From owner-freebsd-questions@FreeBSD.ORG Wed Apr 13 21:48:07 2005
From: Benjamin Rossen <b.rossen@onsnet.nu>
Organization: GearSticker Corporation
To: freebsd-questions@freebsd.org
Date: Wed, 13 Apr 2005 23:47:49 +0200
Subject: Re: too many illegal connection attempts through ssh
References: <36f5bbba050406001514562df7@mail.gmail.com> <1113425167.91701.14.camel@red.nativenerds.com>
In-Reply-To: <1113425167.91701.14.camel@red.nativenerds.com>
Message-Id: <200504132347.49133.b.rossen@onsnet.nu>

On Wed, 2005-04-06 at 07:15 +0000, Edwin D. Vinas wrote:
> hello,
>
> shown below is a snapshot of too many illegal attempts to login to my
> server from a suspicious hacker. this is taken from the
> "/var/log/auth.log". my question is, how do i automatically block an
> IP address if it is attempting to guess my login usernames? can i
> configure the firewall to check the instances a certain IP has
> attempted to access/ssh the server, and if it has failed to login for
> about "x" number of attempts, it will be blocked automatically?
>
> thank you in advance!
>
> -edwin
>
> ----------------
> Mar 26 05:00:00 pawikan newsyslog[11879]: logfile turned over
> ...etc.

This is one of those things we all have to live with.

I once had the idea to start an Open Source Project for making an administrators' tool that would work as follows. The tool would collect these records and send the information to a central server. I would be willing to donate and administer that server. The server would then track where these attacks are coming from. If it becomes apparent that the attacks are coming from a lone idiot doing one or two amateurish crack attempts, nothing further need be done. On the other hand, if it becomes apparent that the source is making repeated attacks on many machines, then a co-ordinated message would go out to all administrators using the tool. This could be automated. We could hope that many tens of thousands of BSD administrators would be using this tool (on many hundreds of thousands of BSD machines). All the machines administered by users of this tool would then launch a concerted Denial Of Service attack on the cracker address.

Now, how about that?

Of course, we could also try to do this nicely; for example, we could send automated notifications to the ISPs servicing the offending machines, or to ICANN, or to the police and other authorities in the countries where this kind of behavior is illegal, and so on. However, that would certainly be quite ineffective, and much less fun.

Or we could combine these strategies. We could notify the ISPs that the attacks are coming from one of their clients, informing them that a Tsunami DOS shall follow if they do not put a stop to the attacks.

Just an idea...

Benjamin Rossen
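Edwin's question asks for a threshold-based block on failed ssh logins seen in /var/log/auth.log. The following is an added example, not code from this thread: it parses constructed sshd failure lines (the record wording is assumed and may need adjusting to your own log), counts failures per source IP inside a sliding time window, and returns the addresses that crossed the threshold, which an administrator could then feed to a firewall table.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed sshd failure record formats; adjust the pattern to your own auth.log.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Illegal user \S+ from|Failed password for (?:illegal user )?\S+ from) "
    r"(?P<ip>\d+\.\d+\.\d+\.\d+)"
)

def parse_failures(lines, year=2005):
    """Yield (timestamp, ip) for every failed ssh login record; other lines are skipped."""
    for line in lines:
        m = FAIL_RE.match(line)
        if m:  # newsyslog rotation notices and the like do not match
            yield datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["ip"]

def offenders(lines, threshold=4, window_seconds=600):
    """Return IPs that failed >= threshold times within any window_seconds span."""
    by_ip = defaultdict(list)
    for ts, ip in parse_failures(lines):
        by_ip[ip].append(ts)
    blocked = set()
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):  # sliding window over sorted timestamps
            while (ts - stamps[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                blocked.add(ip)
                break
    return sorted(blocked)

# Constructed sample log: a rapid guesser, a user with two typos, and a slow scanner.
SAMPLE_LOG = """\
Mar 26 05:00:00 pawikan newsyslog[11879]: logfile turned over
Mar 26 05:01:10 pawikan sshd[11901]: Illegal user test from 203.0.113.7
Mar 26 05:01:12 pawikan sshd[11903]: Illegal user guest from 203.0.113.7
Mar 26 05:01:17 pawikan sshd[11907]: Failed password for root from 203.0.113.7 port 40122 ssh2
Mar 26 05:01:20 pawikan sshd[11909]: Failed password for illegal user oracle from 203.0.113.7 port 40130 ssh2
Mar 26 05:30:02 pawikan sshd[12010]: Failed password for edwin from 198.51.100.4 port 51000 ssh2
Mar 26 05:30:09 pawikan sshd[12010]: Failed password for edwin from 198.51.100.4 port 51000 ssh2
Mar 26 06:00:00 pawikan sshd[12100]: Illegal user a from 203.0.113.9
Mar 26 06:20:00 pawikan sshd[12120]: Illegal user b from 203.0.113.9
Mar 26 06:40:00 pawikan sshd[12140]: Illegal user c from 203.0.113.9
Mar 26 07:00:00 pawikan sshd[12160]: Illegal user d from 203.0.113.9
""".splitlines()

if __name__ == "__main__":
    print(offenders(SAMPLE_LOG))  # only the rapid guesser crosses the threshold
```

The window matters: with the defaults the slow scanner (four failures spread over an hour) is not flagged, and only the rapid guesser is; widen the window to catch slower patterns.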