From: Rob
To: FreeBSD questions
cc: xmisoy@gmail.com
Date: Wed, 6 Apr 2005 00:34:25 -0700 (PDT)
Subject: Re: too many illegal connection attempts through ssh
Message-ID: <20050406073425.44628.qmail@web54005.mail.yahoo.com>

Edwin D. Vinas wrote:
> hello,
>
> shown below is a snapshot of too many illegal
> attempts to login to my server from a suspicious
> hacker. this is taken from the "/var/log/auth.log".
> my question is, how do I automatically block an
> IP address if it is attempting to guess my login
> usernames? can I configure the firewall to check
> the instances a certain IP has

My solution is not foolproof, but appears to be good enough to stop these bulk attacks on my server.
I use a combination of firewall & alternative sshd port. For example, in /etc/rc.conf, I have:

    sshd_enable="YES"
    sshd_flags="-p 22 -p 1234"

(choose 1234 or whatever alternative port number you prefer)

Then add two tcp rules to your firewall:

    ipfw add allow log tcp from 55.44.33.22/11 to \
        ${oip} ssh in via ${oif} setup
    ipfw add allow log tcp from any to ${oip} 1234 \
        in via ${oif} setup

where "55.44.33.22/11" represents your, more or less, trusted nearby network, ${oip} your outbound IP and ${oif} your outbound interface (e.g. rl0). I suppose you're familiar enough with firewall rules.

These firewall rules allow 'regular' ssh connections only from within your nearby network; all other parties must connect over the alternative port number, 1234 in this example.

Regards,
Rob.
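The original question asked how to block an address automatically once it has made too many bad login attempts, which Rob's port-split answer sidesteps rather than solves. The script below is an added example, not code from either poster: it tallies sshd "Illegal user" / "Failed password" lines per source address from a FreeBSD-style auth.log and prints (does not apply) ipfw deny rules for addresses over a threshold. The log lines, the threshold of 3, the interface name rl0 and the starting rule number 5000 are all my own constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Counts failed sshd logins
# per source IP and emits "ipfw add ... deny" rules for repeat offenders.
# Nothing here executes ipfw; the rules are printed for review.

# Constructed sample of /var/log/auth.log lines in the sshd format of that era
# (not real log data). One host makes five bad attempts, another makes one.
SAMPLE_LOG=$(cat <<'EOF'
Apr  6 03:11:01 host sshd[41233]: Illegal user test from 203.0.113.7
Apr  6 03:11:02 host sshd[41235]: Illegal user admin from 203.0.113.7
Apr  6 03:11:04 host sshd[41237]: Failed password for illegal user admin from 203.0.113.7 port 4211 ssh2
Apr  6 03:11:05 host sshd[41239]: Illegal user guest from 203.0.113.7
Apr  6 03:11:07 host sshd[41241]: Failed password for root from 203.0.113.7 port 4215 ssh2
Apr  6 03:12:10 host sshd[41250]: Accepted publickey for rob from 198.51.100.9 port 50122 ssh2
Apr  6 03:13:44 host sshd[41260]: Failed password for rob from 198.51.100.9 port 50130 ssh2
EOF
)

# offenders THRESHOLD
#   Reads log lines on stdin, prints "IP COUNT" (sorted) for every source
#   address with at least THRESHOLD failed/illegal sshd login lines.
#   Only sshd lines are considered; "Accepted" lines never count.
offenders() {
    awk -v thr="$1" '
        /sshd\[[0-9]+\]: (Illegal user|Failed password)/ {
            # The source address is the token that follows the word "from".
            for (i = 1; i <= NF; i++)
                if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= thr) print ip, n[ip] }
    ' | sort
}

# ipfw_deny_rules [IFACE] [FIRST_RULE_NUMBER]
#   Reads "IP COUNT" lines on stdin and prints one ipfw deny rule per IP,
#   numbered consecutively from FIRST_RULE_NUMBER (assumed default 5000).
#   "setup" restricts the rule to new connections, matching the poster's
#   allow rules; the interface name (assumed default rl0) is a placeholder.
ipfw_deny_rules() {
    oif=${1:-rl0}
    num=${2:-5000}
    while read -r ip count; do
        printf 'ipfw add %d deny log tcp from %s to any in via %s setup\n' \
            "$num" "$ip" "$oif"
        num=$((num + 1))
    done
}

# Usage: show what the sample log would produce with a threshold of 3.
printf '%s\n' "$SAMPLE_LOG" | offenders 3 | ipfw_deny_rules rl0
```

Two caveats before wiring this to a cron job: the deny rules must carry a lower number than the allow rules in the post, or ipfw evaluates the allow first and the deny never matches, and the trusted "nearby network" should be excluded from the offender list so a mistyped password from your own LAN cannot lock you out.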