From: Beech Rintoul
Organization: FreeBSD Port Maintainer
To: freebsd-questions@freebsd.org
Cc: Andreas Widerøe Andersen
Date: Thu, 26 Apr 2007 02:36:00 -0800
Subject: Re: How do I prevent unauthorized ssh login attempts?
Message-Id: <200704260236.02847.beech@alaskaparadise.com>
In-Reply-To: <23ed14b80704260325w3fc06647vb114cd411625e16b@mail.gmail.com>

On Thursday 26 April 2007, Andreas Widerøe Andersen said:
> I'm getting a lot of unauthorized ssh login attempts. I have a
> pretty basic FreeBSD 6.2 setup. I have compiled my own kernel.
> Here's what I get from my daily security run output:
>
> myserver.domain.com login failures:
> Apr 25 20:00:19 myserver sshd[57810]: Invalid user staff from 65.171.74.26
> Apr 25 20:00:22 myserver sshd[57812]: Invalid user sales from 65.171.74.26
> Apr 25 20:00:24 myserver sshd[57814]: Invalid user recruit from 65.171.74.26
> Apr 25 20:00:26 myserver sshd[57816]: Invalid user alias from 65.171.74.26
> Apr 25 20:00:28 myserver sshd[57818]: Invalid user office from 65.171.74.26
> Apr 25 20:00:30 myserver sshd[57820]: Invalid user samba from 65.171.74.26
> Apr 25 20:00:32 myserver sshd[57822]: Invalid user tomcat from 65.171.74.26
> Apr 25 20:00:34 myserver sshd[57824]: Invalid user webadmin from 65.171.74.26
> Apr 25 20:00:36 myserver sshd[57826]: Invalid user spam from 65.171.74.26
> Apr 25 20:00:38 myserver sshd[57828]: Invalid user virus from 65.171.74.26
> Apr 25 20:00:41 myserver sshd[57830]: Invalid user cyrus from 65.171.74.26
> Apr 25 20:00:43 myserver sshd[57832]: Invalid user oracle from 65.171.74.26
> Apr 25 20:00:45 myserver sshd[57834]: Invalid user michael from 65.171.74.26
> Apr 25 20:00:47 myserver sshd[57836]: Invalid user ftp from 65.171.74.26
> Apr 25 20:00:49 myserver sshd[57838]: Invalid user test from 65.171.74.26
> Apr 25 20:00:51 myserver sshd[57840]: Invalid user webmaster from 65.171.74.26
> Apr 25 20:00:53 myserver sshd[57842]: Invalid user postmaster from 65.171.74.26
> Apr 25 20:00:56 myserver sshd[57844]: Invalid user postfix from 65.171.74.26
> Apr 25 20:00:57 myserver sshd[57846]: Invalid user postgres from 65.171.74.26
> Apr 25 20:00:59 myserver sshd[57848]: Invalid user paul from 65.171.74.26
> Apr 25 20:01:04 myserver sshd[57852]: Invalid user guest from 65.171.74.26
> Apr 25 20:01:06 myserver sshd[57854]: Invalid user admin from 65.171.74.26
> Apr 25 20:01:08 myserver sshd[57856]: Invalid user linux from 65.171.74.26
> Apr 25 20:01:11 myserver sshd[57858]: Invalid user user from 65.171.74.26
> Apr 25 20:01:13 myserver sshd[57860]: Invalid user david from 65.171.74.26
>
> How can I stop these attempts or block them - or even recognize
> them? I do not have IPF installed.
>
> Thanks for your help.
>
> Best regards,
> Andreas

Check out denyhosts, it's in the tree. It works well for me and is
easy to set up.

Beech

-- 
---------------------------------------------------------------------------------------
Beech Rintoul - Port Maintainer - beech@alaskaparadise.com
/"\   ASCII Ribbon Campaign  | FreeBSD Since 4.x
\ / - NO HTML/RTF in e-mail  | http://www.freebsd.org
 X  - NO Word docs in e-mail | Latest Release:
/ \  - http://www.freebsd.org/releases/6.2R/announce.html
---------------------------------------------------------------------------------------
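
The question in the message above also asks how to recognize these attempts. As an added example (not part of the original message and not DenyHosts' own code), this Python script parses the `Invalid user ... from <ip>` lines shown in the quoted log and flags any source address that exceeds a failure threshold inside a time window. The function names, the threshold of 5, the 60-second window, the supplied year and the last sample line are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The user name is chosen by the remote client and may contain spaces, so the
# pattern is anchored at end of line: only the last "from <ip>" is the source.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Invalid user (?P<user>.*) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)

def parse(line, year=2007):
    """Return (timestamp, user, ip) or None; syslog omits the year (assumed)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["ip"]

def flag_sources(lines, threshold=5, window=timedelta(seconds=60), year=2007):
    """Return {ip: users tried} for IPs with >= threshold failures in a window."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse(line, year)
        if parsed:
            events[parsed[2]].append(parsed[:2])
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):  # sliding window over sorted timestamps
            while evs[end][0] - evs[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = sorted({user for _, user in evs})
                break
    return flagged

# First five lines are from the message above; the last one is constructed.
SAMPLE = """\
Apr 25 20:00:19 myserver sshd[57810]: Invalid user staff from 65.171.74.26
Apr 25 20:00:22 myserver sshd[57812]: Invalid user sales from 65.171.74.26
Apr 25 20:00:24 myserver sshd[57814]: Invalid user recruit from 65.171.74.26
Apr 25 20:00:26 myserver sshd[57816]: Invalid user alias from 65.171.74.26
Apr 25 20:00:28 myserver sshd[57818]: Invalid user office from 65.171.74.26
Apr 25 20:07:41 myserver sshd[57901]: Invalid user bob from 192.0.2.10
""".splitlines()

if __name__ == "__main__":
    print(flag_sources(SAMPLE))
```
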