From owner-freebsd-questions@FreeBSD.ORG Wed Apr 6 10:07:27 2005
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C655E16A4CE for ; Wed, 6 Apr 2005 10:07:27 +0000 (GMT)
Received: from top.daemonsecurity.com (FW-182-254.go.retevision.es [62.174.254.182]) by mx1.FreeBSD.org (Postfix) with ESMTP id 563E143D49 for ; Wed, 6 Apr 2005 10:07:26 +0000 (GMT) (envelope-from norgaard@locolomo.org)
Received: from [IPv6???1] (localhost.daemonsecurity.com [127.0.0.1]) by top.daemonsecurity.com (Postfix) with ESMTP id AA1A8FE642; Wed, 6 Apr 2005 12:07:21 +0200 (CEST)
Message-ID: <4253B4CE.6070504@locolomo.org>
Date: Wed, 06 Apr 2005 12:07:10 +0200
From: Erik Nørgaard
Organization: Locolomo.ORG
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.7.5) Gecko/20050314
X-Accept-Language: en, en-us, en-gb, da, fr, de, it, es
MIME-Version: 1.0
To: "Edwin D. Vinas"
References: <36f5bbba050406001514562df7@mail.gmail.com>
In-Reply-To: <36f5bbba050406001514562df7@mail.gmail.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
cc: freebsd-questions@freebsd.org
Subject: Re: too many illegal connection attempts through ssh
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 06 Apr 2005 10:07:27 -0000

Edwin D. Vinas wrote:

> shown below is snapshot of too many illegal attempts to login to my
> server from a suspicious hacker. this is taken from the
> "/var/log/auth.log". my question is, how do i automatically block an
> IP address if it is attempting to guess my login usernames? can i
> configure the firewall to check the instances a certain IP has
> attempted to access/ssh the server, and if it has failed to login for
> about "x" number of attempts, it will be blocked automatically?

This question is asked on the list ever so often - see the archives for
suggestions.

These are automated attacks, they come regularly as crackers, black hats
or script kiddies scan across the net. You can avoid the automated
scanning by changing port, but this won't stop the determined cracker -
he will scan all your ports and identify which services are running on
which ports.

Ask yourself a few questions:

* Do you need to allow ssh from anywhere? If not, restrict to the
  relevant ip blocks.

* Do you need to allow password based authentication? If not, disable
  it and use only ssh keys, in sshd_config:

    PasswordAuthentication no
    PubkeyAuthentication yes

* Do all users need to have ssh access? If not, restrict to specific
  groups of users, in sshd_config, eg:

    AllowGroups staff

* Is it a problem apart from the log messages? Trying to login with a
  nonexistent username is usually not a problem.

Other tips: Disable ssh1, reduce the number of simultaneous
non-authenticated connections, set timeouts etc.

Cheers, Erik

--
Ph: +34.666334818
web: http://www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID: A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2
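The original question (block a source address automatically after "x" failed ssh attempts) is not answered in the reply above beyond a pointer to the archives. The following is an added example, not part of the thread and not a FreeBSD tool: a POSIX shell script that counts "Illegal user" / "Invalid user" / "Failed password" events per source address in auth.log lines and prints the pfctl commands that would add the offenders to a pf table. The log lines, the threshold of 3 and the table name "sshguard" are constructed for this example; the pf.conf lines in the comments are the standard table/block syntax but are not run here. The script prints the commands instead of executing them so it can be checked safely; wire it to cron or a syslog pipe only after whitelisting your own addresses, or a typo in your own password locks you out.

```shell
#!/bin/sh
# Count failed ssh logins per source IP and emit pf blocking commands.
# Added example; log lines and table name are constructed, not from the post.
#
# Matching pf.conf (not executed here):
#   table <sshguard> persist
#   block in quick on $ext_if proto tcp from <sshguard> to any port 22
# Entries can be aged out with:  pfctl -t sshguard -T expire 3600

# Constructed sample of /var/log/auth.log lines (OpenSSH 3.x/4.x wording).
SAMPLE_LOG='Apr  6 10:01:12 host sshd[5123]: Illegal user admin from 203.0.113.5
Apr  6 10:01:14 host sshd[5125]: Illegal user test from 203.0.113.5
Apr  6 10:01:16 host sshd[5127]: Failed password for illegal user guest from 203.0.113.5 port 40512 ssh2
Apr  6 10:01:20 host sshd[5130]: Illegal user oracle from 203.0.113.5
Apr  6 10:02:03 host sshd[5140]: Failed password for root from 198.51.100.7 port 4022 ssh2
Apr  6 10:02:09 host sshd[5142]: Accepted publickey for erik from 192.0.2.10 port 51000 ssh2'

# offenders THRESHOLD: read log lines on stdin, print "count ip" for every
# source with at least THRESHOLD failures, highest count first.
offenders() {
    threshold="$1"
    awk -v t="$threshold" '
        /sshd\[[0-9]+\]: (Illegal user|Invalid user|Failed password)/ {
            # the source address is the token after the first "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            n[ip]++
        }
        END { for (ip in n) if (n[ip] >= t) printf "%d %s\n", n[ip], ip }
    ' | sort -rn
}

# block_cmds THRESHOLD: turn the offender list into pfctl commands.
# Printed rather than executed; pipe into sh once you trust the output.
block_cmds() {
    offenders "$1" | while read -r count ip; do
        printf 'pfctl -t sshguard -T add %s   # %s failures\n' "$ip" "$count"
    done
}

main() {
    # In production: tail -F /var/log/auth.log | block_cmds 3 | sh
    printf '%s\n' "$SAMPLE_LOG" | block_cmds 3
}

main
```

The threshold is per address over the whole input, so a long-running tail needs the table expiry above (or periodic restart of the counter) to avoid permanently blocking a NAT gateway that one coworker fat-fingered behind. Note also that once password authentication is disabled as the reply suggests, these failures are noise rather than risk.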
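The reply's checklist (no password authentication, keys only, AllowGroups, no ssh1, fewer unauthenticated connections, timeouts) is easy to get half right, so here is an added example, not from the thread, of the weak and hardened sshd_config side by side and a small auditor for the settings. Both config excerpts are constructed; the audit rules encode this reply's advice plus two related checks (PermitRootLogin and ChallengeResponseAuthentication, since PAM keyboard-interactive can still prompt for a password when PasswordAuthentication is off). The option names are the 2005-era ones the post assumes: modern OpenSSH has removed ssh1 and the Protocol keyword and renamed ChallengeResponseAuthentication to KbdInteractiveAuthentication.

```shell
#!/bin/sh
# Audit an sshd_config against the hardening advice in the reply.
# Added example; the two configs below are constructed, not from the post.

# Typical pre-hardening settings (constructed).
WEAK_CONFIG='Protocol 2,1
PasswordAuthentication yes
PubkeyAuthentication yes
PermitRootLogin yes
MaxStartups 10
LoginGraceTime 120'

# Hardened counterpart (constructed). MaxStartups start:rate:full makes sshd
# drop unauthenticated connections probabilistically once 3 are pending.
HARDENED_CONFIG='Protocol 2
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
AllowGroups staff
MaxStartups 3:50:10
LoginGraceTime 30'

# audit_sshd_config: read a config on stdin, print one FAIL line per weak
# setting and exit non-zero if any were found.
audit_sshd_config() {
    awk '
        # collect "Keyword value..." lines; keywords are case-insensitive
        NF && $1 !~ /^#/ {
            k = tolower($1); v = $2
            for (i = 3; i <= NF; i++) v = v " " $i
            if (!(k in cfg)) cfg[k] = v      # sshd honours the first occurrence
        }
        function get(k) { return (k in cfg) ? tolower(cfg[k]) : "" }
        function fail(msg) { print "FAIL " msg; rc = 1 }
        END {
            rc = 0
            if (get("protocol") != "2")
                fail("Protocol must be exactly 2 (ssh1 enabled or unset)")
            if (get("passwordauthentication") != "no")
                fail("PasswordAuthentication should be no")
            if (get("challengeresponseauthentication") != "no")
                fail("ChallengeResponseAuthentication should be no (PAM can still ask for a password)")
            if (get("pubkeyauthentication") == "no")
                fail("PubkeyAuthentication is disabled")
            if (get("permitrootlogin") != "no")
                fail("PermitRootLogin should be no")
            if (get("allowgroups") == "" && get("allowusers") == "")
                fail("no AllowGroups/AllowUsers restriction")
            if (get("logingracetime") == "" || get("logingracetime") + 0 > 60)
                fail("LoginGraceTime unset or above 60 seconds")
            if (get("maxstartups") !~ /^[0-9]+:[0-9]+:[0-9]+$/)
                fail("MaxStartups should use the start:rate:full form")
            exit rc
        }
    '
}

main() {
    echo "== weak config =="
    printf '%s\n' "$WEAK_CONFIG" | audit_sshd_config || echo "weak: FAILED"
    echo "== hardened config =="
    printf '%s\n' "$HARDENED_CONFIG" | audit_sshd_config && echo "hardened: OK"
    # On a real host:  audit_sshd_config < /etc/ssh/sshd_config
}

main
```

Restricting the listener to known source blocks, the reply's first question, belongs in pf rather than sshd_config and is not checked here. After editing, run `sshd -t` to syntax-check and keep an existing session open while you verify a fresh key-based login still works.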