From: Daniel Gerzo <danger@rulez.sk>
Date: Wed, 13 Apr 2005 23:16:05 +0200
To: Ed Stover, questions@freebsd.org
Subject: Re[2]: too many illegal connection attempts through ssh
Message-ID: <482818047.20050413231605@rulez.sk>
In-Reply-To: <1113425167.91701.14.camel@red.nativenerds.com>
References: <36f5bbba050406001514562df7@mail.gmail.com> <1113425167.91701.14.camel@red.nativenerds.com>
List: freebsd-questions@freebsd.org (User questions)

Hi Ed,

Wednesday, April 13, 2005, 10:46:07 PM, you wrote these comments:

> Forgive the top posting (long message) ;)
> A quick way to make that crap go away is to run your ssh on a different
> port. Quick, simple, effective. I used to have those "brute force"
> attacks every day and fill my logs and I would go in and create an
> entry for that entire netmask in the ipfw and hosts.allow files but
> that got tedious real quick. Changing the port made my life easier.
> ssh -p 99 -l yournamehere 192.168.1.10

or, if Edwin uses pf, he can use my bruteforceblocker.pl, which is a
daemonized process that checks for these login attempts and adds the
given IPs to pf's table. It's located at:

http://danger.rulez.sk/projects/bruteforceblocker/

PS: it seems like Edwin will have to adjust the regexp in my script a
little bit, since my regexp checks for "Failed password" attempts, but
doing so is a trivial thing...

> On Wed, 2005-04-06 at 07:15 +0000, Edwin D. Vinas wrote:
>> hello,
>>
>> shown below is a snapshot of too many illegal attempts to login to my
>> server from a suspicious hacker. this is taken from the
>> "/var/log/auth.log". my question is, how do i automatically block an
>> IP address if it is attempting to guess my login usernames? can i
>> configure the firewall to check the instances a certain IP has
>> attempted to access/ssh the server, and if it has failed to login for
>> about "x" number of attempts, it will be blocked automatically?
>>
>> thank you in advance!
>>
>> -edwin
>>
>> ----------------
>> Mar 26 05:00:00 pawikan newsyslog[11879]: logfile turned over due to size>100K
>> Mar 26 22:49:29 pawikan sshd[66637]: Illegal user test from 211.176.33.46
>> Mar 26 22:49:32 pawikan sshd[66639]: Illegal user guest from 211.176.33.46
>> Mar 26 22:49:35 pawikan sshd[66641]: Illegal user admin from 211.176.33.46

-- 
Best Regards,
+----------==/\/\==----------+ (__) FreeBSD
| DanGer | \\\'',) The
| DanGer@IRCnet ICQ261701668 | \/ \ ^ Power
| http://danger.rulez.sk | .\._/_) To
+----------==\/\/==----------+ Serve
[ Oh, what is it now? Can't you leave me in Peace? - Basil Fawlty ]
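The approach Daniel describes (scan auth.log for failed sshd logins, count them per source IP, and add repeat offenders to a pf table) as an added example; this is not bruteforceblocker.pl and not code from the thread. It matches both the "Failed password" lines Daniel's regexp looks for and the "Illegal user" lines in Edwin's excerpt, and only builds the pfctl command rather than running it. The table name "bruteforce" and the threshold of 3 are assumptions.

```python
import re
from collections import Counter

# Two sshd failure forms: "Failed password" (what Daniel's regexp checks)
# and "Illegal user" (what Edwin's auth.log excerpt shows).
FAILED_PASSWORD = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+)")
ILLEGAL_USER = re.compile(
    r"sshd\[\d+\]: Illegal user \S+ from (\d+\.\d+\.\d+\.\d+)")
PATTERNS = (FAILED_PASSWORD, ILLEGAL_USER)

def failed_source(line):
    """Return the source IP of an sshd failure line, or None for any other line."""
    for pat in PATTERNS:
        m = pat.search(line)
        if m:
            return m.group(1)
    return None

def count_failures(lines):
    """Count failed login attempts per source IP over a batch of auth.log lines."""
    counts = Counter()
    for line in lines:
        ip = failed_source(line)
        if ip:
            counts[ip] += 1
    return counts

def ips_to_block(lines, threshold=3):
    """IPs that reached the failure threshold (assumed: 3), sorted for stable output."""
    return sorted(ip for ip, n in count_failures(lines).items() if n >= threshold)

def pfctl_command(table, ip):
    """Build the pfctl invocation that adds one IP to a pf table.
    The table (assumed name 'bruteforce') must be declared in pf.conf,
    e.g. 'table <bruteforce> persist' with a block rule that references it."""
    return ["pfctl", "-t", table, "-T", "add", ip]

# Sample log: the lines from Edwin's excerpt plus constructed lines
# (10.0.0.5 with a single failure, and one successful login).
SAMPLE_LOG = [
    "Mar 26 05:00:00 pawikan newsyslog[11879]: logfile turned over due to size>100K",
    "Mar 26 22:49:29 pawikan sshd[66637]: Illegal user test from 211.176.33.46",
    "Mar 26 22:49:32 pawikan sshd[66639]: Illegal user guest from 211.176.33.46",
    "Mar 26 22:49:35 pawikan sshd[66641]: Illegal user admin from 211.176.33.46",
    "Mar 26 22:50:01 pawikan sshd[66650]: Failed password for root from 10.0.0.5 port 4321 ssh2",
    "Mar 26 22:51:10 pawikan sshd[66655]: Accepted publickey for edwin from 10.0.0.7 port 5000 ssh2",
]

if __name__ == "__main__":
    for ip in ips_to_block(SAMPLE_LOG):
        print(" ".join(pfctl_command("bruteforce", ip)))
```

A daemon version would tail auth.log and track counts over a time window instead of a fixed batch, and expire table entries with pfctl's -T expire so a single noisy source is not blocked forever.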