From owner-freebsd-questions@FreeBSD.ORG Thu Aug 25 03:23:18 2005
From: "Chris St Denis"
To: "'Pat Maddox'", "'FreeBSD Questions'"
Date: Wed, 24 Aug 2005 11:18:50 -0700
Subject: RE: Illegal access attempt - FreeBSD 5.4 Release - please advise
In-Reply-To: <810a540e0508232127737d91fb@mail.gmail.com>
Message-Id: <200508241119671.SM00756@chris>
List-Id: User questions <freebsd-questions@freebsd.org>

How can I easily auto deny after x failed attempts? Is this an sshd setting? I could find it.

Is there something in ports that will firewall off somebody who is brute forcing?

-----Original Message-----
From: owner-freebsd-questions@freebsd.org [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Pat Maddox
Sent: Tuesday, August 23, 2005 9:27 PM
To: FreeBSD Questions
Subject: Re: Illegal access attempt - FreeBSD 5.4 Release - please advise

It's not that big of a deal... they didn't get in or anything. If you've got a server that's always connected to the internet, you'll see people trying to break in all the time. The more popular your server, the more frequent the attempts.

This is just someone trying to log in via SSH - so as long as you have good passwords on all your accounts, and disable remote root login, you're fine. You may consider denying access after X failed login attempts.

On 8/23/05, ro ro wrote:
> Hi All,
>
> I was browsing through my log files and noticed that someone (or many
> people) is trying to gain illegal access to my server (see snippet from
> log files below).
>
> The below log file clearly indicates someone trying to hack away at my
> personal server.
>
> I performed the following steps:
>
> nmap -v 210.0.142.153
>
> and noticed that this person/institution had port 80 and 21 open.
>
> I visited their website and it appears to be someone from Hong Kong.
> http://www.chkpcc.edu.hk/
>
> HERE IS THEIR CONTACT INFORMATION AS IT APPEARS ON THEIR WEBSITE
> -------------------------------------------------------------
> Confucian Ho Kwok Pui Chun College 孔教學院何郭佩珍中學
> Address 地址: Fu Shin Est., Taipo, N.T., HKSAR 香港新界大埔富善村
> Tel 電話: 852-2666-5926
> Fax 傳真: 852-2660-7988
> E-mail 電郵: info@chkpcc.edu.hk
> -------------------------------------------------------------
>
> When I saw the logs for the first time, I took the following steps:
> 1) AllowUsers in sshd contained only users that I wanted to have access
>    to my ssh
> 2) Created a decent ruleset within ipfw that permitted incoming access
>    to only two ports, ssh and http
>
> I took the issue of creating a good firewall quite lightly and now I
> regret that decision.. now I have learnt... Can someone provide me with
> guidance on this issue and advise me on next steps to take action
> against such losers.
>
> Thanks
> RV
>
> Aug 23 08:19:03 free sshd[22519]: Illegal user lp from 210.0.142.153
> Aug 23 08:19:06 free sshd[22521]: Illegal user admin from 210.0.142.153
> Aug 23 08:19:08 free sshd[22523]: Illegal user admin from 210.0.142.153
> Aug 23 08:19:10 free sshd[22525]: Illegal user admin from 210.0.142.153
> Aug 23 08:19:12 free sshd[22527]: Illegal user admin from 210.0.142.153
> Aug 23 08:19:15 free sshd[22529]: Illegal user admin from 210.0.142.153
> Aug 23 08:19:17 free sshd[22531]: Illegal user admin from 210.0.142.153
> Aug 23 08:19:19 free sshd[22533]: Illegal user admin from 210.0.142.153
> Aug 23 08:19:22 free sshd[22535]: User root not allowed because not listed in AllowUsers
> Aug 23 08:19:24 free sshd[22537]: User root not allowed because not listed in AllowUsers
> Aug 23 08:19:27 free sshd[22539]: User root not allowed because not listed in AllowUsers
> Aug 23 08:19:29 free sshd[22541]: User root not allowed because not listed in AllowUsers
> Aug 23 08:19:33 free sshd[22543]: User root not allowed because not listed in AllowUsers
> Aug 23 08:19:35 free sshd[22545]: User root not allowed because not listed in AllowUsers
> Aug 23 08:19:37 free sshd[22547]: Illegal user apache from 210.0.142.153
> Aug 23 08:19:40 free sshd[22549]: Illegal user dan from 210.0.142.153
> Aug 23 08:19:42 free sshd[22551]: Illegal user electra from 210.0.142.153
> Aug 23 08:19:44 free sshd[22553]: Illegal user student from 210.0.142.153
> Aug 23 08:19:47 free sshd[22555]: Illegal user school from 210.0.142.153
> Aug 23 08:19:49 free sshd[22557]: User mysql not allowed because not listed in AllowUsers
>
>
> Aug 11 20:16:10 free sshd[21585]: Illegal user test from 210.245.197.16
> Aug 11 20:16:12 free sshd[21587]: Illegal user guest from 210.245.197.16
> Aug 11 20:16:14 free sshd[21589]: Illegal user admin from 210.245.197.16
> Aug 11 20:16:16 free sshd[21591]: Illegal user admin from 210.245.197.16
> Aug 11 20:16:23 free sshd[21593]: Illegal user user from 210.245.197.16
> Aug 11 20:16:32 free sshd[21601]: Illegal user test from 210.245.197.16
>
> Aug 14 03:39:21 free sshd[32377]: Illegal user 1 from 61.145.222.10
> Aug 14 03:39:26 free sshd[32379]: Illegal user a from 61.145.222.10
> Aug 14 03:39:31 free sshd[32381]: Illegal user a from 61.145.222.10
> Aug 14 03:39:38 free sshd[32383]: Illegal user abuse from 61.145.222.10
> Aug 14 10:47:49 free sshd[33623]: Illegal user admin from 64.222.146.197
> Aug 14 10:47:51 free sshd[33625]: Illegal user administrator from 64.222.146.197
> Aug 14 10:47:52 free sshd[33627]: Illegal user jack from 64.222.146.197
> Aug 14 10:47:53 free sshd[33629]: Illegal user marvin from 64.222.146.197
> Aug 14 10:47:58 free sshd[33631]: Illegal user andres from 64.222.146.197
> Aug 14 10:47:59 free sshd[33633]: Illegal user barbara from 64.222.146.197
> Aug 14 10:48:01 free sshd[33635]: Illegal user adine from 64.222.146.197
> Aug 14 10:48:02 free sshd[33637]: Illegal user test from 64.222.146.197
> Aug 14 10:48:04 free sshd[33639]: Illegal user guest from 64.222.146.197
> Aug 14 10:48:07 free sshd[33641]: Illegal user db from 64.222.146.197
>
> Aug 23 08:18:40 free sshd[22499]: Illegal user demo from 210.0.142.153
> Aug 23 08:18:43 free sshd[22501]: Illegal user postgres from 210.0.142.153
> Aug 23 08:18:45 free sshd[22503]: Illegal user postmaster from 210.0.142.153
> Aug 23 08:18:47 free sshd[22505]: Illegal user postgres from 210.0.142.153
> Aug 23 08:18:49 free sshd[22507]: Illegal user postgres from 210.0.142.153
> Aug 23 08:18:52 free sshd[22509]: Illegal user ftp from 210.0.142.153
> Aug 23 08:18:54 free sshd[22511]: User news not allowed because not listed in AllowUsers
> Aug 23 08:18:56 free sshd[22513]: Illegal user demo from 210.0.142.153
> Aug 23 08:18:58 free sshd[22515]: Illegal user demouser from 210.0.142.153
> Aug 23 08:19:01 free sshd[22517]: User sshd not allowed because not listed in AllowUsers
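The "deny after X failed attempts" idea raised in this thread amounts to two steps: count invalid-user attempts per source address in the sshd log, and feed addresses that cross a threshold to the firewall. The script below is an added example and is not code from anyone on this thread or from the FreeBSD project. Its sample log is constructed from the sshd lines quoted above (syslog format: no year, and the "not listed in AllowUsers" lines carry no peer address, so they are counted separately rather than attributed to an address). The threshold, the 60-second window and the use of an ipfw lookup table (assuming a rule such as `deny ip from table(1) to any` exists elsewhere in the ruleset) are assumptions; the script only prints the `ipfw table ... add` commands for review and executes nothing.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, modelled on the sshd lines quoted in the thread.
SAMPLE_LOG = """\
Aug 23 08:19:03 free sshd[22519]: Illegal user lp from 210.0.142.153
Aug 23 08:19:06 free sshd[22521]: Illegal user admin from 210.0.142.153
Aug 23 08:19:08 free sshd[22523]: Illegal user admin from 210.0.142.153
Aug 23 08:19:10 free sshd[22525]: Illegal user admin from 210.0.142.153
Aug 23 08:19:12 free sshd[22527]: Illegal user admin from 210.0.142.153
Aug 23 08:19:22 free sshd[22535]: User root not allowed because not listed in AllowUsers
Aug 14 03:39:21 free sshd[32377]: Illegal user 1 from 61.145.222.10
Aug 14 03:39:26 free sshd[32379]: Illegal user a from 61.145.222.10
Aug 14 03:39:31 free sshd[32381]: Illegal user a from 61.145.222.10
Aug 14 03:39:38 free sshd[32383]: Illegal user abuse from 61.145.222.10
Aug 11 20:16:10 free sshd[21585]: Illegal user test from 210.245.197.16
Aug 11 20:16:12 free sshd[21587]: Illegal user guest from 210.245.197.16
Aug 11 20:16:14 free sshd[21589]: Illegal user admin from 210.245.197.16
Aug 11 20:16:16 free sshd[21591]: Illegal user admin from 210.245.197.16
Aug 11 20:16:23 free sshd[21593]: Illegal user user from 210.245.197.16
Aug 11 20:16:32 free sshd[21601]: Illegal user test from 210.245.197.16
"""

# Only the "Illegal user <name> from <addr>" message carries the peer address
# in the quoted log; the "not listed in AllowUsers" message does not.
ILLEGAL_USER = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Illegal user (?P<user>\S+) from (?P<addr>\S+)$"
)
NOT_ALLOWED = re.compile(r"sshd\[\d+\]: User \S+ not allowed because")


def parse_timestamp(ts):
    """Parse a syslog timestamp; it has no year, so datetime defaults to 1900."""
    return datetime.strptime(re.sub(r"\s+", " ", ts), "%b %d %H:%M:%S")


def parse_illegal_user(line):
    """Return (timestamp, user, addr) for an 'Illegal user' line, else None."""
    m = ILLEGAL_USER.match(line.strip())
    if not m:
        return None
    return parse_timestamp(m.group("ts")), m.group("user"), m.group("addr")


def max_in_window(times, window_seconds):
    """Largest number of events that fall inside any span of window_seconds."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_brute_forcers(lines, threshold=5, window_seconds=60):
    """Map each address with >= threshold invalid-user attempts inside one
    window_seconds span to its peak attempt count in such a span."""
    by_addr = defaultdict(list)
    for line in lines:
        parsed = parse_illegal_user(line)
        if parsed:
            ts, _user, addr = parsed
            by_addr[addr].append(ts)
    offenders = {}
    for addr, times in by_addr.items():
        peak = max_in_window(times, window_seconds)
        if peak >= threshold:
            offenders[addr] = peak
    return offenders


def count_unattributed(lines):
    """Attempts logged without a source address: these cannot be blocked by
    address from the line alone, so report them rather than drop them."""
    return sum(1 for line in lines if NOT_ALLOWED.search(line))


def ipfw_deny_commands(offenders, table=1):
    """Build 'ipfw table N add ADDR' commands for review (assumed ruleset:
    a deny rule elsewhere matches table(N)); nothing is executed here."""
    return ["ipfw table %d add %s" % (table, addr) for addr in sorted(offenders)]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    hits = find_brute_forcers(lines)
    for addr, peak in sorted(hits.items()):
        print("%s: %d invalid-user attempts within 60s" % (addr, peak))
    print("%d attempt(s) logged without a source address" % count_unattributed(lines))
    for cmd in ipfw_deny_commands(hits):
        print(cmd)
```

With the defaults, 210.0.142.153 (5 attempts in 9 seconds) and 210.245.197.16 (6 in 22 seconds) cross the threshold while 61.145.222.10 (4 attempts) does not; tightening the window to 5 seconds drops every peak to 3, which is why the window and threshold should be chosen together against the real log rather than picked in isolation.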