd[43998]: Illegal user adam from 64.246.44.130
Jan 8 06:11:26 fusion sshd[44000]: Illegal user alan from 64.246.44.130
Jan 8 06:11:26 fusion sshd[44002]: Illegal user frank from 64.246.44.130
Jan 8 06:11:26 fusion sshd[44004]: Illegal user george from 64.246.44.130
Jan 8 06:11:26 fusion sshd[44006]: Illegal user henry from 64.246.44.130
Jan 8 06:11:26 fusion sshd[44008]: Failed password for john from 64.246.44.130 port 54348 ssh2

Interestingly, 64.246.44.130 is within the IP range of ev1servers.net, which is where my BSD machine is located.

..... FUCKERS. :(
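The log watcher the thread describes (count sshd failures per source address, block the address at the firewall once a threshold such as 5 or 6 is crossed, and lift the block again later), written out as an added example. This is not Tom's perl daemon or anything from the FreeBSD project; it is a Python sketch that parses the two sshd message forms in the quoted auth.log excerpt, keeps a sliding window per address, and only builds the firewall commands as strings (dry run) instead of executing them. The ipfw table number, the pf table name, the deny rule that consumes the table, and the log year are all assumptions, and the last sample line is constructed. One caveat worth keeping in mind when deploying something like this: a whole address goes into the table, so a legitimate user behind the same NAT as an attacker, or anyone who mistypes a password six times, gets locked out until the block expires.

```python
"""Count sshd failures per source address and emit firewall table
add/delete commands once a threshold is crossed (dry run only)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the two sshd messages seen in the quoted log ("Failed password
# for ... from ..." and "Illegal user ... from ...").  The syslog stamp
# carries no year, so parse_line() takes one as a parameter.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"(?:Failed password for (?P<fuser>\S+) from (?P<fip>[\d.]+)"
    r"|Illegal user (?P<iuser>\S+) from (?P<iip>[\d.]+))"
)

# Assumed firewall setup: ipfw table 1 (or pf table <bruteforce>) is
# already referenced by a deny rule, e.g. "ipfw add deny ip from
# table(1) to any".  Commands are only formatted here, never executed.
FIREWALL_CMDS = {
    "ipfw": ("ipfw table 1 add {ip}", "ipfw table 1 delete {ip}"),
    "pf": ("pfctl -t bruteforce -T add {ip}", "pfctl -t bruteforce -T delete {ip}"),
}


def parse_line(line, year):
    """Return (timestamp, source_ip, username) for an sshd failure line,
    or None for any line that is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(
        f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return ts, m["fip"] or m["iip"], m["fuser"] or m["iuser"]


class BruteForceWatcher:
    def __init__(self, threshold=5, window=60, ttl=600, firewall="ipfw", year=2005):
        self.threshold = threshold                  # failures needed to block
        self.window = timedelta(seconds=window)     # sliding window length
        self.ttl = timedelta(seconds=ttl)           # how long a block lasts
        self.add_cmd, self.del_cmd = FIREWALL_CMDS[firewall]
        self.year = year
        self.recent = defaultdict(deque)   # ip -> timestamps inside the window
        self.total = defaultdict(int)      # ip -> failures seen overall
        self.blocked = {}                  # ip -> time the block was added
        self.commands = []                 # every command we would have run

    def feed(self, line):
        """Process one log line; return the firewall command it triggered
        (if any), else None."""
        parsed = parse_line(line, self.year)
        if parsed is None:
            return None
        ts, ip, _user = parsed
        self.total[ip] += 1
        if ip in self.blocked:
            return None                    # already in the table
        q = self.recent[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()                    # forget failures outside the window
        if len(q) >= self.threshold:
            self.blocked[ip] = ts
            cmd = self.add_cmd.format(ip=ip)
            self.commands.append(cmd)
            return cmd
        return None

    def expire(self, now):
        """Lift every block older than ttl; return the delete commands."""
        lifted = []
        for ip, since in list(self.blocked.items()):
            if now - since >= self.ttl:
                del self.blocked[ip]
                self.recent[ip].clear()
                cmd = self.del_cmd.format(ip=ip)
                self.commands.append(cmd)
                lifted.append(cmd)
        return lifted


# Sample input: the first six lines are taken from the quoted auth.log
# excerpt; the last one is constructed (one failure from another address,
# which must not be blocked).
SAMPLE_LOG = """\
Jan 8 06:11:22 fusion sshd[43967]: Failed password for root from 64.246.44.130 port 54213 ssh2
Jan 8 06:11:22 fusion sshd[43969]: Failed password for root from 64.246.44.130 port 54219 ssh2
Jan 8 06:11:22 fusion sshd[43971]: Illegal user webmaster from 64.246.44.130
Jan 8 06:11:22 fusion sshd[43973]: Illegal user data from 64.246.44.130
Jan 8 06:11:23 fusion sshd[43975]: Illegal user user from 64.246.44.130
Jan 8 06:11:23 fusion sshd[43977]: Illegal user user from 64.246.44.130
Jan 8 06:12:01 fusion sshd[44100]: Failed password for alice from 10.0.0.7 port 40001 ssh2
"""


def run_sample(threshold=5, firewall="ipfw"):
    """Feed SAMPLE_LOG through a watcher and return it for inspection."""
    w = BruteForceWatcher(threshold=threshold, firewall=firewall)
    for line in SAMPLE_LOG.splitlines():
        cmd = w.feed(line)
        if cmd:
            print("would run:", cmd)
    return w


if __name__ == "__main__":
    w = run_sample()
    # ten minutes later the block is lifted again (still a dry run)
    for cmd in w.expire(datetime(2005, 1, 8, 6, 22, 0)):
        print("would run:", cmd)
```

With the quoted excerpt the fifth failure from 64.246.44.130 (at 06:11:23) crosses the threshold and produces `ipfw table 1 add 64.246.44.130`; the remaining lines from that address are counted but trigger nothing more, and the single failure from the constructed second address never reaches the threshold. Switching `firewall="pf"` yields the `pfctl -t bruteforce -T add` form instead. In a real daemon you would replace the `print` with a `subprocess` call, run `expire()` on a timer, and whitelist your own management addresses before the table ever sees them.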