From owner-freebsd-questions@FreeBSD.ORG Sat Nov 15 08:07:17 2008
Message-ID: <139b44430811150007l2aebe05dvd56e9f60f18cbe21@mail.gmail.com>
Date: Sat, 15 Nov 2008 10:07:17 +0200
From: "Valentin Bud" <valentin.bud@gmail.com>
To: "Lisa Casey"
Cc: freebsd-questions@freebsd.org
In-Reply-To: <20081114215444.C8966@mail.jellico.com>
References: <692726B5-52B5-46AC-9C79-41553179AF36@comcast.net> <20081114215444.C8966@mail.jellico.com>
Subject: Re: Question about entry in auth.log
List-Id: User questions <freebsd-questions@freebsd.org>

Hello,

I personally use key authentication along with the DenyUsers and AllowUsers
directives from sshd. One more thing I do regarding ssh brute force is to
make use of max-src-conn and max-src-conn-rate from the pf firewall.

My auth logs look like:

  Nov 14 11:15:36 xxx sshd[3570]: User root from 211.55.48.179 not allowed because not listed in AllowUsers
  Nov 14 11:15:38 xxx sshd[3572]: Invalid user admin from 211.55.48.179
  Nov 14 11:15:41 xxx sshd[3574]: Invalid user test from 211.55.48.179
  Nov 14 11:15:44 xxx sshd[3576]: User root from 211.55.48.179 not allowed because not listed in AllowUsers
  Nov 14 11:15:46 xxx sshd[3578]: Invalid user ghost from 211.55.48.179

Five tries from the above IP and, if unsuccessful, it gets overloaded into a
table and all the states originating from that IP are killed.

All the servers I have are web/mail ones, none of them is used for users, so
I don't know if this is a good approach, but I wrote it to help make an idea
about it.

a great day,
v

On Sat, Nov 15, 2008 at 5:00 AM, Lisa Casey wrote:
>
> On Fri, 14 Nov 2008, Tom Marchand wrote:
>
>> Or michael is vacationing in Romania.
>
> Very odd. Sigh, Michael is not vacationing in Romania. Doubt he's ever been
> there. I got rid of the michael account (it wasn't used anyway), and
> downloaded a new copy of chkrootkit, installed it and ran it along with
> chklastlog and chkwtmp. Nothing was found. Perhaps this was a harmless enough
> prank? Anything else I ought to look at? Fortunately the michael account did
> not have the ability to su to root.
>
> Lisa
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
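The pf setup Valentin describes (connection-rate limiting on the ssh port with an overload table and state flushing), written out as an added pf.conf example; this is not his configuration or any project's file, and the interface name, table name, the 5-connections-per-30-seconds rate and the 24-hour expiry are assumptions chosen to match the "five tries" in the post:

```pf
# Added example: rate-limit new ssh connections per source address with pf.
# $ext_if is assumed; replace with the real external interface.
ext_if = "em0"

# Addresses that exceeded the limit end up here. "persist" keeps the table
# even when no rule references it at pfctl load time.
table <bruteforce> persist

# Drop everything from overloaded sources first.
block in quick on $ext_if from <bruteforce>

# Allow ssh, but:
#   max-src-conn 10        - at most 10 simultaneous connections per source
#   max-src-conn-rate 5/30 - at most 5 new connections per 30 seconds
#                            (assumed value mirroring the "five tries")
#   overload <bruteforce>  - sources exceeding either limit are added to the table
#   flush global           - and every existing state from that source is killed
pass in on $ext_if proto tcp from any to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 5/30, \
     overload <bruteforce> flush global)

# Entries never age out on their own; expire them from cron, e.g. daily:
#   pfctl -t bruteforce -T expire 86400
```

Note the caveat a practitioner should keep in mind: pf counts TCP connection attempts, not authentication failures, so it cannot distinguish five wrong passwords from five legitimate sessions opened quickly; pair it with AllowUsers and key-only authentication in sshd_config, as the post does, and keep the expire cron job so a mistaken lockout is temporary.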