From owner-freebsd-questions@FreeBSD.ORG Wed Apr 13 21:55:27 2005
Delivered-To: freebsd-questions@freebsd.org
Date: Wed, 13 Apr 2005 23:55:24 +0200
From: Hexren
X-Mailer: The Bat! (v1.62i) Business
Message-ID: <19221994686.20050413235524@hexren.net>
To: Benjamin Rossen
In-Reply-To: <200504132347.49133.b.rossen@onsnet.nu>
References: <36f5bbba050406001514562df7@mail.gmail.com> <1113425167.91701.14.camel@red.nativenerds.com> <200504132347.49133.b.rossen@onsnet.nu>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
cc: freebsd-questions@freebsd.org
Subject: Re[2]: too many illegal connection attempts through ssh
List-Id: User questions

> On Wed, 2005-04-06 at 07:15 +0000, Edwin D. Vinas wrote:
>> hello,
>>
>> shown below is a snapshot of too many illegal attempts to login to my
>> server from a suspicious hacker. this is taken from the
>> "/var/log/auth.log". my question is, how do i automatically block an
>> IP address if it is attempting to guess my login usernames? can i
>> configure the firewall to check the instances a certain IP has
>> attempted to access/ssh the server, and if it has failed to login for
>> about "x" number of attempts, it will be blocked automatically?
>>
>> thank you in advance!
>>
>> -edwin
>>
>> ----------------
>> Mar 26 05:00:00 pawikan newsyslog[11879]: logfile turned over
>> ...etc.
>
> This is one of those things we all have to live with.
>
> I once had the idea to start an Open Source Project for making an
> administrators' tool that would work as follows. The tool would collect these
> records and send the information to a central server. I would be willing to
> donate and administer that server. The server would then track where these
> attacks are coming from. If it becomes apparent that the attacks are coming
> from a lone idiot doing one or two amateurish crack attempts, nothing further
> need be done. On the other hand, if it becomes apparent that the source is
> making repeated attacks on many machines, then a co-ordinated message would go
> out to all administrators using the tool. This could be automated. We could
> hope that many tens of thousands of BSD administrators would be using this
> tool (on many hundreds of thousands of BSD machines). All the machines
> administered by users of this tool would then launch a concerted Denial Of
> Service attack on the cracker address.
>
> Now, how about that?
>
> Of course, we could also try to do this nicely; for example, we could send
> automated notifications to the ISPs servicing the offending machines, or to
> ICANN, or to the police and other authorities in the countries where this
> kind of behavior is illegal, and so on. However, that would certainly be
> quite ineffective, and much less fun.
>
> Or we could combine these strategies. We could notify the ISPs that the
> attacks are coming from one of their clients, informing them that a Tsunami
> DOS shall follow if they do not put a stop to the attacks.
>
> Just an idea...
>
> Benjamin Rossen

---------------------------------------------

Sounds fun but opens the door for every local user with ssh access to DOS the machine he is on. I am not that fond of the idea.
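As an added illustration of the threshold-based blocking Edwin asks about (this is example code written for this archive page, not anything posted in the thread), the script below counts failed sshd logins per source address in auth.log lines and emits the pfctl commands that would add offenders to a pf table. It also carries Hexren's caveat: addresses on an exempt list (loopback and the local LAN, assumed values) are never blocked, so a local user cannot get the machine's own addresses banned. The sshd message wording, the table name "bruteforce" and the sample log lines are assumptions or constructed.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# sshd failure messages as logged to /var/log/auth.log (wording assumed
# from OpenSSH of the period; both "Illegal" and the later "Invalid" form).
FAILED_RE = re.compile(
    r"sshd\[\d+\]: (?:(?:Illegal|Invalid) user \S+ from|"
    r"Failed password for (?:(?:illegal|invalid) user )?\S+ from) (\S+)"
)

# Never block these, whatever the count: the guard against a local user
# driving failures that would otherwise ban the host or its own LAN (assumed).
EXEMPT = [ip_network("127.0.0.0/8"), ip_network("192.168.1.0/24")]

def failed_attempts_by_ip(lines):
    """Count failed ssh logins per source IP address."""
    counts = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if not m:
            continue
        try:
            counts[str(ip_address(m.group(1)))] += 1
        except ValueError:
            continue  # a hostname or garbage, not an address: ignore it
    return counts

def addresses_to_block(lines, threshold=5, exempt=EXEMPT):
    """Addresses with at least `threshold` failures that are not exempt."""
    counts = failed_attempts_by_ip(lines)
    return sorted(ip for ip, n in counts.items()
                  if n >= threshold
                  and not any(ip_address(ip) in net for net in exempt))

def pf_commands(addresses, table="bruteforce"):
    """pfctl invocations that add each address to a pf table (table name assumed)."""
    return [f"pfctl -t {table} -T add {ip}" for ip in addresses]

# Constructed sample, in the style of the auth.log excerpt in the thread.
SAMPLE_LOG = [
    "Mar 26 05:00:00 pawikan newsyslog[11879]: logfile turned over",
    "Mar 26 05:01:10 pawikan sshd[11901]: Illegal user admin from 203.0.113.7",
    "Mar 26 05:01:12 pawikan sshd[11901]: Failed password for illegal user admin from 203.0.113.7 port 4020 ssh2",
    "Mar 26 05:01:15 pawikan sshd[11903]: Illegal user test from 203.0.113.7",
    "Mar 26 05:01:17 pawikan sshd[11903]: Failed password for illegal user test from 203.0.113.7 port 4021 ssh2",
    "Mar 26 05:01:20 pawikan sshd[11905]: Failed password for root from 203.0.113.7 port 4022 ssh2",
    "Mar 26 05:02:00 pawikan sshd[11910]: Failed password for edwin from 198.51.100.9 port 5000 ssh2",
] + [f"Mar 26 05:03:0{i} pawikan sshd[1192{i}]: Illegal user x from 127.0.0.1" for i in range(5)]

if __name__ == "__main__":
    print("\n".join(pf_commands(addresses_to_block(SAMPLE_LOG))))
```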