From: Emanuel Strobl
To: freebsd-questions@freebsd.org
Cc: "Edwin D. Vinas"
Date: Wed, 6 Apr 2005 15:58:55 +0200
Subject: Re: too many illegal connection attempts through ssh

On Wednesday, 6 April 2005 12:07, Erik Nørgaard wrote:
> Edwin D. Vinas wrote:
> > shown below is snapshot of too many illegal attempts to login to my
> > server from a suspicious hacker.
> > this is taken from the
> > "/var/log/auth.log". my question is, how do i automatically block an
> > IP address if it is attempting to guess my login usernames? can i
> > configure the firewall to check the instances a certain IP has
> > attempted to access/ssh the server, and if it has failed to login for
> > about "x" number of attempts, it will be blocked automatically?
>
> This question is asked on the list ever so often - see the archives for
> suggestions. These are automated attacks, they come regularly as
> crackers, black hats or script kiddies scan across the net.

Does anybody know what robots are being used? And on what systems? All you
mention later in your posting is true of course and I needn't care about
these logs, but it's like somebody unknown puts 10 flyers in your
letterbox every night. I'm sure, one night you'll hide and build a trap for
that person. I'm too lazy to enter those net-circles for finding these
robots, but maybe some other has already done that?

-Harry

>
> You can avoid the automated scanning by changing port, but this won't
> stop the determined cracker - he will scan all your ports and identify
> which services are running on which ports.
>
> Ask yourself a few questions:
>
> * Do you need to allow ssh from anywhere? If not, restrict to the
>   relevant ip blocks.
>
> * Do you need to allow password based authentication? If not, disable it
>   and use only ssh keys, in sshd_config:
>
>     PasswordAuthentication no
>     PubkeyAuthentication yes
>
> * Do all users need to have ssh access? If not, restrict to specific
>   groups of users, in sshd_config, eg:
>
>     AllowGroups staff
>
> * Is it a problem apart from the log messages? Trying to login with a
>   nonexistent username is usually not a problem.
>
> Other tips: Disable ssh1, reduce the number of simultaneous
> non-authenticated connections, set timeouts etc.
>
> Cheers, Erik
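
The threshold check Edwin asks about ("x" failed attempts from one address), as an added example that is not part of the original thread: it counts sshd failure lines per source IP inside a time window and takes the address from the end of the line, so a username containing " from <ip>" cannot shift blame to another host. The log line shapes, the sample addresses, the `offenders` function and its parameters are assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the syslog style of /var/log/auth.log (not from the thread).
SAMPLE_LOG = """\
Apr  6 03:12:01 host sshd[411]: Illegal user test from 203.0.113.7
Apr  6 03:12:03 host sshd[413]: Failed password for illegal user admin from 203.0.113.7 port 4011 ssh2
Apr  6 03:12:05 host sshd[415]: Failed password for root from 203.0.113.7 port 4012 ssh2
Apr  6 03:12:09 host sshd[417]: Invalid user guest from 203.0.113.7
Apr  6 08:30:00 host sshd[520]: Failed password for harry from 198.51.100.20 port 5000 ssh2
Apr  6 08:30:05 host sshd[522]: Illegal user x from 198.51.100.20 from 203.0.113.7
Apr  6 08:30:10 host sshd[521]: Accepted publickey for harry from 198.51.100.20 port 5001 ssh2
Apr  6 09:00:00 host sshd[600]: Illegal user a from 192.0.2.50
Apr  6 11:00:00 host sshd[601]: Illegal user b from 192.0.2.50
Apr  6 13:00:00 host sshd[602]: Illegal user c from 192.0.2.50
"""
# Assumed failure messages: "Illegal user" (older OpenSSH), "Invalid user",
# "Failed password". Greedy ".*" plus "$" binds the IP to the end of the line.
FAILURE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Illegal user|Invalid user|Failed password for(?: (?:illegal|invalid) user)?) "
    r".* from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?: port \d+(?: ssh\d?)?)?$"
)

def offenders(log_text, threshold=3, window=timedelta(minutes=10), allow=(), year=2005):
    """Return sorted IPs with at least `threshold` failures inside one window."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILURE.match(line)
        if not m or m.group("ip") in allow:
            continue
        # syslog timestamps carry no year; the caller supplies one (assumption).
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        times[m.group("ip")].append(ts)
    flagged = set()
    for ip, stamps in times.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return sorted(flagged)

if __name__ == "__main__":
    print(offenders(SAMPLE_LOG))
```

The returned addresses are candidates for a firewall block list; the `allow` parameter keeps known-good addresses out of it.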