From owner-freebsd-questions@FreeBSD.ORG Tue Jan 11 05:32:50 2005
From: "Murray Taylor"
To: "'Tom Vilot'", "'Gene'"
Cc: "'freebsd-questions@FreeBSD.ORG'"
Subject: RE: High levels of breakin attempts
Date: Tue, 11 Jan 2005 16:32:32 +1100
Organization: Bytecraft Systems Pty Ltd
Reply-To: murraytaylor@bytecraftsystems.com
Message-ID: <002101c4f79e$f3233200$c82aa8c0@LTTAYLORMNEW>
In-Reply-To: <41E362BE.3070507@vilot.com>

> Gene wrote:
>
> > Over the past few months there have been a remarkably high level of
> > brute force attacks logged by sshd. I was wondering, is there a way
> > that sshd (or some other package) can monitor login attempts and if
> > more than say 5 or 6 attempts are made to login from a particular ip
> > address, temporarily block that address (perhaps at the firewall)?
> > It'd be real satisfying to just dump the attackers' packets to the bit
> > bucket and slow 'em down a bit.
>
> Yeah, I have experienced exactly the same thing. I think I may write a
> simple daemon Perl script that watches the tail of auth.log for some of
> this crap and installs firewalls ad-hoc.
>
> Here's a (very, very small) dump from /var/log/auth.log
>
> Jan 8 06:11:22 fusion sshd[43967]: Failed password for root from 64.246.44.130 port 54213 ssh2
> Jan 8 06:11:22 fusion sshd[43969]: Failed password for root from 64.246.44.130 port 54219 ssh2
> Jan 8 06:11:22 fusion sshd[43971]: Illegal user webmaster from 64.246.44.130
> Jan 8 06:11:22 fusion sshd[43973]: Illegal user data from 64.246.44.130
> Jan 8 06:11:23 fusion sshd[43975]: Illegal user user from 64.246.44.130
> Jan 8 06:11:23 fusion sshd[43977]: Illegal user user from 64.246.44.130
> Jan 8 06:11:23 fusion sshd[43979]: Illegal user user from 64.246.44.130
> Jan 8 06:11:23 fusion sshd[43981]: Illegal user web from 64.246.44.130
> Jan 8 06:11:24 fusion sshd[43983]: Illegal user web from 64.246.44.130
> Jan 8 06:11:24 fusion sshd[43985]: Illegal user oracle from 64.246.44.130
> Jan 8 06:11:24 fusion sshd[43987]: Illegal user sybase from 64.246.44.130
> Jan 8 06:11:24 fusion sshd[43989]: Illegal user master from 64.246.44.130
> Jan 8 06:11:25 fusion sshd[43991]: Illegal user account from 64.246.44.130
> Jan 8 06:11:25 fusion sshd[43993]: Illegal user backup from 64.246.44.130
> Jan 8 06:11:25 fusion sshd[43995]: Illegal user server from 64.246.44.130
> Jan 8 06:11:25 fusion sshd[43998]: Illegal user adam from 64.246.44.130
> Jan 8 06:11:26 fusion sshd[44000]: Illegal user alan from 64.246.44.130
> Jan 8 06:11:26 fusion sshd[44002]: Illegal user frank from 64.246.44.130
> Jan 8 06:11:26 fusion sshd[44004]: Illegal user george from 64.246.44.130
> Jan 8 06:11:26 fusion sshd[44006]: Illegal user henry from 64.246.44.130
> Jan 8 06:11:26 fusion sshd[44008]: Failed password for john from 64.246.44.130 port 54348 ssh2
>
> Interestingly, 64.246.44.130 is within the IP range of ev1servers.net
> which is where my BSD machine is located.
>
> ..... FUCKERS.

I haven't checked for sure, but could sysutils/ipa help?
It can 'open/close' firewalls upon certain limit conditions... From the pkg-descr:

-------------------------------------------------------------------
ipa(8) allows to make IP accounting (network accounting) based on
FreeBSD IPv4/v6 Firewall (including IPFW2), OpenBSD Packet Filter and
IP Filter accounting rules on FreeBSD, NetBSD and OpenBSD. It supports
limits for accounting rules and limits events as "limit is reached",
"reached limit is expired", etc. It understands time intervals like
"end of day", "end of week", "end of month", etc.

ipastat(8) is a viewer for IP accounting database made by ipa(8).
---------------------------------------------------------------------

Maybe something that registers and shuts out the ungodly, and ipa then
can follow along and reopen things later....

0.02c maybe

mjt
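The counting-and-blocking step Gene asked about, and Tom proposed scripting, as an added example; this is not code from the thread, from ipa, or from sshd. It parses lines in the two shapes Tom's dump shows ("Failed password for ... from IP" and "Illegal user ... from IP", plus the "Invalid user" wording later OpenSSH releases use), counts failures per source address inside a sliding time window, and builds the pf or ipfw table commands without running them. Everything not in the thread is an assumption chosen for illustration: the sample log (constructed, with documentation addresses in place of the real source), the threshold of 5 failures in 10 minutes, the one-hour expiry, the pf table name sshbrute, ipfw table number 1, and the year 2005 supplied for syslog timestamps that carry none.

```python
"""Count failed sshd logins per source address and build firewall blocks.

Added example for the thread above, not part of ipa, sshd or any posted
script.  Assumed for illustration: 5 failures in 10 minutes, one-hour
expiry, pf table "sshbrute", ipfw table 1, year 2005 for syslog stamps.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the shapes Tom's dump shows, plus the "Invalid user"
# wording of later OpenSSH.  Documentation addresses stand in for the real one.
SAMPLE_LOG = """\
Jan  8 06:11:22 fusion sshd[43967]: Failed password for root from 192.0.2.10 port 54213 ssh2
Jan  8 06:11:22 fusion sshd[43971]: Illegal user webmaster from 192.0.2.10
Jan  8 06:11:23 fusion sshd[43975]: Illegal user user from 192.0.2.10
Jan  8 06:11:24 fusion sshd[43985]: Illegal user oracle from 192.0.2.10
Jan  8 06:11:26 fusion sshd[44008]: Failed password for john from 192.0.2.10 port 54348 ssh2
Jan  8 06:30:01 fusion sshd[44100]: Failed password for murray from 198.51.100.7 port 40001 ssh2
Jan  8 07:00:00 fusion sshd[44200]: Accepted publickey for murray from 198.51.100.7 port 40002 ssh2
Jan  8 09:00:00 fusion sshd[44300]: Invalid user test from 203.0.113.5
Jan  8 10:00:00 fusion sshd[44301]: Invalid user test from 203.0.113.5
Jan  8 11:00:00 fusion sshd[44302]: Invalid user test from 203.0.113.5
Jan  8 12:00:00 fusion sshd[44303]: Invalid user test from 203.0.113.5
Jan  8 13:00:00 fusion sshd[44304]: Invalid user test from 203.0.113.5
"""

# Failure lines only: "Failed password for [invalid user] U from IP ..." and
# "Illegal|Invalid user U from IP".  "Accepted ..." lines do not match.
_FAILED = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Failed password for (?:invalid user )?(?P<u1>\S+)"
    r"|(?:Illegal|Invalid) user (?P<u2>\S+)) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse_failures(lines, year=2005):
    """Yield (timestamp, source_ip, username) for each failed-login line.

    syslog omits the year, so the caller supplies it (assumed 2005 here);
    a log that spans New Year needs the caller to handle the rollover.
    """
    for line in lines:
        m = _FAILED.match(line)
        if not m:
            continue
        stamp = " ".join(m.group("ts").split())  # "Jan  8 ..." -> "Jan 8 ..."
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        yield ts, m.group("ip"), m.group("u1") or m.group("u2")


def offenders(lines, threshold=5, window_minutes=10, year=2005):
    """Return {ip: (total_failures, last_seen)} for every address that
    produced `threshold` failures inside any span of `window_minutes`.

    A sliding window rather than a lifetime total: five typos spread over
    a week earn no block, Tom's twenty-odd in four seconds do.
    """
    window = timedelta(minutes=window_minutes)
    stamps = defaultdict(list)
    for ts, ip, _user in parse_failures(lines, year):
        stamps[ip].append(ts)
    hits = {}
    for ip, times in stamps.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:  # drop stamps that left the window
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = (len(times), times[-1])
                break
    return hits


def firewall_commands(ips, action="add", allow=(), backend="pf", table="sshbrute"):
    """Build (not run) the commands that add or delete table entries.

    Addresses in `allow` are skipped so a mistyped password from your own
    workstation cannot lock you out.
    pf:   pfctl -t sshbrute -T add|delete IP  (pf.conf needs `table <sshbrute> persist`
          and a `block in quick from <sshbrute>` rule)
    ipfw: ipfw table 1 add|delete IP          (needs e.g. `deny ip from table(1) to any`)
    """
    if action not in ("add", "delete"):
        raise ValueError(action)
    cmds = []
    for ip in sorted(ips):
        if ip in allow:
            continue
        if backend == "pf":
            cmds.append(["pfctl", "-t", table, "-T", action, ip])
        elif backend == "ipfw":
            cmds.append(["ipfw", "table", "1", action, ip])
        else:
            raise ValueError(backend)
    return cmds


def expired_blocks(blocked_at, now, ttl_minutes=60):
    """Addresses blocked at least `ttl_minutes` ago; pass them to
    firewall_commands(..., action="delete") so a block does not last forever."""
    ttl = timedelta(minutes=ttl_minutes)
    return sorted(ip for ip, ts in blocked_at.items() if now - ts >= ttl)


if __name__ == "__main__":
    hits = offenders(SAMPLE_LOG.splitlines())
    for cmd in firewall_commands(hits, allow={"198.51.100.7"}):
        print(" ".join(cmd))  # hand to subprocess.run(cmd, check=True) once trusted
```

Run against a copy of auth.log first; since the script only builds commands, the printed list is the review step before anything touches the firewall. Two details matter more than the threshold: the allowlist, because your own typo produces exactly the log line an attacker's guess does, and the expiry, which is the "reached limit is expired" behaviour mjt points to in ipa, so that a shared NAT address or a mistaken block is released without manual pfctl or ipfw work.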