From: Kevin Hunter
Date: Thu, 26 Apr 2007 10:34:57 -0400
To: Andreas Widerøe Andersen
Cc: FreeBSD Questions
Subject: Re: How do I prevent unauthorized ssh login attempts?

At 8:34a -0400 on 26 Apr 2007, Bill Moran wrote:
> In response to "Andreas Widerøe Andersen":
>
>> I'm getting a lot of unauthorized ssh login attempts. I have a pretty basic
>> FreeBSD 6.2 setup. I have compiled my own kernel. Here's what I get from my
>> daily security run output:
>>
>> myserver.domain.com login failures:
>> Apr 25 20:00:19 myserver sshd[57810]: Invalid user staff from 65.171.74.26
>> [similar lines snipped]
>>
>> How can I stop these attempts or block them - or even recognize them? I do
>> not have IPF installed.
>
> One possibility:
> http://www.potentialtech.com/cms/node/16

I'm a noob to *BSD, so I'm not sure if not having IPF installed means you still have another firewall option. If you do, I'd say following Bill's [sp]age advice is best for your system security overall.

If you don't have a firewall, another option would be to disallow ssh password logins. i.e. only allow login via public/private key authentication. This is a server side option, so 'man sshd_config' and look for the PasswordAuthentication option. You'll still get the "Invalid user..." warning messages, but short of wasting your bandwidth and (log) diskspace, they'll be useless cracker attempts.

(And if you're looking for how to create public/private keys, 'man ssh-keygen'.)

In general, utilizing public/private keys for remote authentication is /much/ more secure than passwords.

HTH,

Kevin
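
An added example, not part of the message above or of any project's code: a sh check for the PasswordAuthentication suggestion. It reads the global section of an sshd_config, takes the first value set for each keyword (sshd uses the first value it obtains), and also looks at ChallengeResponseAuthentication, since keyboard-interactive logins can still prompt for a password through PAM. The function names and the sample config are constructed for illustration.

```sh
#!/bin/sh
# Added example: does this sshd_config still permit password-style logins?
# Function names and the sample file are constructed for illustration.

# effective_value FILE KEYWORD
# Print the first value set for KEYWORD in the global section of FILE
# (sshd uses the first value it obtains), or "unset" if it is not set.
effective_value() {
    awk -v want="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        { sub(/#.*/, ""); sub(/[ \t]*=[ \t]*/, " ") }  # drop comments, allow key=value
        NF == 0 { next }
        { key = tolower($1) }
        key == "match" { exit }                        # Match blocks are conditional
        key == want { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# password_login_closed FILE
# Return 0 only if both password-capable methods are explicitly "no".
# "unset" counts as open because the compiled-in default then decides.
password_login_closed() {
    rc=0
    for kw in PasswordAuthentication ChallengeResponseAuthentication; do
        val=$(effective_value "$1" "$kw")
        printf '%-32s %s\n' "$kw" "$val"
        [ "$val" = "no" ] || rc=1
    done
    return "$rc"
}

# Constructed sample: passwords turned off, keyboard-interactive left commented out.
sample=$(mktemp "${TMPDIR:-/tmp}/sshd_config.XXXXXX")
cat > "$sample" <<'EOF'
PasswordAuthentication no
#ChallengeResponseAuthentication yes
PasswordAuthentication yes
EOF
password_login_closed "$sample" || echo "password-style login may still be possible"
rm -f "$sample"
```

On a real host, point `password_login_closed` at /etc/ssh/sshd_config and confirm key-based login works in a second session before restarting sshd.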